OpenSSL vulnerable to MitM attacks

A new OpenSSL vulnerability endangers the confidentiality and integrity of encrypted communications. The exploitation of the vulnerability requires, however, that the attacker has access to the telecommunications between the customer and server.

Several vulnerabilities have been detected in the OpenSSL library which is used for encrypting network connections. The most severe vulnerability can be used for implementing a Man-in-the-Middle (MitM) attack. The vulnerability is based on the manipulation of the data changed when the connection is made. In order to exploit the vulnerability, the attacker must have access to the network connection between the user and server. This may occur for example when a Wireless Local Area Network (WLAN) is used. If the attack is successful, the user does not notice that the connection is uncrypted. By exploiting the vulnerability, the attacker is able to listen in on and manipulate the telecommunications.

The vulnerability is patched when OpenSSL is upgraded to its latest version in server and customer applications. The vulnerability can be exploited only when both the server and the customer are vulnerable. Users can protect themselves against the vulnerability by upgrading vulnerable applications as upgrades become available.

A vulnerability named Heartbleed was detected in the OpenSSL library in early April. This vulnerability enabled that the attacker could obtain data from servers via any network connection. The exploitation of the discovered vulnerability is significantly more difficult than the exploitation of Heartbleed because it requires that the attacker has access to the network connection at the same time as the user form an encrypted connection.

Further information

NCSC-FI Advisory 75/2014

Information security now! - Prevention of a Man-in-the-Middle attack

Update history

Key words: Information security, Information security now!

LinkedIn Print