Securing Your Network from the SSL/TLS MITM Vulnerability [CVE-2014-0224] (AKA CCS Injection Vulnerability)
Announcement
On June 5, 2014, the OpenSSL Development Team issued an OpenSSL Security Advisory identifying seven vulnerabilities. Of these seven vulnerabilities, one is of particular importance: “SSL/TLS MITM vulnerability [CVE-2014-0224]”.
Impact
The SSL/TLS MITM vulnerability [CVE-2014-0224] does not affect your certificate private keys, meaning you do not need to re-key or re-issue your certificates; rather, it affects an individual session. An attacker can use this vulnerability to force a handshake (connection) to use weak keying material in OpenSSL SSL/TLS clients and servers. Once this handshake is made, an attacker can use a Man-in-the-middle (MITM) attack to weaken the SSL encryption to decrypt traffic (communications) between the attacked client and server. For this attack to work, both the Server and Client must be running affected versions of OpenSSL.
Affected Versions
The versions of OpenSSL that are affected are as follows:
-
For Clients: All versions of OpenSSL
Note that clients using Internet Explorer, Firefox, Safari, and Chrome (desktop and iOS) are not affected. - For Servers: versions 1.0.1 and 1.0.2-beta1
Remediation/Fix
Patches from OpenSSL are available now at https://www.openssl.org/:
- OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.
- OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
- OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za.
If using a vendor’s version of OpenSSL, look for the correct update directly from your vendor:
Conclusion
SSL-encrypted websites and servers are still secure. The vulnerabilities that were discovered are in the software itself and not in the Certificate Authorities or SSL/TLS protocols. Once the patches are applied, your systems are secured against the vulnerabilities revealed by the OpenSSL Development team today.