Get a free application, infrastructure and malware scan report - Scan Your Website Now

Subscribe to our Newsletter
Try AppTrana WAAP (WAF)
Managed WAF Start at $99

OpenSSL MITM CCS vulnerability and its impact

Posted DateJune 6, 2014
Posted Time 2   min Read

Within weeks of the infamous Heartbleed vulnerability in one of the world’s most commonly used open-source software OpenSSL, more vulnerabilities have been found in OpenSSL. One of the reasons for this is that developers of OpenSSL and others are having a closer look at the OpenSSL code following the discovery of Heartbleed. Yesterday, OpenSSL came up with a security advisory detailing seven vulnerabilities and has released versions fixing these vulnerabilities. While many of them relate to the prevalence of DDoS attacks – dangerous though DDoS attacks are, they don’t make one lose one’s sensitive data – one of the vulnerabilities ( CVE-2014-024) allows a hacker to launch a MITM (man in the middle attack) and snoop on unencrypted data.  The hacker can thus look at sensitive data in the clear, beating OpenSSL’s encryption. The impact is enormous.

To summarize, unlike in the case of Heartbleed where even if either client or server uses OpenSSL, the whole connection would be vulnerable, in this case, both OpenSSL Client and Server have to be vulnerable for exploiting this vulnerability. There being the huge number of other devices using OpenSSL — routers, standalone devices, VPN clients, wifi access points (AP), etc — the vulnerability is important enough.

Briefly, vulnerability is the following. Because of a flaw in OpenSSL implementation, it is possible to launch a man-in-the-middle attack by sending a CCS ( ChangeCipheSpec) request, a single packet to both client and server that forces them to have a zero-length pre-master key. Using this master key, all data can then be easily decrypted and snooped.

All OpenSSL client versions are vulnerable. As to the OpenSSL server, only 1.0.1 and 1.0.2 are vulnerable. OpenSSL recommends however that everyone update their clients and servers. And new versions of OpenSSL have been made available Here are the details for the upgrade:

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.

OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.

OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

The best fix for the above then is to upgrade all OpenSSL clients and servers with the above versions that apply. In case you are Indusface customer protecting your website using Indusface WAF, there is a better solution. Indusface WAF has been upgraded to run a version of OpenSSL that has fixed this vulnerability. Since, for this vulnerability to be exploited, both client and server have to be vulnerable, an Indusface WAF that works like a proxy in the middle emulates a server for the client and hence you would be secure.

Of course, you would have to upgrade your OpenSSL clients too so that they are secure when accessing other OpenSSL servers that may be vulnerable.

web application security banner

Spread the love

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

DDoS Attack Mitigation Playbook
DDoS Attack Mitigation Playbook for SOC and DevOps Teams

Facing DDoS threats? Arm your SOC & DevOps teams with effective mitigation strategies. Explore geo-fencing, IP blacklisting, and rate limiting in our playbook.

Spread the love

Read More
poor firewall implementation paves way for DDoS attacks
Poor Firewall Implementations Pave Wave for DDoS Attacks

What are these implementation flaws that make firewalls susceptible to DDoS attacks? What can you do to fortify their security posture?

Spread the love

Read More
Application Layer/Layer 7 DDoS Attacks
3 Effective Techniques to Mitigate Application Layer DDoS Attacks

Application Layer DDoS attacks are very hard to detect because they attack application-specific resources. Learn how to mitigate this attack.

Spread the love

Read More


Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Know More Take Free Trial


Indusface is the only cloud WAAP (WAF) vendor with 100% Customer Recommendation for 3 consecutive years.

A Customers’ Choice for 2022 and 2023 - Gartner® Peer Insights™

The reviews and ratings are in!