A10: Brace for more OpenSSL bugs
Most serious is the CCS injection flaw, according to A10 Networks' Glen Ogden
In the wake of the furore over the Heartbleed OpenSSL vulnerability, Middle East organisations need to prepare for future OpenSSL bugs, according to Glen Ogden, regional sales director at A10 Networks.
On June 5, the OpenSSL Project published a security advisory revealing six new OpenSSL vulnerabilities. Ogden said that the most serious of these is a ChangeCipherSpec (CCS) injection flaw that affects every version of OpenSSL.
"Discovered by researcher Masashi Kikuchi at Lepidum Co., the CCS injection flaw (CVE-2014-0224) is a man-in-the-middle attack that allows malicious users to decrypt and modify traffic sent between the client and the server," he said.
"In order for the attack to be successful, both the client and the server must be vulnerable. While all versions of OpenSSL are vulnerable when acting as an SSL client, only OpenSSL versions 1.0.1 and 1.0.2-beta1 are vulnerable when deployed as an SSL server."
Ogden admitted that the CCS injection flaw is not as easy to exploit as the Heartbleed bug, but he still described it as a serious security risk. He said that, after upgrading scores of servers and devices for Heartbleed, IT admins will have to repeat their efforts to protect against CCS injection risks.
And with more researchers turning their attention to OpenSSL, Ogden warned that further OpenSSL bugs will inevitably follow, leaving organisations spending an inordinate amount of time patching their servers.
To avoid this, he suggested, IT admins could instead terminate SSL traffic on their application delivery controllers.
"Offloading SSL traffic not only reduces the application server load, it also lowers operations costs because administrators do not need to manage SSL certificates on each individual server," he said.
"And in the event of a vulnerability outbreak, administrators can avoid patching each individual server."