The OpenSSL team released a critical security update today. The update patches 6 flaws. 1 of the flaws (CVE-2014-0195) may lead to arbitrary code execution. [1]
All versions of OpenSSL are vulnerable to CVE-2014-0195, but this vulnerability only affects DTLS clients or servers (look for SSL VPNs... not so much HTTPS).
I also rated CVE-2014-0224 critical, since it does allow for MiTM attacks, one of the reasons you use SSL. But in order to exploit this issue, both client and server have to be vulnerable, and only openssl 1.0.1 is vulnerable on servers (which is why I stuck with "important" for servers). The discoverer of this vulnerability released details here: http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html .
CVE-2010-5298 does allow third parties to inject data into existing SSL connections. This could be a big deal, but according to the OpenSSL advisory, the SSL_MODE_RELEASE_BUFFERS feature is usually not enabled.
Make sure you update to one of these OpenSSL versions:
OpenSSL 0.9.8za (openssl ran out of letters, so instead of calling this one 'z' they call it 'za' to allow for future releases. However, this *may* be the last 0.9.8 release).
OpenSSL 1.0.0m
OpenSSL 1.0.1h
| CVE | Name | Impact | Vulnerable Versions | Client | Server |
| CVE-2014-0224 | SSL/TLS MITM Vulnerability | MiTM | Server: 1.0.1, Client: 0.9.8,1.0.0,1.0.1 (both have to be vulnerable) | Critical | Important |
| CVE-2014-0221 | DTLS recursion flaw | DoS | 0.9.8,1.0.0,1.0.1 | Important | Not Affected |
| CVE-2014-0195 | DTLS invalid fragment vulnerability | Code Exec. | 0.9.8,1.0.0,1.0.1 | Critical | Critical |
| CVE-2014-0198 | SSL_MODE_RELEASE_BUFFERS NULL pointer dereference | DoS | 1.0.0,1.0.1 (neither affected in default config) | Important | Important |
| CVE-2010-5298 | SSL_MODE_RELEASE_BUFFERS session injection | DoS or Data Injection | 1.0.0, 1.0.1 (in multithreaded applications, not in default config) | Important | Important |
| CVE-2014-3470 | Anonymous ECDH Denial of Service | DoS | 0.9.8, 1.0.0, 1.0.1 | Important | Not Affected |
Vendor Information:
| Redhat | https://rhn.redhat.com/errata/RHSA-2014-0625.html https://rhn.redhat.com/errata/RHSA-2014-0626.html |
| Ubuntu | http://www.ubuntu.com/usn/usn-2232-1/ |
| FreeBSD | http://www.freebsd.org/security/advisories/FreeBSD-SA-14:14.openssl.asc |
[1] https://www.openssl.org/news/secadv_20140605.txt
---
'취약점 정보1' 카테고리의 다른 글
| Adobe Flash Player 업데이트 권고 (0) | 2014.06.11 |
|---|---|
| SSL/TLS MITM vulnerability (CVE-2014-0224) (0) | 2014.06.06 |
| TR-24 Analysis - Destory RAT family (0) | 2014.06.04 |
| Exploiting CVE-2014-0196 a walk-through of the Linux pty race condition PoC (0) | 2014.06.04 |
| 2014-06-04 취약점 정리 (0) | 2014.06.04 |