Within weeks of the infamous Heartbleed vulnerability in OpenSSL, one of the world's most commonly used open-source software packages, more vulnerabilities have been found in OpenSSL. One reason is that the developers of OpenSSL and others are taking a closer look at the OpenSSL code following the discovery of Heartbleed. Yesterday, OpenSSL published a security advisory detailing seven vulnerabilities and released versions that fix them. While many of them relate to DDoS attacks (dangerous though DDoS attacks are, they don't make one lose one's sensitive data), one of the vulnerabilities (CVE-2014-024) allows a hacker to launch an MITM (man-in-the-middle) attack and snoop on unencrypted data. The hacker can thus look at sensitive data in the clear, beating OpenSSL's encryption. The impact is enormous.

To summarize: in the case of Heartbleed, the whole connection was vulnerable if either the client or the server used OpenSSL. In this case, both the OpenSSL client and the OpenSSL server have to be vulnerable for the vulnerability to be exploited. Given the huge number of other devices that use OpenSSL, such as routers, standalone devices, VPN clients and Wi-Fi access points (APs), the vulnerability is important enough.

Briefly, the vulnerability is the following. Because of a flaw in the OpenSSL implementation, it is possible to launch a man-in-the-middle attack by sending a CCS (ChangeCipherSpec) request, a single packet, to both client and server that forces them to have a zero-length pre-master key. Using this master key, all data can then be easily decrypted and snooped.

All OpenSSL client versions are vulnerable. On the server side, only OpenSSL 1.0.1 and 1.0.2 are vulnerable. However, OpenSSL recommends that everyone update their clients and servers, and new versions of OpenSSL have been made available. Here are the details for the upgrade:

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.

OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.

OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
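
As an added example (not code from the OpenSSL advisory or from this post's author), the following Python sketch checks a version string, such as the first line printed by `openssl version`, against the fixed releases listed above, including the letter ordering in which 0.9.8za follows 0.9.8z. The function names and the sample strings are assumptions made for illustration.

```python
import re

# Fixed release letter per branch, taken from the upgrade list above.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}
# Server branches the article names as vulnerable.
SERVER_BRANCHES = {"1.0.1", "1.0.2"}

_VERSION = re.compile(r"(?:OpenSSL\s+)?(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Split '1.0.1g' or 'OpenSSL 1.0.1g 7 Apr 2014' into (branch, letters)."""
    m = _VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    return m.group(1), m.group(2)


def letter_rank(letters):
    """Order patch letters: '' < a < ... < z < za < zb (so 'za' is newer than 'z')."""
    return sum(ord(ch) - ord("a") + 1 for ch in letters)


def assess(text):
    """Classify a version string against the fixed releases in FIXED."""
    branch, letters = parse_version(text)
    fixed = FIXED.get(branch)
    if fixed is None:
        status = "unknown"  # no fixed release for this branch in the list above
    elif letter_rank(letters) >= letter_rank(fixed):
        status = "patched"
    else:
        status = "upgrade"
    return {
        "branch": branch,
        "status": status,
        "target": branch + fixed if fixed else None,
        "server_affected": branch in SERVER_BRANCHES,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real hosts.
    for sample in ("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 0.9.8y 5 Feb 2013",
                   "0.9.8za", "1.0.0m", "1.0.2-beta1"):
        print(sample, "->", assess(sample))
```

Operating-system packages often backport security fixes without changing the upstream version letter, so an "upgrade" result for a distribution build should be confirmed against the package changelog.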

The best fix, then, is to upgrade all OpenSSL clients and servers to whichever of the fixed versions listed above applies. If you are an Indusface customer protecting your website using Indusface WAF, there is a better solution. IndusGuard WAF has been upgraded to run a version of OpenSSL that has fixed this vulnerability. Since both client and server have to be vulnerable for this vulnerability to be exploited, an Indusface WAF that works as a proxy in the middle emulates a server for the client, and hence you would be secure.

Of course, you would have to upgrade your OpenSSL clients too so that they are secure when accessing other OpenSSL servers which may be vulnerable.
