More bugs have been found in OpenSSL, the same security technology that was affected by the Heartbleed bug. The OpenSSL Foundation published an advisory on June 5 on several bugs, including a classic “man-in-the-middle” (MITM) attack in which a third party can eavesdrop on or modify data traffic between two points.
Called a “7” on a scale of “1 to Heartbleed” by The Register, the attack can only be performed between a vulnerable client and server, stressed the OpenSSL Foundation. “OpenSSL clients are vulnerable in all versions of OpenSSL,” stated the OpenSSL Foundation in the advisory. “Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.”
The MITM bug was discovered by Masashi Kukichi of Lepidum, which highlights it as a CCS injection vulnerability and an OpenSSL implementation problem. “This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt them while forcing SSL clients to use weak keys which are exposed to the malicious nodes. There are risks of tampering with and exploits on contents and authentication information over encrypted communication via web browsing, e-mail and VPNs when the software uses the affected version of OpenSSL,” reads a statement on the Lepidum website.
While the OpenSSL Foundation has said that the attack can only occur when both client and server are vulnerable, Lepidum says that attackers can hijack an authenticated session if the server is vulnerable even if the client is not vulnerable.
The news, picked up by Wired and others, shakes industry confidence on using open source code like OpenSSL for enterprise computing. OpenSSL is an open source version of Transport Layer Security (TLS) and Secure Sockets Layer (SSL),which is technology for secure communications over the Internet. It was thought to be extremely secure and is used for many websites and virtual private networks.