
OpenSSL’s latest flaw has been around for 16 years

Remember the Heartbleed bug that sent shock waves through the internet in April? Well, a similar vulnerability has been discovered by the open-source development group for OpenSSL. The fault, which lies within the protocol, can compromise data integrity or let attackers carry out man-in-the-middle attacks.

The vulnerability has been creatively named CVE-2014-0224, or the CCS Injection Vulnerability. According to a blog post on OpenSSL.org, “An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.”

But you shouldn’t worry too much about it: security specialists have already noted that while the exploit shouldn’t just be brushed over, it isn’t as serious as the previously discovered Heartbleed exploit was. This is because, unlike Heartbleed, CVE-2014-0224 requires both ends of the connection to be vulnerable.

“The attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution,” OpenSSL said.

OpenSSL is an open-source implementation of the SSL and TLS cryptographic protocols, which are designed to provide secure communications over the Internet. Many websites make use of OpenSSL, including Amazon, Facebook, Google and Yahoo.

The latest vulnerability has been present for at least 16 years, and the discoverer, researcher Masashi Kikuchi of Lepidum Co. Ltd., said it went undiscovered for so long because of insufficient code reviews.

“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experience with TLS/SSL implementation. If the reviewers had enough experience, they should have verified OpenSSL code in the same way they do their own code. They could have detected the problem,” Kikuchi explained in a blog post.

[Source – OpenSSL]
