JVNDB-2014-000048

OpenSSL improper handling of Change Cipher Spec message

OpenSSL improperly handles Change Cipher Spec message in the initial SSL/TLS handshake.

OpenSSL contains a flaw in the implementation of the Change Cipher Spec protocol that allows a MITM (man-in-the-middle) attacker to force a server and a client to use easily guessable cryptgraphic key material during the initial SSL/TLS handshake (CWE-325).

KIKUCHI Masashi of Lepidum Co. Ltd. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

It is confirmed that the SSL/TLS communication between a server and a client using the following vulnerable OpenSSL versions is affected.

Server:

OpenSSL Project

• OpenSSL 1.0.1g and earlier

Client:

OpenSSL Project

• OpenSSL 1.0.1g and earlier
• OpenSSL 1.0.0l and earlier
• OpenSSL 0.9.8y and earlier

SSL/TLS communication between the server and the client can be decrypted or altered by the MITM attacker.

[Update the software]
Update to the latest version according to the information provided by the developer.

BlackBerry

• BlackBerry Knowledge Base : KB36051

FileZilla

• FileZilla : Version history

Huawei

• Security Advisory : Huawei-SA-20140613-OpenSSL

IBM Corporation

• IBM Support Document : 00001841
• IBM Support Document : 00001843
• IBM Support Document : N1020172
• IBM Support Document : S1004690
• IBM Support Document : 1676062
• IBM Support Document : 1676419
• IBM Support Document : 1676496
• IBM Support Document : 1676655
• IBM Support Document : 1676845
• IBM Support Document : 1677390
• IBM Support Document : 1677567
• IBM Support Document : 1677695
• IBM Support Document : 1677828
• IBM Support Document : 1678167
• IBM Support Document : 1678289
• IBM Support Document : 4037761
• IBM Support Document : IBM Flex System Integrated Management Module II (IMM2) is affected by the following OpenSSL vulnerability: CVE-2014-0224
• IBM Support Document : IBM System Networking switches that are affected by the OpenSSL vulnerability: CVE-2014-0224
• Technical bulletin : Announcing PTF MH01439 for HMC Version 7 Release 7.7.0 Service Pack 3
• Technical bulletin : Announcing PTF MH01438 for HMC Version 7 Release 7.6.0 Service Pack 3

InterSect Alliance International Pty

• InterSect Alliance International Pty : Release Notes for Snare Enterprise Agent for MSSQL v1.2
• InterSect Alliance International Pty : Release Notes for Snare Enterprise Agent for Windows v4.2

Kerio Technologies

• Kerio Control : Kerio Control Release History

Novell, Inc.

• Knowledgebase : 7015300
• Knowledgebase : 7015264

OpenSSL Project

• OpenSSL : Fix for CVE-2014-0224
• OpenSSL : Tarballs
• OpenSSL Security Advisory : OpenSSL Security Advisory [05 Jun 2014] SSL/TLS MITM vulnerability (CVE-2014-0224)

Puppet

• Puppet : CVE-2014-0224

Splunk

• Splunk : Splunk Enterprise 6.1.2, 6.0.5 and 5.0.9 address two vulnerabilities - July 1, 2014

Tenable Network Security

• Tenable Network Security : Nessus 5.2.7 and PVS 4.0.3 Are Available for Download
• Tenable Network Security : Nessus 5.2.7 Now Available

VMware

• Knowledge Base : 2079783
• VMware Security Advisories : VMSA-2014-0006

Apple Inc.

• Apple Security Updates : HT6443

Oracle Corporation

• MySQL : Changes in MySQL Workbench 6.1.7 (2014-06-27)
• Oracle : ELSA-2014-1053
• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - October 2014
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices
• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - January 2015
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices
• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - July 2014
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices
• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - July 2016
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - July 2016 Risk Matrices
• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - October 2016
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - October 2016 Risk Matrices
• SECURITY BLOG : CVE-2014-0224 Cryptographic Issues vulnerability in WAN Boot
• SECURITY BLOG : CVE-2014-0224 Cryptographic Issues vulnerability in OpenSSL
• SECURITY BLOG : July 2014 Critical Patch Update Released
• SECURITY BLOG : October 2014 Critical Patch Update Released
• SECURITY BLOG : January 2015 Critical Patch Update Released
• SECURITY BLOG : July 2016 Critical Patch Update Released
• SECURITY BLOG : October 2016 Critical Patch Update Released

Cisco Systems, Inc.

• Cisco Security Advisory : cisco-sa-20140605-openssl

Trend Micro, Inc.

• TrendMicro Solution : Alert / Advisory: Vulnerability in OpenSSL (CVE-2014-0224) (in Japanese)
• TrendMicro Support : Trend Micro products and the CCS Injection Vulnerability - [CVE-2014-0224] OpenSSL Vulnerability

BUFFALO INC.

• BUFFALO : Vulnerability in handling of Change Cipher Spec message of OpenSSL (CVE-2014-0224) (in Japanese)

Hewlett-Packard Development Company, L.P

• HP Security Bulletin : HPSBMU03053 SSRT101613
• HP Security Bulletin : HPSBMU03058 SSRT101591
• HP Security Bulletin : HPSBMU03070 SSRT101637
• HP Security Bulletin : HPSBMU03216
• HP Security Bulletin : HPSBST03195
• HP Security Bulletin : HPSBST03265

Fortinet

• FortiGuard Security Advisories : Multiple Vulnerabilities in OpenSSL

Blue Coat Systems, Inc.

• Security Advisories : SA80

McAfee

• McAfee : SB10075

MIRACLE LINUX CORPORATION

• Asianux Technical Support Network : openssl-1.0.1e-16.AXS4.14 (in Japanese)
• Asianux Technical Support Network : openssl098e-0.9.8e-18.AXS4.2 (in Japanese)
• Asianux Technical Support Network : openssl-0.9.8e-27.AXS3.3 (in Japanese)
• Asianux Technical Support Network : openssl097a-0.9.7a-12.AXS3.1 (in Japanese)
• Support : Vulnerability of OpenSSL CCS Injection (CVE-2014-0224) (in Japanese)

Yamaha Corporation

• FAQ for YAMAHA RT Series / Security : OpenSSL vulnerability of "Change Cipher Spec message processing" (in Japanese)

Red Hat, Inc.

• Red Hat Bugzilla : Bug 1103586
• Red Hat Security Advisory : RHSA-2014:0680
• Red Hat Security Advisory : RHSA-2014:0633
• Red Hat Security Advisory : RHSA-2014:0630
• Red Hat Security Advisory : RHSA-2014:0627
• Red Hat Security Advisory : RHSA-2014:0626
• Red Hat Security Advisory : RHSA-2014:0624
• Red Hat Security Advisory : RHSA-2014:0632
• Red Hat Security Advisory : RHSA-2014:0631
• Red Hat Security Blog : OpenSSL MITM CCS injection attack (CVE-2014-0224)

Yokogawa Electric Corporation

• JVN : Information from Yokogawa Electric Corporation

TOSHIBA TEC

• TOSHIBA TEC : Inquiries about Multi Function Peripherals

NEC Corporation

• NEC Security Information : AV14-002 (in Japanese)
• NEC Security Information : NV15-011 (in Japanese)

Hitachi, Ltd

• Hitachi Incdent Response Team : HIRT-PUB14010
• Hitachi Software Vulnerability Information : HS15-012

FUJITSU

• FUJITSU Security Information : Processing of Change Cipher Spec message in OpenSSL vulnerability (CVE-2014-0224) (in Japanese)
• FUJITSU Security Information : Systemwalker Runbook Automation: Processing of Change Cipher Spec message in OpenSSL vulnerability (CVE-2014-0224) (in Japanese)
• FUJITSU Security Information : Systemwalker Service Quality Coordinator: Processing of Change Cipher Spec message in OpenSSL vulnerability (CVE-2014-0224) (in Japanese)
• FUJITSU Security Information : Systemwalker Desktop Keeper, Systemwalker Desktop Patrol: Processing of Change Cipher Spec message in OpenSSL vulnerability (CVE-2014-0224) (in Japanese)
• FUJITSU Security Information : Systemwalker Centric Manager: Processing of Change Cipher Spec message in OpenSSL vulnerability (JVNDB-2014-000048) (in Japanese)
• FUJITSU Security Information : Symantec Backup Exec 2012/ ETERNUS BE50: Processing of Change Cipher Spec message in OpenSSL vulnerability (CVE-2014-0224) (in Japanese)
• FUJITSU Security Information : Symfoware Server: OpenSSL vulnerability (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-3470) (in Japanese)

1. No Mapping(CWE-Other) [IPA Evaluation]

1. CVE-2014-0224

1. JVN : JVN#61247051
2. JVN : JVNVU#93868849
3. National Vulnerability Database (NVD) : CVE-2014-0224
4. IPA SECURITY ALERTS : Security Alert for OpenSSL improper handling of Change Cipher Spec message (JVN#61247051) (in Japanese)
5. US-CERT Vulnerability Note : VU#978508
6. ICS-CERT ADVISORY : ICSA-14-156-01
7. ICS-CERT ADVISORY : ICSA-14-198-03
8. CERT-FI : Haavoittuvuuksia OpenSSL-kirjastossa
9. Related document : Here is the timeline from my (OpenSSL) perspective for the recent CCS Injection (MITM) vulnerability as well as the other flaws being fixed today
10. Related document : CCS Injection Vulnerability
11. Related document : How I discovered CCS Injection Vulnerability (CVE-2014-0224)
12. Related document : Announcement of Aratana (in Japanese)
13. IETF : Change Cipher Spec

• [2014/06/06]
    Web page was published
  [2014/06/09]
    Vendor Information : Contents were added
    References  : Contents were added
  [2014/06/10]
    Vendor Information : Content was added
    References : Content was added
  [2014/06/11]
    Vendor Information : Contents were added
  [2014/06/16]
    Vendor Information : Content was added
  [2014/06/23]
    Vendor Information : Contents were added
  [2014/06/30]
    Vendor Information : Contents were added
  [2014/07/01]
    Vendor Information : Contents were added
  [2014/07/08]
    Vendor Information : Content was added
  [2014/07/11]
    Vendor Information : Contents were added
  [2014/07/16]
    Vendor Information : Content was added
  [2014/07/18]
    Vendor Information : Contents were added
    References : Content was added
  [2014/08/05]
    Vendor Information : Contents were added
  [2014/08/08]
    Vendor Information : Content was added
  [2014/09/10]
    Vendor Information : Content was added
  [2014/09/24]
    Vendor Information : Content was added
    References : Content was added
  [2014/10/06]
    Vendor Information : Content was added
  [2014/10/21]
    Vendor Information : Contents were added
  [2015/01/22]
    Vendor Information : Contents were added
  [2015/04/22]
    Vendor Information : Content was added
  [2015/06/26]
    Vendor Information : Contents were added
  [2015/10/28]
    Vendor Information : Content was added
  [2016/07/27]
    Vendor Information : Contents were added
  [2016/12/27]
    Vendor Information : Contents were added