All the latest UK technology news, reviews and analysis

OpenSSL man-in-the-middle flaw found after 16 years

06 Jun 2014

A 16-year-old flaw in OpenSSL has been uncovered, just two months after the Heartbleed saga came to light.

An advisory notice on the OpenSSL website reports that a man-in-the-middle vulnerability – referred to as CVE-2014-0224 – was uncovered by security researcher Masashi Kikuchi.

“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server,” the advisory states.

It adds that the attack can only be performed if both the client and server are vulnerable, which will be the case if servers are running OpenSSL 1.0.1 or 1.0.2-beta1.

“Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution,” the notice says.

Kikuchi helped to produce a fix for the problem that was finalised by Stephen Henson of the OpenSSL core team and is available to download and install from here.

Kikuchi provided more information on how he uncovered the bug on a blog post, revealing that the issue had never been found before due to insufficient code checks.

“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation," he wrote.

“If the reviewers had enough experiences, they should have verified OpenSSL code in the same way they do their own code and they could have detected the problem.”

Nicholas Percoco, vice president of strategic services at security firm Rapid7, said that given most servers had been upgraded to the most recent version after Heartbleed, millions could be affected by this latest threat.

"The newly disclosed man-in-the-middle vulnerability disclosed in OpenSSL affects all client applications and devices that run OpenSSL when communicating to vulnerable servers of specific versions, but includes the most recent.

"This likely contains the majority of systems on the internet given most rushed to upgrade OpenSSL after the Heartbleed disclosure in early April of this year.”

The latest security woes around OpenSSL show that the two new staff being sought by The Linux Foundation to work on the technology will have plenty to keep them occupied.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Dan Worth

Dan Worth is the news editor for V3 having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3 Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal

View Dan's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus

Work location poll - office, remote or home?

Where do you spend most time working on your primary work device?

Popular Threads

Powered by Disqus
LG G Flex 2 hands-on review

CES 2015: LG G Flex 2 video

A closer look at LG's latest curved-screen smartphone

Updating your subscription status Loading

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button

Beacon technology: what are the opportunities and how does the technology work?

This paper seeks to provide education and technical insight to beacons, in addition to providing insight to Apple's iBeacon specification


Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Head of Software Development Manager

I am looking for a Head of Software Development...

Embedded C Software Engineer - Microcontrollers

Embedded Software Engineer - Microcontrollers Location...

Systems Analyst (ERP)

Systems Analyst / Business Analyst / ERP / Oracle / SAP...

Senior Infrastructure Engineer - Hull - East Yorkshire

This client is a growing Service provider with multiple...
To send to more than one email address, simply separate each address with a comma.