A newly discovered vulnerability that allows spying on encrypted SSL/TLS communications has been identified and fixed in the widely used OpenSSL library.
The vulnerability, which is being tracked as CVE-2014-0224, can be exploited to decrypt and modify SSL (Secure Sockets Layer) and TLS (Transport Layer Security) traffic between clients and servers that use OpenSSL, if the version of the library on the server is 1.0.1 or newer.
[ Build and deploy an effective line of defense against corporate intruders with InfoWorld's Encryption Deep Dive PDF expert guide. Download it today! | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
In order to pull off a successful attack, the attacker would first need to be able to intercept connections between a targeted client and a server. This is known as a MitM (man-in-the-middle) position and can be gained on insecure wireless networks, by hacking into routers or by using other methods.
The security flaw was discovered by Masashi Kikuchi, a researcher from Japanese IT consulting company Lepidum, and was patched in OpenSSL 0.9.8za, 1.0.0m and 1.0.1h released Thursday. These new versions also address three denial-of-service issues and a remote code execution vulnerability when the library is used for DTLS (Datagram Transport Layer Security) connections.
The man-in-the-middle attack is possible because OpenSSL accepts CCS (ChangeCipherSpec) messages inappropriately during a TLS handshake, Kikuchi said in a blog post. These messages, which mark the change from unencrypted to encrypted traffic, must be sent at specific times during the TLS handshake, but OpenSSL accepts CCS messages at other times as well, Kikuchi said.
The problematic code has existed since at least OpenSSL 0.9.1c, which was released in December 1998, so the bug is over 15 years old, Adam Langley, a senior software engineer at Google, said in an analysis of the issue posted on his personal blog.
According to a security advisory published Thursday by the OpenSSL developers, OpenSSL-based clients are vulnerable regardless of the version used, but servers are only vulnerable if they run OpenSSL 1.0.1x and 1.0.2-beta1.
A change made in OpenSSL 1.0.1 to correct a different issue interacts badly with the CCS bug and enables attacks against servers using that version of the library, Langley said. If the server uses OpenSSL 1.0.1 or later "it's possible for the attacker to decrypt and/or hijack the connection completely," he said.
OpenSSL 1.0.1 was released in March 2012 and according to Ivan Ristic, who runs the SSL Labs at security vendor Qualys, around 24 percent of SSL servers currently use this version.
"The good news is that these attacks need man-in-the-middle position against the victim and that non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari etc.) aren't affected," Langley said. "None the less, all OpenSSL users should be updating."
However, even if the major browsers are not vulnerable because they have their own SSL/TLS implementations, a lot of other software does rely OpenSSL, including mobile applications.