Another serious OpenSSL vulnerability patched

A new, widespread OpenSSL vulnerability, patched soon after Heartbleed, could expose potential victims to man-in-the-middle attacks.

As organizations around the world assess the ongoing fallout from Heartbleed, the OpenSSL Project has patched several more vulnerabilities in the open source encryption software, including one that could expose victims to man-in-the-middle attacks.

The most severe OpenSSL vulnerability of the bunch, CVE-2014-0195, is present across all client versions of OpenSSL, though only servers running versions 1.0.1 or 1.0.2-beta1 are currently affected. Attacks using the flaw can be carried out only if both the client and the server are vulnerable, according to the OpenSSL security advisory, but a successful attacker would be able to "decrypt and modify traffic from the attacked client and server."

Masashi Kikuchi, the researcher credited with reporting the vulnerability, explained in a blog post why the vulnerability had not been discovered previously.

"The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient, especially from experts who had experience with TLS/SSL implementation," said Kikuchi. "If the reviewers had enough experience, they should have verified OpenSSL code in the same way they do their own code. They could have detected the problem."

The advisory urges OpenSSL users to upgrade to one of the three patched versions provided: 0.9.8za, 1.0.0m or 1.0.1h.
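Because the flaw is only exploitable when both endpoints are unpatched, and the fix lands in a different lettered release on each branch, a defender's first step is checking `openssl version` output on both sides against the patched releases the advisory names. The following script is an added example, not code from the article or from the OpenSSL Project; it parses the version banner, handles OpenSSL's letter-suffix ordering (where `za` is newer than `y`), and reports whether a client/server pair is still exposed. The banner strings at the bottom are constructed samples, and branches the advisory does not list (such as 1.0.2-beta1) are reported as undetermined rather than guessed.

```python
import re
from typing import Optional, Tuple

# Patched releases named in the advisory summarized above, keyed by branch.
PATCHED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

# Matches banners such as "OpenSSL 1.0.1g <date>" or "OpenSSL 1.0.2-beta1 <date>".
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(?:-(beta\d+|pre\d+))?", re.IGNORECASE
)


def parse_version(banner: str) -> Tuple[str, str, Optional[str]]:
    """Split an `openssl version` banner into (branch, letter suffix, pre-release tag)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return m.group(1), m.group(2).lower(), m.group(3)


def letters_key(letters: str) -> Tuple[int, str]:
    """OpenSSL patch letters order a..z, then za, zb, ...: a longer suffix is newer."""
    return (len(letters), letters)


def is_patched(banner: str) -> Optional[bool]:
    """True if the banner is at or above the patched release for its branch,
    False if it is older, None if the advisory lists no fix for that branch."""
    branch, letters, prerelease = parse_version(banner)
    fixed = PATCHED.get(branch)
    if fixed is None:
        return None  # e.g. 1.0.2-beta1: affected per the article, but no fix listed here
    if prerelease:
        return False  # a beta/pre build of a listed branch predates its lettered fixes
    return letters_key(letters) >= letters_key(fixed)


def pair_exposed(client_banner: str, server_banner: str) -> Optional[bool]:
    """The attack needs both ends unpatched: False if either is patched,
    True if both are known-unpatched, None if either side is undetermined."""
    client, server = is_patched(client_banner), is_patched(server_banner)
    if client is True or server is True:
        return False
    if client is False and server is False:
        return True
    return None


if __name__ == "__main__":
    # Constructed sample banners (dates omitted); real output also carries a build date.
    for c, s in [
        ("OpenSSL 1.0.1g", "OpenSSL 1.0.1g"),
        ("OpenSSL 1.0.1h", "OpenSSL 1.0.1g"),
        ("OpenSSL 0.9.8y", "OpenSSL 0.9.8za"),
        ("OpenSSL 1.0.2-beta1", "OpenSSL 1.0.1g"),
    ]:
        print(f"client={c!r} server={s!r} -> exposed={pair_exposed(c, s)}")
```

Run it against the banners collected from your own hosts; a `None` result means the pair needs a manual look because one side is on a branch the advisory's fix list does not cover.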

All told, the security advisory details seven OpenSSL vulnerabilities. The Heartbleed bug has brought increased attention to the open source encryption software, with a dozen tech giants having committed millions in funding to OpenSSL and similar projects.
