+233-2990093-27/29

OpenSSL Vulnerability by Man in The Middle (MITM) attack

21st July 2014

OpenSSL Vulnerability by Man in The Middle (MITM) attack

Date of First Release: 09-06-2014

Source: US-CERT, OpenSSL

OS Affected: Fedora Project, FreeBSD Project, Debian GNU/Linux, OpenSSL, Red Hat, Inc., Ubuntu.

Overview: A carefully crafted handshake can be used by an attackers to force the use of weak keying material in OpenSSL SSL/TLS clients and servers.

Description: The OpenSSL Project has released updates for OpenSSL 0.9.8, 1.0.0 and 1.0.1 to fix vulnerabilities that could allow an attacker use weak keying material in OpenSSL SSL/TLS clients and servers.

Impact: The vulnerability when exploited by “Man In The Middle” (MITM) attack, could allow an attacker to decrypt and modify the traffic from the attacked client and server.

Solution: Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

References:

https://www.openssl.org/news/secadv_20140605.txt

http://www.kb.cert.org/vuls/id/978508

Leave a Reply

Name (Required)

Email (Required - will not be published)

Website

Message (Required)