There is a new exploit in OpenSSL that can allow a man-in-the-middle (MITM) to intercept and decrypt traffic and modify traffic between the vulnerable client and server, according to an OpenSSL advisory.

The attack can only be performed between a vulnerable client and server. According to the advisory, all OpenSSL clients are vulnerable where servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. However, users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

The vulnerable piece of code, which has existed nearly unchanged since 1998, should have been found earlier, according to Masashi Kikuchi, the Japanese researcher who discovered the vulnerability.

“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation. If the reviewers had enough experiences, they should have been verified OpenSSL code in the same way they do their own code. They could have detected the problem,” Kikuchi wrote on how he discovered the vulnerability.

“Fuzzing may have worked. However, as the history (see below) shows, knowledge of TLS/SSL implementation seems vital.”

The bug, which was reported on May 1, 2014, comes in the wake of the OpenSSL Heartbleed vulnerability. That exploit was considered very serious, impacting a vast number of diverse systems. Heartbleed caused a firestorm and led to widespread discussion not only in the security community but as well as the mainstream with people being encouraged to immediately change passwords.

Notes in the open source code forum indicate that this faulty code was introduced by Robin Seggelmann the same person responsible for the Heart Bleed bug.

Leave a Reply