OpenSSL Patch Issued To Prevent Another Heartbleed

Tom Jowitt,

New flaws in OpenSSL detected and quickly patched to prevent another Heartbleed vulnerability

The ghost of the pernicious “Heartbleed” menace has made another appearance, following the discovery of fresh flaws in the OpenSSL Web encryption protocol.

The bugs could be exploited to allow hackers to spy on communications.

New Vulnerabilities

The new vulnerabilities came to light this week after the OpenSSL Project issued an update that contained seven security fixes.

Heartbleed T-ShirtExperts recommend that the update should be installed as quickly as possible. But there is also some concern because companies might need to conduct adequate testing of the update first.

“The dust has barely settled on Heartbleed, yet here we are hit with another major vulnerability,” blogged Nicholas Percoco, VP of Strategic Services at Rapid7. “The not-yet-catchily-named OpenSSL flaw allows spying on encrypted SSL/TLS communications, if the attacker can pull off a man-in-the-middle position.”

“The most discussed vulnerability is CVE-2014-0224, through which an eavesdropper can reduce the strength of the encryption through a Man-in-the-Middle (MITM) attack, putting the content of the transmitted data at risk,” said Percoco. “However, there are other vulnerabilities in the advisory that could be used for denial of service (DoS) attacks or remote code execution.”

Significant Threat

“These are significant threats, although harder to exploit than the recent Heartbleed vulnerabilities in OpenSSL,” Percoco warned.

“The newly disclosed MITM vulnerability (CVE-2014-0224) affects all OpenSSL clients and devices that communicate with vulnerable servers,” he wrote. “While all OpenSSL client versions are vulnerable, only the most recent OpenSSL server versions are affected. In order for the vulnerability to be exploited, both the client and the server must be vulnerable.”

“The second vulnerability (CVE-2014-0221) is likely only a Denial of Service (DoS) attack that would not expose encrypted data,” said Percoco. “Rapid7 rates it as a low threat generally, high for critical services.”

The “Heartbleed” bug was discovered in April, potentially exposing users of websites that adopted OpenSSL encryption for the past two years. It gave hackers the ability to steal large quantities of data without leaving a trace, however such attacks were not observed in the wild.

The crisis highlighted the fact that many open source technologies, while widely used, do not receive funding in line with their importance.

Are you a security pro? Try our quiz!