On Thursday, the OpenSSL project patched a 16-year-old vulnerability that allows a man-in-the-middle attack against SSL/TLS traffic protected by OpenSSL. The open source project also patched several other vulnerabilities in the same release.
The most serious, known as the "CCS Injection" vulnerability (CVE-2014-0224), allows a man-in-the-middle attack because OpenSSL does not properly restrict when a ChangeCipherSpec message may be processed. An attacker who injects a ChangeCipherSpec into a vulnerable OpenSSL-to-OpenSSL connection before the key exchange has completed makes both ends derive their session keys from a zero-length master key, after which the attacker can decrypt or modify the traffic and hijack the session. The flaw dates back to the very first release of OpenSSL in 1998, yet it went unnoticed until researcher Kikuchi Masashi of Lepidum Co. Ltd. discovered it and disclosed it to OpenSSL on May 1, 2014.
All versions of OpenSSL are vulnerable to CCS Injection on the client side; on the server side, only OpenSSL 1.0.1 and 1.0.2-beta1 are known to be affected. To exploit the flaw, both the client and the server must be running vulnerable versions, and the attacker must sit on the network path between them, for example on the wireless network at an airport or Internet café.
Unlike Heartbleed, this vulnerability does not let attackers read private keys directly out of server memory. It does, however, expose everything sent over an affected connection, so if newly generated keys or other secrets are transferred over OpenSSL-protected traffic while an attacker is in position, those keys can be sniffed.
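The precondition described above, a server that accepts a ChangeCipherSpec before the key exchange, is something a practitioner can probe for directly. The script below is an added example, not code from OpenSSL, Lepidum or Mocana. Its decision rule is an assumption drawn from the OpenSSL fix: a patched server answers an early CCS with a fatal unexpected_message alert, while an unpatched one silently switches to keys derived from the empty master key, so the next plaintext record it receives fails its MAC check and draws a bad_record_mac or decryption_failed alert instead. The `probe()` function, the TLS 1.0 ClientHello it sends, the two-second read timeout and the default port 443 are all choices made for this example; the sample responses in the `__main__` block are constructed bytes, not captured traffic.

```python
# Added example (not OpenSSL's or Mocana's code): probe whether a TLS server accepts a
# ChangeCipherSpec (CCS) before the key exchange, the precondition for CVE-2014-0224.
# Decision rule (assumed from the OpenSSL fix): patched -> fatal unexpected_message alert on
# the first CCS; unpatched -> silence, then bad_record_mac/decryption_failed on a second CCS.
import os
import socket
import struct
import sys

CONTENT_CCS, CONTENT_ALERT, CONTENT_HANDSHAKE = 0x14, 0x15, 0x16
HS_SERVER_HELLO_DONE = 0x0E
ALERT_UNEXPECTED_MESSAGE, ALERT_BAD_RECORD_MAC, ALERT_DECRYPTION_FAILED = 10, 20, 21
TLS10 = b"\x03\x01"

def record(content_type, payload, version=TLS10):
    """Wrap payload in a TLS record header: type(1) version(2) length(2)."""
    return bytes([content_type]) + version + struct.pack(">H", len(payload)) + payload

def client_hello(cipher_suites=(0x002F, 0x0035, 0x000A)):
    """Minimal TLS 1.0 ClientHello offering three RSA cipher suites and no extensions."""
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body = (TLS10 + os.urandom(32) + b"\x00"          # version, random, empty session id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type 1, 24-bit length
    return record(CONTENT_HANDSHAKE, handshake)

def change_cipher_spec():
    return record(CONTENT_CCS, b"\x01")

def parse_records(data):
    """Split bytes into (content_type, payload) tuples; a trailing partial record is dropped."""
    out, i = [], 0
    while i + 5 <= len(data):
        ctype, length = data[i], struct.unpack(">H", data[i + 3:i + 5])[0]
        if i + 5 + length > len(data):
            break
        out.append((ctype, data[i + 5:i + 5 + length]))
        i += 5 + length
    return out

def saw_server_hello_done(data):
    """True once the server's handshake flight contains a ServerHelloDone message."""
    for ctype, payload in parse_records(data):
        if ctype != CONTENT_HANDSHAKE:
            continue
        j = 0
        while j + 4 <= len(payload):
            if payload[j] == HS_SERVER_HELLO_DONE:
                return True
            j += 4 + struct.unpack(">I", b"\x00" + payload[j + 1:j + 4])[0]
    return False

def alert_descriptions(data):
    """Alert description bytes found in data (alert payload is level, description)."""
    return [p[1] for t, p in parse_records(data) if t == CONTENT_ALERT and len(p) >= 2]

def classify(after_first_ccs, after_second_ccs):
    """Apply the decision rule to the bytes received after each CCS we sent."""
    if ALERT_UNEXPECTED_MESSAGE in alert_descriptions(after_first_ccs):
        return "patched"          # early CCS rejected, as the fix does
    second = alert_descriptions(after_second_ccs)
    if ALERT_UNEXPECTED_MESSAGE in second:
        return "patched"
    if ALERT_BAD_RECORD_MAC in second or ALERT_DECRYPTION_FAILED in second:
        return "vulnerable"       # server already switched to zero-length-master-key keys
    return "unknown"              # no OpenSSL-like reaction; do not guess

def recv_or_empty(sock, timeout=2.0):
    sock.settimeout(timeout)
    try:
        return sock.recv(65536)
    except (socket.timeout, ConnectionError):
        return b""

def probe(host, port=443):
    """Live check (needs network): handshake up to ServerHelloDone, then two early CCS records."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        s.sendall(client_hello())
        flight = b""
        while not saw_server_hello_done(flight):
            chunk = recv_or_empty(s, 5.0)
            if not chunk:
                return "unknown"  # closed or non-TLS-1.0 server; nothing to conclude
            flight += chunk
        s.sendall(change_cipher_spec())
        first = recv_or_empty(s)
        second = b""
        if not first:
            s.sendall(change_cipher_spec())
            second = recv_or_empty(s)
        return classify(first, second)

if __name__ == "__main__":
    # Constructed responses (not captured traffic) exercising the decision rule offline.
    print(classify(record(CONTENT_ALERT, bytes([2, ALERT_UNEXPECTED_MESSAGE])), b""))   # patched
    print(classify(b"", record(CONTENT_ALERT, bytes([2, ALERT_BAD_RECORD_MAC]))))        # vulnerable
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python ccs_probe.py host [port]` against a server you are authorized to test; with no arguments it only exercises the classifier on the constructed samples. The probe sends no key exchange and no application data, so it never completes a handshake, and it reports "unknown" rather than guessing for servers that are not OpenSSL-like (for example ones that refuse TLS 1.0 outright). Remember that the page's exploit preconditions still apply: a "vulnerable" server is only exploitable against a vulnerable OpenSSL client.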
Mocana makes a non-open-source SSL/TLS alternative, NanoSSL, that is not affected by this vulnerability. NanoSSL is purpose-built for efficiency and high performance, with support for TLS 1.2 and TLS certificate management. Mocana's KeyVPN client also does not use OpenSSL.
Additionally, several other OpenSSL flaws were reported on Thursday.
A DTLS recursion flaw (CVE-2014-0221) lets an attacker send an invalid DTLS handshake to an OpenSSL DTLS client and make the code recurse until it crashes, a denial-of-service attack. Only applications that use OpenSSL as a DTLS client are affected.
A buffer overrun (CVE-2014-0195) can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This one is potentially exploitable to run arbitrary code on the vulnerable client or server.
Another denial-of-service vulnerability (CVE-2014-0198) allows remote attackers to trigger a NULL pointer dereference in the do_ssl3_write function. This flaw only affects OpenSSL 1.0.0 and 1.0.1 with SSL_MODE_RELEASE_BUFFERS enabled, which is not the default state and not all that common.
A race condition (CVE-2010-5298) in the ssl3_read_bytes function might allow remote attackers to inject data across sessions or cause a denial of service. Like the previous flaw, it only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1 with SSL_MODE_RELEASE_BUFFERS enabled.
And finally, OpenSSL TLS clients that enable anonymous ECDH ciphersuites are subject to a denial-of-service attack (CVE-2014-3470).
All of these vulnerabilities have been patched by OpenSSL according to its official advisory; the fixed releases are 0.9.8za, 1.0.0m and 1.0.1h.