OpenSSL SSL/tls mitm Vulnerability (CVE-2014-0224)

OpenSSL SSL/tls mitm Vulnerability (CVE-2014-0224)

Release date:
Updated on: 2014-06-06

Affected Systems:
OpenSSL Project OpenSSL <1.0.0m
OpenSSL Project OpenSSL <1.0.0h
OpenSSL Project OpenSSL <0.9.8za
Description:
--------------------------------------------------------------------------------
Bugtraq id: 67899
CVE (CAN) ID: CVE-2014-0224
 
OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications.
 
OpenSSL versions earlier than 0.9.8za, 1.0.0m, and 1.0.1h do not properly process ChangeCipherSpec messages, which allows man-in-the-middle attackers to use a zero-length master key in some OpenSSL-to-OpenSSL communications, then, a special TLS handshake is used to hijack the session and obtain sensitive information.

OpenSSL TLS heartbeat read remote information leakage (CVE-2014-0160)

Severe OpenSSL bug allows attackers to read 64 KB of memory, fixed in half an hour in Debian

OpenSSL "heartbleed" Security Vulnerability

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.
 
<* Source: KIKUCHI Masashi

Link: http://secunia.com/advisories/58403/
Http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html
Http://www.openssl.org/news/secadv_20140605.txt
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
OpenSSL Project
---------------
The OpenSSL Project has released a Security Bulletin (secadv_20140605) and corresponding patches:
Secadv_20140605: SSL/tls mitm vulnerability (CVE-2014-0224)
Link: http://www.openssl.org/news/secadv_20140605.txt

OpenSSL details: click here
OpenSSL: click here

This article permanently updates the link address: