News

By Chris Tribbey

Just a few months after the discovery of the Heartbleed bug — a long-undetected security hole in the open-source OpenSSL encryption technology — even more problems have been discovered with the encryption protocol, which is widely used by online businesses.

Technology vulnerability testing company Independent Security Evaluators (ISE) has pinpointed what it believes to be the most distressing SSL flaw to be uncovered of late: OpenSSL’s ChangeCipherSpec (CCS) Injection vulnerability (technically: CVE-2014-0224).

“It’s a vulnerability everyone should be keeping a close eye on,” said Stephen Bono, ISE’s founder and principal security analyst. “For media and entertainment companies the concern is about their content being shared [via] unencrypted links.”

This latest flaw allows an attacker in an active man-in-the-middle (MitM) position to “decrypt and/or modify data that is supposed to be protected by SSL/TLS. The attack requires both the client and server to be using vulnerable versions of OpenSSL,” ISE noted.

However, Bono said, this latest flaw isn’t nearly as upsetting as Heartbleed, which affected an estimated two-thirds of Web servers on the Internet, and compromised everything from passwords to credit card numbers.

The CCS Injection vulnerability doesn’t properly restrict processing of CCS messages, opening the door for MitM attackers to hijack sessions and obtain sensitive information. “They may not even realize it’s happening,” Bono said of companies unaware of the flaw.

“The implementation flaw in vulnerable versions of OpenSSL accepts a CCS message prior to setting up security parameters,” ISE warns. “Normally, an SSL/TLS library would detect that the CCS message was received out of sequence, and would break the connection. However, all versions of OpenSSL prior to CVE-2014-0224 failed to do so.”

While this latest SSL flaw is disconcerting, it’s not nearly comparable to the widespread data abuse allowed by Heartbleed: A CCS Injection vulnerability attack requires both the client and server to be using vulnerable versions of OpenSSL; and the client must be running OpenSSL versions prior to 1.0.1h, 1.0.0m, or 0.9.8za, and the server must be running OpenSSL versions 1.0.1 through 1.0.1g, or 1.0.2-beta1. Website administrators can check whether or not their servers are vulnerable to CCS Injection vulnerability here.

“The severity of this is high, but not critical. And Heartbleed was critical,” Bono stressed. “But [this isn’t] something that should be overlooked.”