New Bug Found In Widely Used OpenSSL Encryption


Posted

Security experts are still trying to plug the hole left by Heartbleed, the bug found in the widely used OpenSSL encryption protocol, with some 12,000 popular domains still vulnerable, according to AVG Virus Labs.

 

Now they have something else to worry about. On Thursday, the OpenSSL Foundation issued a warning to users about a decade-old bug that makes it possible for an attacker to conduct a so-called man-in-the-middle attack on traffic encrypted with OpenSSL. The advisory warns users that someone could use the bug to intercept an encrypted connection, decrypt it, and read the traffic.

 

Users of OpenSSL are advised to deploy a new patch and upgrade to the latest version of OpenSSL software. The bug was initially discovered by Masashi Kikuchi, a Japanese researcher at Lepidum, a software firm. “Attackers can eavesdrop and make falsifications on your communication when both of a server and a client are vulnerable,” reads an FAQ on Lepidum’s website.

 

Unlike Heartbleed, which could be used to directly exploit any server using OpenSSL, this new bug requires that the attacker be located between two computers communicating. A likely target, for example, would be someone using an airport’s public Wi-Fi.

 

The new bug was introduced into OpenSSL when it was first released in 1998, more than 10 years before Heartbleed, which was first introduced in a code update on New Year’s Eve in 2011.

 

The fact that the new bug went undetected for so long is another black mark on the management of OpenSSL. The encryption method is open source, meaning it can be reviewed and updated by anyone. Because of that, it is considered more secure and more trustworthy than proprietary code vetted by just one company’s engineers.

 

But, in reality, OpenSSL had only one full-time developer and three “core” volunteer programmers in Europe, and operated on a budget of $2,000 in annual donations. This, despite the fact that OpenSSL is used to encrypt the majority of the world’s web servers and widely used by technology companies such as Amazon and Cisco.

 

Following the Heartbleed discovery, major companies, including Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, Qualcomm and VMWare, each pledged $100,000 a year over the next three years to the Core Infrastructure Initiative, a new open source initiative organized by the Linux Foundation to support crucial open-source infrastructure, like OpenSSL.

Posted

In one line, please

Posted

In one line, please

 

Apart from the Heartbleed bug... another bug has been found in OpenSSL.... which hackers can use to eavesdrop on traffic

Posted

They didn't say what that bug is, what's up with that, man? They're just saying there's a bug....... update to the latest version, that's all

Posted

They didn't say what that bug is, what's up with that, man? They're just saying there's a bug....... update to the latest version, that's all

 

"that makes it possible for an attacker to conduct a so-called man-in-the-middle attack on traffic encrypted with OpenSSL. The advisory warns users that someone could use the bug to intercept an encrypted connection, decrypt it, and read the traffic."

Posted

interesting ... 

 

Things like this have become more frequent lately .. even eBay has been sending mails for the past month .. saying change your passcode, a security breach happened ..

Posted

interesting ... 

 

Things like this have become more frequent lately .. even eBay has been sending mails for the past month .. saying change your passcode, a security breach happened ..

 

eBay's servers got hacked.. that's why they asked you to change it....

Posted

"that makes it possible for an attacker to conduct a so-called man-in-the-middle attack on traffic encrypted with OpenSSL. The advisory warns users that someone could use the bug to intercept an encrypted connection, decrypt it, and read the traffic."

This is what hacking means, isn't it, man..... what is that bug loophole? How did it help hackers to intrude?

Posted

eBay's servers got hacked.. that's why they asked you to change it....

 

yes ... 

 

They even mentioned that it was the servers where the passwords are stored .. do they usually give users such clear details about hacked stuff?

Posted

This is what hacking means, isn't it, man..... what is that bug loophole? How did it help hackers to intrude

 

Ask the hack3r ! :D 

Posted

This is what hacking means, isn't it, man..... what is that bug loophole? How did it help hackers to intrude?

 

The bug details are here, take a look...

 

http://www.openssl.org/news/secadv_20140605.txt

 

=======================================================================================================

OpenSSL Security Advisory [05 Jun 2014]
========================================

SSL/TLS MITM vulnerability (CVE-2014-0224)
===========================================

An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and 
modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
researching this issue.  This issue was reported to OpenSSL on 1st May
2014 via JPCERT/CC.

The fix was developed by Stephen Henson of the OpenSSL core team partly based
on an original patch from KIKUCHI Masashi.

DTLS recursion flaw (CVE-2014-0221)
====================================

By sending an invalid DTLS handshake to an OpenSSL DTLS client the code
can be made to recurse eventually crashing in a DoS attack.

Only applications using OpenSSL as a DTLS client are affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.  This
issue was reported to OpenSSL on 9th May 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.

DTLS invalid fragment vulnerability (CVE-2014-0195)
====================================================

A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Only applications using OpenSSL as a DTLS client or server affected.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

Thanks to Jüri Aedla for reporting this issue.  This issue was
reported to OpenSSL on 23rd April 2014 via HP ZDI.

The fix was developed by Stephen Henson of the OpenSSL core team.

SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
=================================================================

A flaw in the do_ssl3_write function can allow remote attackers to
cause a denial of service via a NULL pointer dereference.  This flaw
only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is
enabled, which is not the default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public.  The fix was developed by
Matt Caswell of the OpenSSL development team.

SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
===============================================================================
 
A race condition in the ssl3_read_bytes function can allow remote
attackers to inject data across sessions or cause a denial of service.
This flaw only affects multithreaded applications using OpenSSL 1.0.0
and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the
default and not common.

OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

This issue was reported in public.  

Anonymous ECDH denial of service (CVE-2014-3470)
================================================

OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
denial of service attack.

OpenSSL 0.9.8 users should upgrade to 0.9.8za
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 1.0.1 users should upgrade to 1.0.1h.

Thanks to Felix Gröbert and Ivan Fratrić at Google for discovering this
issue.  This issue was reported to OpenSSL on 28th May 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.

Other issues
============

OpenSSL 1.0.0m and OpenSSL 0.9.8za also contain a fix for
CVE-2014-0076: Fix for the attack described in the paper "Recovering
OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
Reported by Yuval Yarom and Naomi Benger.  This issue was previously
fixed in OpenSSL 1.0.1g.


References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20140605.txt

Note: the online version of the advisory may be updated with additional
details over time.
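
A version check built from the upgrade targets in the advisory quoted above, as an added example that is not part of the original post or of OpenSSL's own code. The function names and the sample inventory are hypothetical, and the check covers only the branches the advisory names.

```python
import re

# Fixed releases per branch, taken from the 05 Jun 2014 advisory above.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}
_VER = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)(?:-([a-z0-9]+))?")

def parse(text):
    """Return (branch, letters, tag) from '1.0.1g' or full `openssl version` output."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version in {text!r}")
    return m.group(1), m.group(2), m.group(3)

def letter_key(letters):
    # Patch letters run a..z, then za, zb, ...: order by length, then alphabetically.
    return (len(letters), letters)

def is_patched(text):
    """True/False for branches the advisory covers, None when it names no fix."""
    branch, letters, _tag = parse(text)
    if branch not in FIXED:
        return None
    return letter_key(letters) >= letter_key(FIXED[branch])

def server_vulnerable_0224(text):
    """Servers: only 1.0.1 (before 1.0.1h) and 1.0.2-beta1 are known vulnerable."""
    branch, _letters, tag = parse(text)
    if (branch, tag) == ("1.0.2", "beta1"):
        return True
    return branch == "1.0.1" and is_patched(text) is False

def client_vulnerable_0224(text):
    """Clients: vulnerable on every assessed branch until its fixed release."""
    branch, _letters, tag = parse(text)
    return is_patched(text) is False or (branch, tag) == ("1.0.2", "beta1")

def mitm_possible(client, server):
    """CVE-2014-0224 needs a vulnerable client *and* a vulnerable server."""
    return client_vulnerable_0224(client) and server_vulnerable_0224(server)

if __name__ == "__main__":
    # Constructed sample inventory (not taken from the thread).
    for host, ver in [("web1", "OpenSSL 1.0.1g 7 Apr 2014"),
                      ("vpn1", "OpenSSL 0.9.8y 5 Feb 2013"),
                      ("lb1", "OpenSSL 1.0.1h 5 Jun 2014")]:
        print(host, ver, "->", "patched" if is_patched(ver) else "needs upgrade")
```

The check reads the upstream version string only; distribution packages often backport fixes without changing the letter, so confirm a "needs upgrade" result against the package changelog.
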
Posted

VIPs are discussing about h@cking  :3D_Smiles:

Posted

 

think_ww

Posted

yes ... 

 

They even mentioned that it was the servers where the passwords are stored .. do they usually give users such clear details about hacked stuff?

 

yes... otherwise.. suppose they just said it got hacked, change your passwords..

 

and some freak digs deep into the issue and finds out that personal details were leaked..

 

and sues.... the whole company would have to shut down, right..... that's why most of the time they go by the lawyers' language for this kind of stuff..

Posted

I completely agree...

 

My MD5 hash encrypted located in the kernel via hyperspin and deadlocks is not included in traffic routing. Traffic routing is propagated through internet MAC Hex through the ethernet interfaces encrypted through the third axle. Three axles have very little stability and can't be changed.

 

 
