On June 5, less than two months after the disclosure of the Heartbleed bug, the OpenSSL Project published a security advisory revealing six new OpenSSL vulnerabilities. The most serious of these vulnerabilities is a ChangeCipherSpec (CCS) injection flaw that affects every version of OpenSSL.
Discovered by researcher Masashi Kikuchi at Lepidum Co. Ltd., the CCS injection flaw (CVE-2014-0224) enables a man-in-the-middle attack in which malicious users can decrypt and modify traffic sent between the client and the server. For the attack to succeed, both the client and the server must be vulnerable. While all versions of OpenSSL are vulnerable when acting as an SSL client, only OpenSSL versions 1.0.1 and 1.0.2-beta1 are vulnerable when deployed as an SSL server.
Implications of CCS Injection
While not as easy to exploit as the Heartbleed bug, the CCS injection flaw poses a serious security risk. As a result, IT and security administrators, fresh off upgrading scores of servers and devices for Heartbleed, will need to repeat their efforts to mitigate CCS injection risks.
Although these flaws are not related to Heartbleed, the heightened attention that Heartbleed brought to the OpenSSL Project no doubt led to greater scrutiny of OpenSSL and contributed to the host of new vulnerabilities disclosed on June 5th. In fact, Masashi Kikuchi reported, “When Heartbleed arose, everyone talked about how to prevent similar bugs… [I tried to] show the correctness of the implementation at a glance.”
Therefore, the recent OpenSSL security advisory should not surprise most networking and security professionals, and organizations should prepare for future OpenSSL bugs as more researchers turn their sights on OpenSSL.
Take the Risk out of Encryption Management
With the CCS injection flaw following close on the heels of April’s Heartbleed disclosure, organizations have had to invest an inordinate amount of time patching their servers. Because these servers may host different operating systems with different SSL libraries, IT and networking administrators must spend time testing, patching, and retesting their applications.
One way organizations in the Middle East can safeguard their vulnerable applications–and greatly reduce the time spent on fire drills in the future–is to terminate SSL traffic on their application delivery controllers (ADCs). Offloading SSL traffic not only reduces the application server load, it also lowers operations costs because administrators do not need to manage SSL certificates on each individual server. And in the event of a vulnerability outbreak, administrators can avoid patching each individual server.