Feeds

Patch NOW: Six new bugs found in OpenSSL – including spying hole

On a scale of 1 to Heartbleed, this is a 7

The Power of One eBook: Top reasons to choose HP BladeSystem

The OpenSSL team has pushed out fixes for six security vulnerabilities in the widely used crypto library.

These holes include a flaw that enables man-in-the-middle (MITM) eavesdropping on encrypted connections, and another that allows miscreants to drop malware on at-risk systems.

A DTLS invalid fragment bug (CVE-2014-0195, affects versions 0.9.8, 1.0.0 and 1.0.1) can be used to inject malicious code into vulnerable software in apps, devices and servers. DTLS is more or less TLS encryption over UDP rather than TCP, and is used to secure live streams of video, voice chat and so on.

However, an SSL/TLS MITM vulnerability (CVE-2014-0224, potentially affects all clients, and servers running 1.0.1 and 1.0.2-beta1) is arguably worse, as an advisory from OpenSSL explains:

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

Users and administrators are advised to check their systems for updates; patched builds of OpenSSL are available from the major Linux distros, for instance.

Early CCS MITM logo, source: http://ccsinjection.lepidum.co.jp

Kikuchi's logo for the MITM bug

The CVE-2014-0224 MITM bug has existed since the very first release of OpenSSL, according to Masashi Kikuchi, the Japanese security researcher who unearthed the flaw.

"The good news is that attacks [exploiting CVE-2014-0224] need a man-in-the-middle position against the victim, and that non-OpenSSL clients (Internet Explorer, Firefox, Chrome on Desktop and iOS, Safari etc) aren't affected," Adam Langley, a senior software engineer at Google, published on his personal blog today.

"None the less, all OpenSSL users should be updating."

The DTLS flaw has also given security experts the fear. "The OpenSSL DTLS vulnerability dates from April, but was reported today. It may allow remote-code execution (OpenSSL DTLS is still a nightmare)," noted computer-science professor Matthew Green in a Twitter update.

"This OpenSSL vuln is an example of the kind of subtle protocol bug that LibreSSL's (admirable) fork is not likely to fix."

Thursday's OpenSSL.org advisory comes just weeks after the discovery of the infamous Heartbleed vulnerability.

Prof Green reckons none of the bugs would be easy to exploit – the direct opposite of the password-leaking Heartbleed hole.

The other four fixes in today's batch deal with denial-of-service-style vulnerabilities.

Nicholas J. Percoco, veep of strategic services at vulnerability management firm Rapid7, said a wide variety of servers and other internet-connected systems will need to be updated to guard against attackers exploiting these now-fixed bugs.

"The newly disclosed man-in-the-middle vulnerability disclosed in OpenSSL affects all client applications and devices that run OpenSSL when communicating to vulnerable servers of specific versions, but includes the most recent," Percoco explained.

"This likely contains the majority of systems on the internet given most rushed to upgrade OpenSSL after the Heartbleed disclosure in early April of this year. A man-in-the-middle attack is dangerous because it can allow an attacker to intercept data that was presumed encrypted between a client – for example, an end user – and a server – eg, an online bank.

"This attack is also passive in nature and will may not be detected by the client, server or network-based security controls."

Prof Green added that unearthing multiple bugs in OpenSSL was essentially a welcome development, even though it may cause some unscheduled overtime for sysadmins in the short term.

"The sudden proliferation of OpenSSL bugs is to be expected and a good thing. Like finding dirty socks during spring cleaning," he said. ®

Bootnote

Users of anonymising network Tor should definitely update as the man-in-the-middle attack affects Tor clients and relays. Readers may also recognise the name of the chap who, according to HP's ZDI team, wrote the buggy DTLS code.

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.