Heartbleed siblings plague OpenSSL
Multiple flaws discovered, including hazardous man-in-the-middle vulnerability
The team responsible for open-source data-encryption suite OpenSSL has been forced to address a further six security flaws following the patching of the infamous Heartbleed vulnerability, UK tech site The Register reported.
One bug opens the door to MITM (man-in-the-middle) attacks, which allow eavesdropping and manipulation of encrypted sessions. Another affects the Datagram Transport Layer Security protocol (DTLS) and is present in OpenSSL versions 0.9.8, 1.0.0 and 1.0.1 (the Heartbleed version).
DTLS is a version of TLS (OpenSSL is based on TLS and SSL; more information is available here) that uses UDP (a fire-and forget protocol for sending data that is not bit-sensitive, such as streaming video) rather than TCP (a data transmission protocol that allows guaranteed delivery through constant communication between client and host).
But the MITM flaw is potentially the most hazardous and OpenSSL operators issued a warning on its dangers.
"An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers," the advisory said.
"This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution."
Continues on next page>>
The MITM bug has been present throughout OpenSSL's history, according to Masashi Kikuchi, the Japanese researcher who discovered the bug.
"The good news is that attacks [using the MITM flaw] need a man-in-the-middle position against the victim, and that non-OpenSSL clients (Internet Explorer, Firefox, Chrome on Desktop and iOS, Safari etc) aren't affected," Adam Langley, a senior software engineer at Google, published on his personal blog on Thursday.
While not as easy to exploit as Heartbleed, the MITM flaw could be widely spread, as many OpenSSL runners upgraded their systems in response to Heartbleed.
"The newly disclosed man-in-the-middle vulnerability disclosed in OpenSSL affects all client applications and devices that run OpenSSL when communicating to vulnerable servers of specific versions, but includes the most recent," said Nicholas J Percoco, VP, Strategic Services, Rapid7.
"This likely contains the majority of systems on the Internet given most rushed to upgrade OpenSSL after the Heartbleed disclosure in early April of this year.
"A man-in-the-middle attack is dangerous because it can allow an attacker to intercept data that was presumed encrypted between a client - for example, an end user - and a server - eg, an online bank. This attack is also passive in nature and may not be detected by the client, server or network-based security controls."