TZCERT-2014-03: Vulnerability Alert
OpenSSL Vulnerability by Man in The Middle (MITM) attack
Date of First Release: 09-06-2014
Source: US-CERT, OpenSSL
OS Affected: Fedora Project, FreeBSD Project, Debian GNU/Linux, OpenSSL, Red Hat, Inc., Ubuntu.
Overview: A carefully crafted handshake can be used by an attacker to force the use of weak keying material in OpenSSL SSL/TLS clients and servers.
Description: The OpenSSL Project has released updates for OpenSSL 0.9.8, 1.0.0 and 1.0.1 to fix vulnerabilities that could allow an attacker to use weak keying material in OpenSSL SSL/TLS clients and servers.
Impact: The vulnerability, when exploited through a "Man In The Middle" (MITM) attack, could allow an attacker to decrypt and modify the traffic between the attacked client and server.
Solution: Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
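The following POSIX shell script is an added example and is not part of the TZCERT or OpenSSL advisories. It maps an OpenSSL version string (either a bare version such as "1.0.1g" or the full output of the `openssl version` command) onto the three fixed releases named above, so an administrator can tell at a glance whether a host still needs the upgrade. The function names (`parse_version`, `suffix_cmp`, `openssl_version_status`, `check_installed_openssl`) are this example's own. It relies on the OpenSSL patch-letter ordering a..z, za, zb, ..., so a longer letter suffix is always the newer release.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an OpenSSL version
# against the fixed releases 0.9.8za, 1.0.0m and 1.0.1h.

# Reduce "OpenSSL 1.0.1g 7 Apr 2014" or "1.0.1h-fips" to "1.0.1g" / "1.0.1h".
parse_version() {
    v=${1#OpenSSL }     # drop the program name if `openssl version` output was passed
    v=${v%% *}          # drop the build date that follows the version
    v=${v%%-*}          # drop "-fips" / "-beta1" style decorations
    printf '%s\n' "$v"
}

# Compare two patch-letter suffixes ("" < "a" < ... < "z" < "za" < "zb").
# A longer suffix is newer; equal-length suffixes compare alphabetically.
# Prints -1, 0 or 1.
suffix_cmp() {
    a=$1; b=$2
    la=${#a}; lb=${#b}
    if [ "$la" -lt "$lb" ]; then printf '%s\n' -1
    elif [ "$la" -gt "$lb" ]; then printf '%s\n' 1
    elif [ "$a" = "$b" ]; then printf '%s\n' 0
    elif [ "$(expr "$a" \< "$b")" = 1 ]; then printf '%s\n' -1
    else printf '%s\n' 1
    fi
}

# Print "vulnerable", "fixed" or "not-covered" for the given version string.
# "not-covered" means the branch is not one of the three the advisory lists.
openssl_version_status() {
    v=$(parse_version "$1")
    branch=$(printf '%s' "$v" | sed 's/[a-z]*$//')   # numeric part, e.g. 1.0.1
    suffix=${v#"$branch"}                             # letter part, e.g. g
    case "$branch" in
        0.9.8) fixed=za ;;
        1.0.0) fixed=m ;;
        1.0.1) fixed=h ;;
        *) printf '%s\n' not-covered; return 0 ;;
    esac
    if [ "$(suffix_cmp "$suffix" "$fixed")" -lt 0 ]; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' fixed
    fi
}

# Classify the OpenSSL binary found on PATH, if any.
check_installed_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        printf '%s\n' 'openssl not found'
        return 2
    fi
    openssl_version_status "$(openssl version)"
}

# Usage: ./check_openssl.sh 1.0.1g "OpenSSL 0.9.8y 5 Feb 2013" ...
# With no arguments nothing is classified; call check_installed_openssl
# for the local binary.
for arg in "$@"; do
    printf '%s: %s\n' "$arg" "$(openssl_version_status "$arg")"
done
```

One caveat worth keeping in mind when using a version check like this: several distributions (Debian and Red Hat among them) backport security fixes without changing the upstream version string, so a host running a distribution-patched 1.0.1e may be fixed even though the script reports "vulnerable". Treat the result as a prompt to confirm with the distribution's package changelog or its own advisory rather than as the final word.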
References:
https://www.openssl.org/news/secadv_20140605.txt
http://www.kb.cert.org/vuls/id/978508