Scribd Logo
Încărcați

Bine ați venit la Scribd!

  • OpenSSL Vulnerable To Man-In-The-Middle Attack and Several Other Bugs - The Hacker News

    Încărcat de

    Adnan Hashmi
    74 vizualizări3 pagini
    OpenSSL Foundation has issued software updates to patch six new vulnerabilities. Two of them are critical. An attacker could perform a MAN-IN-THE-MIDDLE ATTACK against the encrypted connection servers and clients. Only 1.0. And above are currently known to be vulnerable on the server side.

    Descriere originală:

    Titlu original

    OpenSSL Vulnerable to Man-In-The-Middle Attack and Several Other Bugs - The Hacker News

    Drepturi de autor

    © © All Rights Reserved

    Formate disponibile

    PDF, TXT sau citiți online pe Scribd

    Vi se pare util acest document?

    Este necorespunzător acest conținut?

    Raportați acest document
    OpenSSL Foundation has issued software updates to patch six new vulnerabilities. Two of them are critical. An attacker could perform a MAN-IN-THE-MIDDLE ATTACK against the encrypted connection servers and clients. Only 1.0. And above are currently known to be vulnerable on the server side.

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    74 vizualizări3 pagini

    OpenSSL Vulnerable To Man-In-The-Middle Attack and Several Other Bugs - The Hacker News

    Încărcat de

    Adnan Hashmi
    OpenSSL Foundation has issued software updates to patch six new vulnerabilities. Two of them are critical. An attacker could perform a MAN-IN-THE-MIDDLE ATTACK against the encrypted connection servers and clients. Only 1.0. And above are currently known to be vulnerable on the server side.

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    din 3

    6/9/2014 OpenSSL Vulnerable to Man-in-the-Middle Attack and Several Other Bugs - The Hacker News

    http://thehackernews.com/2014/06/openssl-vulnerable-to-man-in-middle.html 1/3
    e.g. Hacking Facebook
    OpenSSL Vulnerable to Man-in-the-Middle Attack and
    Several Other Bugs
    Thursday, June 05, 2014 Mohit Kumar

    Remember OpenSSL Heartbleed vulnerability? Several weeks ago, the exposure of this security bug chilled the
    Internet, revealed that millions of websites were vulnerable to a flaw in the OpenSSL code which they used to encrypt their
    communications.
    Now once again the OpenSSL Foundation has issued software updates to patch six new vulnerabilities, and two of them
    are critical.
    MAN-IN-THE-MIDDLE ATTACK (CVE-2014-0224)
    First critical vulnerability (CVE-2014-0224) in OpenSSL is "CCS Injection" - resides in ChangeCipherSpec (CCS)
    request sent during the handshake that could allow an attacker to perform a man-in-the-middle attack against the
    encrypted connection servers and clients.
    By exploiting this vulnerability an attacker could intercept an encrypted connection which allows him to decrypt, read or
    manipulate the data. But the reported flaw is exploitable only if both server and client are vulnerable to this issue.
    According to the OpenSSL advisory, "An attacker using a carefully crafted handshake can force the use of weak
    keying material in OpenSSL SSL/TLS clients and servers." All versions of OpenSSL are vulnerable on the client side.
    Only 1.0.1 and above are currently known to be vulnerable on the server side. SSL VPN (virtual private network)
    products are believed to be especially vulnerable to this flaw.
    Popul ar Stories
    Linux Kernel Vulnerable to
    Privilege Escalation and DoS
    Attack
    OpenSSL Vulnerable to Man-in-
    the-Middle Attack and Several
    Other Bugs
    Google offers Chrome Extension
    for End-To-End Gmail Encryption
    Cryptowall Ransomware
    Spreading Rapidly through
    Malicious Advertisements
    iOS 8 Safari Browser Can Read
    Your Credit Card Details Using
    Device Camera
    Join 'Reset The Net' Global
    Movement to Shut Off NSA
    Surveillance
    New Ransomware Malware takes
    +1,211,785 140,100 268,300

    1.2M Follow 273k Like
    Stop DNS Attacks for ISPs
    nominum.com/stop-amplification
    DNS Amplification Attacks Demand New Prevention Tools For Protection

    201 1k Like 1336 572 4 Reddit 11 2214
    Hacking News Malwares Cyber Attack Vulnerabilities Hacking Groups Spying
    6/9/2014 OpenSSL Vulnerable to Man-in-the-Middle Attack and Several Other Bugs - The Hacker News
    http://thehackernews.com/2014/06/openssl-vulnerable-to-man-in-middle.html 2/3
    Join Our Security Newsletter
    OpenSSL CCS Injection vulnerability is discovered by a Japanese security researcher, Masashi Kikuchi from Lepidum
    security firm. According to him this bug was existed since the very first release of OpenSSL. RedHat also posted a detailed
    explanation about this bug on their security blog.
    DTLS invalid fragment vulnerability (CVE-2014-0195): Sending invalid DTLS fragments to a OpenSSL DTLS client
    or server can lead to a buffer overrun attack. A potential hacker could exploit this flaw to run arbitrary code on a
    vulnerable client or server. This vulnerability also marked as critical bug.
    DTLS recursion flaw (CVE-2014-0221): A remote attacker can send an invalid DTLS (Datagram Transport Layer
    Security) handshake to an OpenSSL DTLS client, which will force the code to recurse eventually crashing in a DoS attack.
    This attack is limited to the applications using OpenSSL as a DTLS client.
    DTLS mainly used in VOIP and other communication related applications like Cisco Systems AnyConnect VPN Client.
    Chrome and Firefox web browser also support DTLS for WebRTC (Web Real-Time Communication) for P2P file
    sharing and Voice/Video Chats.
    Other important OpenSSL vulnerabilities are:
    SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198), allows remote attackers
    to cause a denial of service via a NULL pointer dereference.
    SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298), allows remote
    attackers to inject data across sessions or cause a denial of service.
    Anonymous ECDH denial of service (CVE-2014-3470), OpenSSL TLS clients enabling anonymous ECDH
    (Elliptic Curve Diffie Hellman) ciphersuites are subject to a denial of service attack.
    But the good news is that these vulnerabilities are not as critical as Heartbleed bug. The patched versions 0.9.8za, 1.0.0m
    and 1.0.1h are available on the project website to download and The OpenSSL Foundation is urging companies to update
    their implementation as soon as possible.
    Follow 'Mohit Kumar' on Google+, Twitter or Facebook or Contact via Email.
    CVE-2014-0224, Hacking News, Heartbleed Bug, Man-In-The-Middle, OpenSSL, Vulnerability
    Email address Sign Up!
    Latest Stories
    iOS 8 Safari Browser Can Read Your Credit Card Details Using Device Camera
    Linux Kernel Vulnerable to Privilege Escalation and DoS Attack
    Cryptowall Ransomware Spreading Rapidly through Malicious
    Advertisements
    Vodafone Reveals Some Governments Have Direct
    Access to Their Data Centers
    Microsoft to Patch Critical Internet
    Explorer Zero-Day Vulnerability Next
    Tuesday
    OpenSSL Vulnerable to
    Man-in-the-Middle
    Attack and Several
    Other Bugs
    Comments
    Advantage of Windows
    PowerShell
    Apple's New Swift Programming
    Language for iOS And OS X
    Apps. Goodbye Objective-C
    First Android Ransomware that
    Encrypts SD Card Files
    Vodafone Reveals Some
    Governments Have Direct
    Access to Their Data Centers
    Recommended Stories
    273k Like
    WordPress Cookie Flaw Lets Hackers Hijack
    Your Account
    730 people recommend this.
    Latest Kali Linux 1.0.7 Offers Persistent
    Encrypted Partition on USB Stick
    12 people recommend this.
    Hacking Cable TV Networks to Broadcast
    Your Own Video Channel
    1,587 people recommend this.
    ProtonMail: 'NSA-Proof' End-to-End Encrypted
    Email Service
    755 people recommend this.
    Developers Raise Bounty of $17,600 for First
    to Root Samsung Galaxy S5
    522 people recommend this.
    Mozilla to Provide WebRTC-based Free
    Firefox To Firefox Voice and Video Calling
    feature
    678 people recommend this.
    iOS 8 Safari Browser Can Read Your Credit
    Card Details Using Device Camera
    478 people recommend this.
    Facebook social plugin
    6/9/2014 OpenSSL Vulnerable to Man-in-the-Middle Attack and Several Other Bugs - The Hacker News
    http://thehackernews.com/2014/06/openssl-vulnerable-to-man-in-middle.html 3/3
    Join us
    The Hacker News
    + 1,215,114
    Follow +1
    Join Our Security Newsletter!
    Enter Email address...
    Submit
    Mobile Hacking Facebook Malwares Privacy Surveillance
    DDoS Attack Android Hacking Ransomware Credit Card Zero Day
    iOS Hacking Encryption Antivirus Bitcoin NSA
    Vulnerability Bug Bounty Espionage Anonymous Cyber Attack
    Categories
    About | THN Magazine | The Hackers Conference | LinkedIn | Advertise on THN | Our Authors | Submit News | Privacy Policy | Contact

    S-ar putea să vă placă și