
OpenSSL vulnerable to man-in-the-middle attacks

Bill Brenner

The latest versions of OpenSSL fix a security hole that malicious users could exploit to evade security restrictions and launch man-in-the-middle attacks, according to the OpenSSL Project and other security organizations.


The problem is an error in how the SSL_OP_MSIE_SSLV2_RSA_PADDING option is handled and potentially affects applications using the SSL/TLS server implementation provided by OpenSSL.

"This option is implied by use of SSL_OP_ALL, which is intended to work around various bugs in third-party software that might prevent interoperability," the OpenSSL Project said in an advisory. The option also "disables a verification step in the SSL 2.0 server [that's] supposed to prevent active protocol-version rollback attacks."

With this verification step disabled, an attacker acting as a man in the middle can force a client and a server to negotiate the SSL 2.0 protocol even if these parties both support the more secure SSL 3.0 or TLS 1.0 protocols, the advisory said, adding, "The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported as a fallback only."

The OpenSSL Project said the vulnerability affects all previously released versions of OpenSSL, that is, every version before 0.9.7h and 0.9.8a. The project has released versions 0.9.7h and 0.9.8a to address the problem.

Danish security firm Secunia noted in an advisory that successful exploitation requires that SSL 2.0 be enabled and that either the SSL_OP_MSIE_SSLV2_RSA_PADDING option or the SSL_OP_ALL option (which implies it) be in use.
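The two conditions Secunia lists are both properties of the option mask a server passes to SSL_CTX_set_options(), and the trap is that SSL_OP_ALL silently carries the dangerous bit. The following is an added example, not code from the article or from the OpenSSL project: it audits an option mask for the exposed combination and builds a hardened mask that keeps the other interoperability workarounds while dropping the MSIE SSL 2.0 padding one and refusing SSL 2.0 outright. The three bit values are assumed to match those in the ssl.h header of OpenSSL 0.9.8 and are hard-coded here only so the file compiles without libssl; real code would include <openssl/ssl.h> and use its macros.

```c
/* Added example (not from the article or the OpenSSL project): audit and
 * harden an OpenSSL option mask against the SSL 2.0 rollback condition the
 * article describes. The bit values below are assumed to be those of
 * OpenSSL 0.9.8's ssl.h and are hard-coded so this compiles without linking
 * libssl; real code would use the macros from <openssl/ssl.h> and pass the
 * result to SSL_CTX_set_options(). */
#include <stdio.h>

#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L  /* implied by SSL_OP_ALL */
#define SSL_OP_ALL                    0x00000FFFL  /* all interop workarounds */
#define SSL_OP_NO_SSLv2               0x01000000L  /* refuse SSL 2.0 entirely */

/* Returns 1 when a server built with SSL 2.0 support and configured with
 * these options matches the exposed combination from the advisory:
 * SSL 2.0 is still negotiable and the MSIE padding workaround is on. */
int rollback_exposed(long options, int sslv2_compiled_in)
{
    int sslv2_enabled = sslv2_compiled_in && !(options & SSL_OP_NO_SSLv2);
    return (sslv2_enabled && (options & SSL_OP_MSIE_SSLV2_RSA_PADDING)) ? 1 : 0;
}

/* Builds the mask to hand to SSL_CTX_set_options(): keep every other
 * SSL_OP_ALL workaround, clear the MSIE SSL 2.0 padding bit, and add
 * SSL_OP_NO_SSLv2 so the fallback protocol can never be negotiated. */
long hardened_options(long requested)
{
    return (requested & ~SSL_OP_MSIE_SSLV2_RSA_PADDING) | SSL_OP_NO_SSLv2;
}

int main(void)
{
    long naive = SSL_OP_ALL;            /* the common, exposed configuration */
    long safe  = hardened_options(naive);

    printf("SSL_OP_ALL            -> exposed: %d\n", rollback_exposed(naive, 1));
    printf("hardened_options()    -> exposed: %d\n", rollback_exposed(safe, 1));
    printf("SSL_OP_ALL, no SSLv2  -> exposed: %d\n", rollback_exposed(naive, 0));
    return 0;
}
```

One caveat for the affected 0.9.7 and 0.9.8 releases: SSL_CTX_set_options() only ORs bits into the context, so a bit that SSL_OP_ALL has already set cannot be taken back with a second call; the mask has to be built correctly before the first call, as hardened_options() does. Either change alone (dropping the padding bit or setting SSL_OP_NO_SSLv2) removes one of Secunia's two preconditions, but upgrading to 0.9.7h or 0.9.8a remains the actual fix.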

The OpenSSL Project describes itself on its Web site as a "collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols as well as a full-strength general purpose cryptography library."

