JVNDB-2014-000048

OpenSSL improper handling of Change Cipher Spec message

Overview

OpenSSL improperly handles the Change Cipher Spec message in the initial SSL/TLS handshake.

OpenSSL contains a flaw in the implementation of the Change Cipher Spec protocol that allows a MITM (man-in-the-middle) attacker to force a server and a client to use easily guessable cryptographic key material during the initial SSL/TLS handshake (CWE-325).

KIKUCHI Masashi of Lepidum Co. Ltd. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

It is confirmed that SSL/TLS communication between a server and a client using the following vulnerable OpenSSL versions is affected.

Server:

OpenSSL Project
  • OpenSSL 1.0.1g and earlier

Client:

OpenSSL Project
  • OpenSSL 1.0.1g and earlier
  • OpenSSL 1.0.0l and earlier
  • OpenSSL 0.9.8y and earlier

Impact

SSL/TLS communication between the server and the client can be decrypted or altered by the MITM attacker.

Solution

[Update the software]
Update to the latest version according to the information provided by the developer.

Vendor Information

BlackBerry
  • BlackBerry Knowledge Base : KB36051
FileZilla
Huawei
IBM Corporation
InterSect Alliance International Pty
Kerio Technologies
Novell, Inc.
OpenSSL Project
Puppet Labs
Splunk
Tenable Network Security
VMware
Apple Inc.
  • Apple Security Updates : HT6443
Oracle Corporation
Cisco Systems, Inc.
Trend Micro, Inc.
BUFFALO INC.
Hewlett-Packard Development Company, L.P
Fortinet
Blue Coat Systems, Inc.
  • Security Advisories : SA80
McAfee, Inc.
MIRACLE LINUX CORPORATION
Yamaha Corporation
Red Hat, Inc.
Yokogawa Electric Corporation
TOSHIBA TEC
NEC Corporation
  • NEC Security Information : AV14-002 (in Japanese)
  • NEC Security Information : NV15-011 (in Japanese)
Hitachi, Ltd
FUJITSU

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2014-0224

References

  1. JVN : JVN#61247051
  2. JVN : JVNVU#93868849
  3. National Vulnerability Database (NVD) : CVE-2014-0224
  4. IPA SECURITY ALERTS : Security Alert for OpenSSL improper handling of Change Cipher Spec message (JVN#61247051) (in Japanese)
  5. US-CERT Vulnerability Note : VU#978508
  6. ICS-CERT ADVISORY : ICSA-14-156-01
  7. ICS-CERT ADVISORY : ICSA-14-198-03
  8. CERT-FI : Haavoittuvuuksia OpenSSL-kirjastossa
  9. Related document : Here is the timeline from my (OpenSSL) perspective for the recent CCS Injection (MITM) vulnerability as well as the other flaws being fixed today
  10. Related document : CCS Injection Vulnerability
  11. Related document : How I discovered CCS Injection Vulnerability (CVE-2014-0224)
  12. Related document : Announcement of Aratana (in Japanese)
  13. IETF : Change Cipher Spec

Revision History

[2014/06/06]
  Web page was published
[2014/06/09]
  Vendor Information : Contents were added
  References : Contents were added
[2014/06/10]
  Vendor Information : Content was added
  References : Content was added
[2014/06/11]
  Vendor Information : Contents were added
[2014/06/16]
  Vendor Information : Content was added
[2014/06/23]
  Vendor Information : Contents were added
[2014/06/30]
  Vendor Information : Contents were added
[2014/07/01]
  Vendor Information : Contents were added
[2014/07/08]
  Vendor Information : Content was added
[2014/07/11]
  Vendor Information : Contents were added
[2014/07/16]
  Vendor Information : Content was added
[2014/07/18]
  Vendor Information : Contents were added
  References : Content was added
[2014/08/05]
  Vendor Information : Contents were added
[2014/08/08]
  Vendor Information : Content was added
[2014/09/10]
  Vendor Information : Content was added
[2014/09/24]
  Vendor Information : Content was added
  References : Content was added
[2014/10/06]
  Vendor Information : Content was added
[2014/10/21]
  Vendor Information : Contents were added
[2015/01/22]
  Vendor Information : Contents were added
[2015/04/22]
  Vendor Information : Content was added
[2015/06/26]
  Vendor Information : Contents were added
[2015/10/28]
  Vendor Information : Content was added
[2016/07/27]
  Vendor Information : Contents were added