OpenSSL CCS Man In The Middle Security Bypass Vulnerability Network Vulnerability

Summary

OpenSSL is prone to security-bypass vulnerability.

Impact

Successfully exploiting this issue may allow attackers to obtain sensitive information by conducting a man-in-the-middle attack. This may lead to other attacks.

Solution

Updates are available.

Insight

OpenSSL does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability.

Affected

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m and 1.0.1 before 1.0.1h

Detection

Send two SSL ChangeCipherSpec request and check the response.

References

http://openssl.org/
http://www.securityfocus.com/bid/67899

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-0224

CVSS	Base Score: 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Adobe Reader Information Disclosure Vulnerability Jun05 (Windows)
Apple Safari 'Webkit' Information Disclosure Vulnerability (Win)
Adobe LiveCycle Designer Untrusted Search Path Vulnerability (Windows)
Apple QuickTime Multiple Arbitrary Code Execution Vulnerabilities (Win)
Apple Mac OS X Multiple Vulnerabilities - 02 Jan14

OpenSSL CCS Man in the Middle Security Bypass Vulnerability

Take action and discover your vulnerabilities