A 16-year-old flaw in OpenSSL has been uncovered, just two months after the Heartbleed saga came to light.
An advisory notice on the OpenSSL website reports that a man-in-the-middle vulnerability – referred to as CVE-2014-0224 – was uncovered by security researcher Masashi Kikuchi.
“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server,” the advisory states.
It adds that the attack can only be performed if both the client and server are vulnerable, which will be the case if servers are running OpenSSL 1.0.1 or 1.0.2-beta1.
“Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution,” the notice says.
Kikuchi helped to produce a fix for the problem that was finalised by Stephen Henson of the OpenSSL core team and is available to download and install from here.
Kikuchi provided more information on how he uncovered the bug on a blog post, revealing that the issue had never been found before due to insufficient code checks.
“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation," he wrote.
“If the reviewers had enough experiences, they should have verified OpenSSL code in the same way they do their own code and they could have detected the problem.”
Nicholas Percoco, vice president of strategic services at security firm Rapid7, said that given most servers had been upgraded to the most recent version after Heartbleed, millions could be affected by this latest threat.
"The newly disclosed man-in-the-middle vulnerability disclosed in OpenSSL affects all client applications and devices that run OpenSSL when communicating to vulnerable servers of specific versions, but includes the most recent.
"This likely contains the majority of systems on the internet given most rushed to upgrade OpenSSL after the Heartbleed disclosure in early April of this year.”
The latest security woes around OpenSSL show that the two new staff being sought by The Linux Foundation to work on the technology will have plenty to keep them occupied.
Dan Worth is the news editor for V3 having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3 Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal.