OpenSSL vulnerable to man-in-the-middle attacks

Exploits of this flaw could force a client and server to negotiate the less secure SSL 2.0, even if both parties support the more secure SSL 3.0 or TLS 1.0 protocols.

The latest versions of OpenSSL fix a security hole malicious users could exploit to evade security restrictions and launch man-in-the-middle attacks, according to the Open SSL Project and other security organizations.

More on the Secure Sockets Layer

SSL: A quick primer

Are SSL VPNs more security than the IPSec variety? Users weigh in.

The problem is an error in how the SSL_OP_MSIE_SSLV2_RSA_PADDING option is handled and potentially affects applications using the SSL/TLS server implementation provided by OpenSSL.

"This option is implied by use of SSL_OP_ALL, which is intended to work around various bugs in third-party software that might prevent interoperability," the OpenSSL Project said in an advisory. The option also "disables a verification step in the SSL 2.0 server [that's] supposed to prevent active protocol-version rollback attacks."

With this verification step disabled, an attacker acting as a man in the middle can force a client and a server to negotiate the SSL 2.0 protocol even if these parties both support the more secure SSL 3.0 or TLS 1.0 protocols, the advisory said, adding, "The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported as a fallback only."

The Open Source Project said the vulnerability was found in all previously released versions of OpenSSL, specifically all versions before 0.9.7h and 0.9.8a. The project has released versions 0.9.7h and 0.9.8a to address the problem.

Danish security firm Secunia noted in an advisory that successful exploitation requires that SSL 2.0 is enabled, and either the SSL_OP_MSIE_SSLV2_RSA_PADDING or the SSL_OP_ALL option is used.

The OpenSSL Project describes itself on its Web site as a "collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols as well as a full-strength general purpose cryptography library."

Dig deeper on SSL and TLS VPN Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close