CVE-2014-0224: CCS Injection Vulnerability

CVE ID

CVE-2014-0224

DESCRIPTION

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

Unitrends Summary

  • The login credentials are not exposed to this method
  • This issue has existed for 15+ years, since at least 1998. This CVE was released on 06/05/2014.
  • Man-in-the-Middle attacks like this require privileged (on-premise) network access.
  • The only SSL connection that would be exposed for Unitrends would be replication, but the replication protocol and data format has validation which would prevent almost any attacker from obtaining sensitive information.

Therefore the exposure to Unitrends systems is very low.

RESOLUTION

This vulnerability is fixed in these upstream openssl versions:

  • openssl-0.9.8za
  • openssl-1.0.0m
  • openssl-1.0.1h.
It is fixed in these CentOS versions of openssl:
  • CentOS5: openssl-0.9.8e-27.el5_10.3.x86_64.rpm or later
  • CentOS6: openssl-1.0.1e-16.el6_5.14.x86_64.rpm or later
To update to the new version of openssl with the fix, either do 'yum update openssl' from the command line, or perform an update from the UI.

LINK TO ADVISORIES

NOTES

​For a detailed discussion see: https://www.imperialviolet.org/2014/06/05/earlyccs.html

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us