Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Sunday, 5 February, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Fresh OpenSSL flaw "will have far less impact than Heartbleed"

by The Gurus
June 6, 2014
in Editor's News
Share on FacebookShare on Twitter

Around two months after the OpenSSL flaw “Heartbleed” shook the internet’s privacy foundations, new vulnerabilities have been discovered in the protocol.
 
According to an advisory, an attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
 
While still serious, the attack can only be performed between a vulnerable client and server. The flaw was discovered by Kikuchi Masashi of Lepidum, who said in his advisory that the problem is that OpenSSL accepts ChangeCipherSpec inappropriately during a handshake, and this bug has existed since the very first release of OpenSSL.
 
He said: “OpenSSL sends ChangeCipherSpec in exact timing itself. However, it accepts ChangeCipherSpec at other timings when receiving. Attackers can exploit this behaviour so that they can decrypt and/or modify data in the communication channel.
 
“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation. If the reviewers had enough experiences, they should have been verified OpenSSL code in the same way they do their own code. They could have detected the problem.”
 
Ivan Ristic, director of Qualys SSL Labs, said that the vulnerabilities are serious, but will have far less impact than Heartbleed. “The main vulnerability (CVE-2014-0224) is a man-in-the-middle type scenario between two machines running OpenSSL that allows for the decryption of the data sent; in most of our typical communication (browser web server) we do not have two machines running OpenSSL, because the browser uses a different SSL library.
 
“So while there are certainly situations where OpenSSL talks to OpenSSL, for example in command line tools, server to server communication and also in Android browsers (Chrome and native), which use OpenSSL, the conditions necessary for exploitation are quite a bit harder to find.”
 
Steve Pate, chief architect at HyTrust, said he was not surprised that there are a number of newly reported flaws in OpenSSL. “After the Heartbleed bug was announced, one thing we could guarantee was that all eyes would be on the OpenSSL source code, scrutinizing it for issues,” he said.
 
“I personally feel encouraged that the community has risen to the challenge to ensure that OpenSSL becomes a better product and that issues are found and fixed quickly. What concerns me more is the length of time that vendors will take to apply the patches. As with Heartbleed, we can guarantee that the security conscious vendors on the web will move fast. However, how many servers and routers are still out there vulnerable to the Heartbleed bug, never mind these new vulnerabilities.”

FacebookTweetLinkedIn
Tags: FlawOpen SourceOpenSSLVulnerability
ShareTweetShare
Previous Post

June patch Tuesday will see long-standing IE bug fixed

Next Post

Cyber crime Remains Growth Industry With $445 Billion Lost

Recent News

london-skyline-canary-wharf

Ransomware attack halts London trading

February 3, 2023
Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

February 2, 2023
JD Sports admits data breach

JD Sports admits data breach

January 31, 2023
Acronis seals cyber protection partnership with Fulham FC

Acronis seals cyber protection partnership with Fulham FC

January 30, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information