Another bugs in the OpenSSL found and patched this thursday, these bugs allowed an attacker to spying on Encrypted SSL/TLS communications.
This Vulnerability tracked as CVE-2014-0224, which can use be used to decrypt and modify SSL (Secure- Sockets Layer) and TLS (Transport Layer Security) traffic between clients and servers that use OpenSSL, if the version of the library on the server is 1.0.1 or newer.
For a successful attack, attacker needs to intercept the connections between a targeted client and the server, which is a Man-in-the-Middle-Attack position and attackers reach over there through cracking your routers security or by using other methods.
One of the researcher named ‘Masashi Kikuchi’ from Japanese IT Consulting company Lepdium discovered this vulnerability and now patched in OpenSSL 0.9.8za, 1.0.0m and 1.0.1h released Thursday. These new versions also address three denial-of-service issues and a remote code execution vulnerability when the library is used for Datagram Transport Layer Security (DTLS) connections.
The man-in-the-middle attack is possible because OpenSSL accepts ChangeCipherSpec (CCS) messages inappropriately during a TLS handshake, Kikuchi said in a blog post. These messages, which mark the change from unencrypted to encrypted traffic, must be sent at specific times during the TLS handshake, but OpenSSL accepts CCS messages at other times as well, Kikuchi said.
Are you affected?
While all servers using OpenSSL are at risk until they’ve been upgraded, the bug only affects clients that use the OpenSSL protocol. Thus most major browsers (Chrome, Firefox, Internet Explorer, Safari) aren’t at risk, though browsers that do use OpenSSL, like Chrome on Android, may be affected.
Are you running OpenSSL?
If you are running OpenSSl-based server, then you should apply the OpenSSL Group’s recommended updates.
SOURCE: PC World
