Figure. List of the latest patched OpenSSL vulnerabilities
The OpenSSL project recently released patches for several OpenSSL vulnerabilities, two of which are marked as critical. One of the critical vulnerabilities, OpenSSL CVE-2014-0224 Man in the Middle Security Bypass Vulnerability (CVE-2014-0224), could let an attacker carry out a man-in-the-middle attack, allowing them to intercept traffic between a vulnerable client and a vulnerable server. One way that attackers could exploit this flaw is by setting up a rogue Wi-Fi hotspot in a public area. If a user connects to this rogue access point, the attackers controlling the hotspot could steal their data, even though the traffic is encrypted. All versions of OpenSSL for clients, along with servers with OpenSSL versions 1.0.1 and 1.0.2-beta1, are affected by the CVE-2014-0224 vulnerability. There have been no reports of attackers exploiting these vulnerabilities in the wild.
The announcement comes just two months after the reveal of the Heartbleed vulnerability, which allowed attackers to intercept secure communications and steal sensitive information. Indeed, CVE-2014-0224 seems similar to the Heartbleed vulnerability, as it could result in the exposure of users' data. However, CVE-2014-0224 is not the same as Heartbleed, as an attacker needs to perform a man-in-the-middle attack in order to exploit the flaw, whereas with Heartbleed, an attacker only needed to send a malicious Heartbeat message to a vulnerable OpenSSL server. Also, for CVE-2014-0224, if either the client or server is not vulnerable, then the man-in-the-middle attack won’t work, according to the advisory.
The second critical vulnerability, OpenSSL CVE-2014-0195 Memory Corruption Vulnerability (CVE-2014-0195), which affects DTLS a secure network communications protocol. The flaw could allow an attacker to remotely execute code on a vulnerable client or server.
Currently, there has been no proof-of-concept released on how these critical vulnerabilities could be exploited.
As highlighted with the Heartbleed vulnerability, OpenSSL is used in a countless number of services and products, such as Web servers, email clients, mobile applications, VPN clients, operating systems, and routers. The OpenSSL project has made the patches for these vulnerabilities available, so OpenSSL users should perform an audit on their software and servers and apply the fixes as appropriate.
Symantec is currently investigating the potential impact of this vulnerability in order to allow our Intrusion Prevention Signature (IPS) product to protect customers from attacks exploiting this flaw.
Advice for consumers:
- Install manufacturer-supplied updates immediately
- Avoid using unsecured Wi-Fi
- Regularly change passwords and do not re-use passwords
Advice for enterprises:
- OpenSSL 0.9.8 users should upgrade to 0.9.8za
- OpenSSL 1.0.0 users should upgrade to 1.0.0m
- OpenSSL 1.0.1 users should upgrade to 1.0.1h