Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit here or GitHub Ξ
Ξ If you're looking for tutorials/guides, check out the new https://cryptostorm.is/#section6 Ξ

[eWeek] OpenSSL Finds and Fixes 7 New Security Flaws

Industry news items concerning VPNs, darknets, crypto, surveillance and secure computing.
User avatar

Topic Author
parityboy
Site Admin
Posts: 1281
Joined: Wed Feb 05, 2014 3:47 am

[eWeek] OpenSSL Finds and Fixes 7 New Security Flaws

Postby parityboy » Fri Jun 06, 2014 5:30 pm

The Internet Storm Center (ISC SANS) ranks two of the newly patched flaws as critical. One, identified as CVE-2014-0224, is an SSL man-in-the-middle (MITM) vulnerability that could have a widespread, critical impact. In an MITM attack, the attacker is able to intercept encrypted messages sent between secured endpoints and decrypt the message.

"An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS [Secure Sockets Layer/Transfer Layer Security] clients and servers," OpenSSL warns in its advisory. "This can be exploited by a man-in-the-middle attack where the attacker can decrypt and modify traffic from the attacked client and server."

The OpenSSL Project cautions that all client versions of OpenSSL are vulnerable to CVE-2014-0224. The OpenSSL advisory notes that CVE-2014-0224 was reported to the OpenSSL Project May 1.

The other OpenSSL update rated as critical is for the flaw identified as CVE-2014-0195 and is a Datagram Transport Layer Security (DTLS) invalid fragment vulnerability that was reported to the project on April 23.

"A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server," the OpenSSL advisory warns. "This is potentially exploitable to run arbitrary code on a vulnerable client or server."

DTLS is also at the core of the CVE-2014-0221 flaw, which is a DTLS recursion flaw that ISC SANS has rated critical.

"By sending an invalid DTLS handshake to an OpenSSL DTLS client, the code can be made to recurse, eventually crashing in a DoS attack," the OpenSSL advisory states.


Source

Return to “crypto, VPN & security news”

Who is online

Users browsing this forum: No registered users and 8 guests

cron

Login