Just two months ago OpenSSL took a huge blow announcing the Heartbleed bug, that allowed attackers to extract private keys from servers and decrypt data such as passwords, credit cards, social security numbers, amongst several other highly sensitive credentials.
Once again the OpenSSL foundation has issued a security update that will patch six new vulnerabilities, two of the patches are critical.
One of the two critical vulnerabilities (CVE-2014-0224) inside OpenSSL is “CSS Injection“, a vulnerability that resides in ChangeCipherSpec (CCS) requests sent during the handshake, the vulnerability could allow an attacker to perform a man-in-the-middle attack against the encrypted connections of a server and client.
Exploitation of the vulnerability would mean an attacker could hijack encrypted connections and decrypt them, meaning attackers could read and abuse the data. Reports of the flaw say the vulnerability is only exploitable if both the server and client are vulnerable to the issue.
Stated by the OpenSSL advisory, “An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers.” All versions of OpenSSL are vulnerable on the client side. Only versions 1.0.1 and above are known to be vulnerable on the servers side. VPN providers who offer SSL connections are believed to be susceptible to the vulnerability.
The OpenSSL CSS injection vulnerability was discovered by Japanese security researcher, Masashi Kikuchi, from Lepidum security firm. According to Kikuchi, the bug has existed since the very first release of OpenSSL.
The second critical vulnerability is the DTLS invalid fragment vulnerability (CVE-2014-0195). Sending invalid DTLS fragments to an OpenSSL DTLS client or server is reported to lead to a buffer overrun attack. The bug was marked as a critical vulnerability.
The third vulnerability of the six is DTLS recursion flaw (CVE-2014-0221). This vulnerability allows a remote attacker can send an invalid Datagram Transport Layer Security (DTLS) handshake to an OpenSSL DTLS client, this will force the code to recurse eventually crashing in a Denial of Service attack. The attack is limited to applications using OpenSSL as a DTLS client.
DTLS is mainly utilized in VoIP and other sets of communications. Chrome and FireFox web browsers also support DTLS for Web Real-Time Communication (WebRTC) for peer-to-peer file sharing and VoIP calls and video chats.
Other important OpenSSL vulnerabilities uncovered were:
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198), this allows remote attackers to cause a denial of service via a NULL pointer dereference.
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298), allows remote attackers to inject data across sessions or cause a denial of service attack.
Anonymous ECDH denial of service (CVE-2014-3470), OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.
Positive news regarding the vulnerabilities is that none were as severe as the Heartbleed bug. Patched versions of OpenSSL 0.9.8za, 1.0.0m and 1.0.1h are available for download. OpenSSL foundation urges its users to update their software right away.