OpenSSL man-in-the-middle Security Restriction Bypass Vulnerability

OpenSSL man-in-the-middle Security Restriction Bypass Vulnerability

Release date:
Updated on:

Affected Systems:
OpenSSL Project OpenSSL <0.9.8zd
OpenSSL Project OpenSSL 1.0.1-1.0.1k
OpenSSL Project OpenSSL 1.0.0-1.0.0p
Description:
Bugtraq id: 71936
CVE (CAN) ID: CVE-2015-0204

OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications.

In OpenSSL 0.9.8zd and 1.0.0-1.0.0p and 1.0.1-1.0.1k versions, the ssl3_get_key_exchange function of s3_clnt.c has a security vulnerability. The remote SSL server provides weak temporary RSA keys in non-compliant roles, this vulnerability can be exploited to perform a RSA-to-EXPORT_RSA Downgrade Attack for brute force decryption.

<* Source: Karthikeyan Bhargavan
*>

Suggestion:
Vendor patch:

OpenSSL Project
---------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Https://www.openssl.org/news/secadv_20150108.txt

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.

Use OpenSSL to sign multi-domain certificates

OpenSSL details: click here
OpenSSL: click here

This article permanently updates the link address: