Summary
OpenSSL is prone to security-bypass vulnerability.
Impact
Successfully exploiting this issue may allow attackers to obtain sensitive information by conducting a man-in-the-middle attack. This may lead to other attacks.
Solution
Updates are available.
Insight
OpenSSL does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability.
Affected
OpenSSL before 0.9.8za,
1.0.0 before 1.0.0m and
1.0.1 before 1.0.1h
Detection
Send two SSL ChangeCipherSpec request and check the response.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2014-0224 -
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Adobe Reader Old Plugin Signature Bypass Vulnerability (Windows)
- Apple iTunes Tutorials Window Security Bypass Vulnerability (Windows)
- Adobe Digital Edition Information Disclosure Vulnerability (Mac OS X)
- Apple Safari Webkit Multiple Vulnerabilities - March 2011
- Arora Common Name SSL Certificate Spoofing Vulnerability (Linux)