OpenSSL man-in-the-middle flaw found after 16 years

06 Jun 2014

A 16-year-old flaw in OpenSSL has been uncovered, just two months after the Heartbleed saga came to light.

An advisory notice on the OpenSSL website reports that a man-in-the-middle vulnerability – referred to as CVE-2014-0224 – was uncovered by security researcher Masashi Kikuchi.

“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server,” the advisory states.

It adds that the attack can only be performed if both the client and server are vulnerable. OpenSSL clients are vulnerable in all versions, while servers are only known to be vulnerable when running OpenSSL 1.0.1 or 1.0.2-beta1.
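The advisory describes only a "carefully crafted handshake". Kikuchi's write-up identifies it as a ChangeCipherSpec (CCS) message sent before the key exchange has finished, which is why the bug became known as CCS injection: a vulnerable OpenSSL accepts the misplaced CCS and derives its session keys from an empty master secret. The Python script below is an added example, not code from this article, the advisory or the OpenSSL project. It builds the minimal TLS records needed to replay that probe against a server and classifies the reply the way public scanners do: a fatal unexpected_message alert means the server rejected the out-of-order CCS and is patched; any other alert, or a reply with no alert at all, is reported as likely vulnerable, and an empty reply as inconclusive. The host, port, timeout and the single RSA cipher suite offered are assumptions for illustration, and the classification rule is a heuristic for exposure, not proof of exploitability.

```python
"""Probe a TLS server for CVE-2014-0224 (CCS injection) exposure.

Added example. Sends a ClientHello, waits for the server's handshake flight,
then sends ChangeCipherSpec *before* the key exchange and inspects the reply.
"""
import socket
import struct

TLS_CCS, TLS_ALERT, TLS_HANDSHAKE = 0x14, 0x15, 0x16
ALERT_UNEXPECTED_MESSAGE = 10          # what a patched OpenSSL answers with
TLS1_0 = b"\x03\x01"                   # record/handshake version (assumption: TLS 1.0)
SERVER_HELLO_DONE = b"\x0e\x00\x00\x00"  # handshake type 14, zero-length body


def tls_record(content_type, payload, version=TLS1_0):
    """Wrap payload in a TLS record: type(1) version(2) length(2) body."""
    return bytes([content_type]) + version + struct.pack(">H", len(payload)) + payload


def client_hello(version=TLS1_0):
    """Minimal ClientHello: one RSA suite, no extensions, constant client random."""
    body = (
        version
        + b"\x00" * 32                 # client random (constant is fine for a probe)
        + b"\x00"                      # empty session id
        + b"\x00\x02" + b"\x00\x2f"    # one suite: TLS_RSA_WITH_AES_128_CBC_SHA (assumption)
        + b"\x01\x00"                  # one compression method: null
    )
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type 1, 3-byte length
    return tls_record(TLS_HANDSHAKE, handshake, version)


def early_ccs(version=TLS1_0):
    """The out-of-order ChangeCipherSpec record: a single 0x01 byte."""
    return tls_record(TLS_CCS, b"\x01", version)


def parse_records(data):
    """Split a buffer into (content_type, payload) tuples; drop a trailing partial record."""
    records = []
    while len(data) >= 5:
        content_type, length = data[0], struct.unpack(">H", data[3:5])[0]
        if len(data) < 5 + length:
            break
        records.append((content_type, data[5:5 + length]))
        data = data[5 + length:]
    return records


def classify(reply):
    """Verdict from the server's reply to the early CCS.

    Patched OpenSSL rejects the misplaced CCS with a fatal unexpected_message (10)
    alert. A server that accepted it has already switched to keys derived from an
    empty master secret, so it either says nothing useful or complains about the
    next record's MAC (bad_record_mac, 20). "Anything but unexpected_message" is
    the heuristic public scanners use; an empty reply is reported separately since
    a reset before any alert proves nothing either way.
    """
    alerts = [p for t, p in parse_records(reply) if t == TLS_ALERT and len(p) >= 2]
    if not reply:
        return "inconclusive"
    if any(p[1] == ALERT_UNEXPECTED_MESSAGE for p in alerts):
        return "patched"
    return "likely vulnerable"


def _read_flight(sock, timeout):
    """Read until the socket closes, goes quiet, or ServerHelloDone ends the buffer."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not buf.endswith(SERVER_HELLO_DONE):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    except (socket.timeout, ConnectionError):
        pass
    return buf


def probe(host, port=443, timeout=5.0):
    """Live check against a real server (needs network; host/port are assumptions)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello())
        _read_flight(sock, timeout)          # ServerHello ... ServerHelloDone
        sock.sendall(early_ccs())
        return classify(_read_flight(sock, timeout))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        # Constructed reply of a patched server: fatal (2) unexpected_message (10) alert.
        print("demo", classify(b"\x15\x03\x01\x00\x02\x02\x0a"))
```

Run it with a hostname to probe a server you are authorised to test, or with no arguments to see the offline classification of a constructed patched-server alert. Because the ClientHello offers a single RSA suite and no SNI extension, a server that only speaks newer suites or requires SNI will close the connection before the CCS is sent and the probe reports inconclusive rather than a false positive.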

“Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution,” the notice says.

Kikuchi helped to produce a fix for the problem, which was finalised by Stephen Henson of the OpenSSL core team and is available from the OpenSSL website in the updated 0.9.8za, 1.0.0m and 1.0.1h releases.

Kikuchi provided more information on how he uncovered the bug in a blog post, arguing that the issue had gone unnoticed for so long because code review of OpenSSL had been insufficient.

“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experience with TLS/SSL implementation," he wrote.

“If the reviewers had enough experience, they should have verified OpenSSL code in the same way they do their own code and they could have detected the problem.”

Nicholas Percoco, vice president of strategic services at security firm Rapid7, said that given most servers had been upgraded to the most recent version after Heartbleed, millions could be affected by this latest threat.

"The newly disclosed man-in-the-middle vulnerability disclosed in OpenSSL affects all client applications and devices that run OpenSSL when communicating to vulnerable servers of specific versions, but includes the most recent.

"This likely contains the majority of systems on the internet given most rushed to upgrade OpenSSL after the Heartbleed disclosure in early April of this year.”

The latest security woes around OpenSSL show that the two new staff being sought by The Linux Foundation to work on the technology will have plenty to keep them occupied.

Dan Worth
Dan Worth is the news editor for V3 having first joined the site as a reporter in November 2009. He specialises in a raft of areas including fixed and mobile telecoms, data protection, social media and government IT. Before joining V3 Dan covered communications technology, data handling and resilience in the emergency services sector on the BAPCO Journal