Heartbleed siblings plague OpenSSL

Multiple flaws discovered, including hazardous man-in-the-middle vulnerability

Tags: Google IncorporatedRapid 7 (www.rapid7.com)
  • E-Mail
Heartbleed siblings plague OpenSSL OpenSSL continues to be burdened with vulnerabilities even though Heartbleed was patched in the latest version.
By  Stephen McBride Published  June 8, 2014

The team responsible for open-source data-encryption suite OpenSSL has been forced to address a further six security flaws following the patching of the infamous Heartbleed vulnerability, UK tech site The Register reported.

One bug opens the door to MITM (man-in-the-middle) attacks, which allow eavesdropping and manipulation of encrypted sessions. Another affects the Datagram Transport Layer Security protocol (DTLS) and is present in OpenSSL versions 0.9.8, 1.0.0 and 1.0.1 (the Heartbleed version).

DTLS is a version of TLS (OpenSSL is based on TLS and SSL; more information is available here) that uses UDP (a fire-and forget protocol for sending data that is not bit-sensitive, such as streaming video) rather than TCP (a data transmission protocol that allows guaranteed delivery through constant communication between client and host).

But the MITM flaw is potentially the most hazardous and OpenSSL operators issued a warning on its dangers.

"An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers," the advisory said.

"This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution."

Continues on next page>>

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code