Sunday, June 8, 2014

RedHat Alert: OpenSSL CCS Injection Vulnerability (CVE-2014-0224) Alert

Taken from OpenSSL CCS Injection Vulnerability (CVE-2014-0224) Alert which came out yesterday.


Red Hat was recently notified of a vulnerability affecting all versions of OpenSSL shipped with Red Hat products. CVE-2014-0224 could allow for a man-in-the-middle attack against an encrypted connection.
SSL/TLS connections typically allow for encrypted traffic to pass between two parties where only the intended senders and recipients can decrypt data. In the event of a man-in-the-middle attack, an attacker could intercept an encrypted data stream allowing them to decrypt, view and then manipulate said data.
The vulnerability can only be exploited if both server and client are vulnerable to this issue. In the event that one of the two is vulnerable, there is no risk of exploitation.

NOTE: This vulnerability cannot be used to extract server or client side key material. This means that existing signed certificates do not need replacement once software is updated.


How does this impact systems

This issue affects products using OpenSSL in one of two scenarios:

OpenSSL version 1.0.1 and higher

Products Affected:
Red Hat Enterprise Linux 6.5, Red Hat Storage 2.1, Red Hat Enterprise Virtualization
All users running OpenSSL 1.0.1 and higher are impacted. It is recommended that all users of this version update to the latest release in order to remediate this vulnerability.

OpenSSL below 1.0.1

Products Affected:
Red Hat Enterprise Linux 6.4 and earlier, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 4, Red Hat JBoss Middleware
The vulnerability only affects the OpenSSL clients. Servers running OpenSSL versions below 1.0.1 are not vulnerable to this issue. Clients using OpenSSL versions below 1.0.1 connecting to servers running OpenSSL versions 1.0.1 and higher are vulnerable and should be updated.

Frequently Asked Questions

This FAQ is for the vulnerability CVE-2014-0224 in OpenSSL, also known as "CCS Injection"

Is this issue the same as HeartBleed?

No, this a new issue discovered in OpenSSL that could result in a man-in-the-middle attack. See the explanation above for full details

Is this issue worse than HeartBleed?

HeartBleed allowed anyone on the internet to exploit vulnerable servers. This issue requires an attacker to intercept and alter network traffic in real time in order to exploit the flaw. This reduces the risk that this vulnerability can be exploited but does not make it impossible, updating should be a primary remediation focus regardless of the difficulty in leveraging the exploit.

Do I need to regenerate any certificates?

No, this issue does not result in certificate or private key information leaking.

How can I tell if I'm vulnerable to this issue? Is it possible to test remotely for the presence of this issue?

All versions of OpenSSL are vulnerable to this issue. Review the relevant solution for your product:
Red Hat Enterprise Linux
Red Hat Enterprise Virtualization
Red Hat JBoss Middleware
Red Hat Storage
Red Hat Access Labs has released the CCS Injection Detector to you validate your systems have been patched against this vulnerability.

How can I verify the update is working properly?

You can use the Access Labs CCS Injection Detector to verify the update has been applied successfully.

Is there a way to mitigate this issue without an update?

There is no known mitigation for this issue. The only way to fix it is to install updated OpenSSL packages and restart affected services.

Does this issue affect other TLS libraries?

Red Hat has reviewed the NSS and GnuTLS libraries for this issue. We have determined that these libraries are not affected by this specific issue.

Do I need to update my OpenSSL package, even if I am not running version 1.0.1?

Red Hat suggests everyone updates their OpenSSL packages regardless of the version they are using. See above for further details

Is this issue being exploited in the wild?

At the time the issue was made public, we were not aware of any public exploits for this issue or that it is being exploited in the wild. We believe an exploit could be written for this issue, however exploitation requires the attacker to intercept and alter network traffic in real time.

When did Red Hat find out about this issue?

The OpenSSL team was notified about this issue on May 1, 2014, and contacted Red Hat and other OS distributions on June 2, 2014. This issue was made public on June 5, 2014.

What can an attacker actually do with this issue?

This issue could allow an attacker to conduct a man-in-the-middle attack against a vulnerable OpenSSL client communicating with a vulnerable OpenSSL server. The attacker could then potentially view or modify the secured traffic. The attacker would need a way to access network traffic between the communicating parties and alter it. This OpenSSL issue alone does not provide such level of access to network traffic.

Why do Red Hat's security advisories list multiple CVE IDs?

OpenSSL is fixing several issues with their latest update. Red Hat's updates fix the issues as relevant to our various versions of OpenSSL. This issue has been singled out as the most serious and we are providing additional information.

No comments: