Within weeks of the infamous Heartbleed vulnerability in one of world’s most commonly used open-source software OpenSSL, more vulnerabilities have been found in OpenSSL. One of the reasons for this is that developers of OpenSSL and others are having a closer look at the OpenSSL code following the discovery of Heartbleed. Yesterday, OpenSSL came up with a security advisory detailing seven vulnerabilities and has released versions fixing these vulnerabilities. While many of them relate to prevalence of DDoS attacks – dangerous though DDoS attacks are, they don’t make one lose one’s sensitive data – one of the vulnerabilities ( CVE-2014-024) allows a hacker to launch an MITM (man in the middle attack) and snoop on unencrypted data.  The hacker can thus look at sensitive data in the clear, beating OpenSSL’s encryption. The impact is enormous.

To summarize, unlike in the case of Heartbleed where even if either client or server uses OpenSSL, the whole connection would be vulnerable, in this case both OpenSSL Client and Server have to be vulnerable for exploiting this vulnerability. There being huge number of other devices using OpenSSL — routers, standalone devices, vpn clients, wifi access points (AP) etc — the vulnerability is important enough.

Briefly the vulnerability is the following. Because of a flaw in OpenSSL implementation, it is possible to launch a man-in-the-middle attack  by sending a CCS ( ChangeCipheSpec) request, a single packet to both client and server that forces them to have a zero length pre master key. Using this master key, all data can then be easily decrypted and snooped.

All OpenSSL client versions are vulnerable. As to OpenSSL server, only 1.0.1 and 1.0.2 are vulnerable. OpenSSL recommends however that everyone update their clients and servers. And new versions of OpenSSL have been made available Here are the details for the upgrade:

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.

OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.

OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

The best fix for the above then is to upgrade all OpenSSL clients and servers with the above versions that apply. In case you are Indusface customer protecting your website using Indusface WAF, there is  a better solution. IndusGuard WAF has been upgraded to run a version of OpenSSL that has fixed this vulnerability. Since, for this vulnerability to be exploited, both client and server have to be vulnerable, an Indusface WAF that works as a proxy in the middle emulates a server for the client and hence you would be secure.

Of course, you would have to upgrade your OpenSSL clients too so that they are secure when accessing other OpenSSL servers which may be vulnerable.

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.