[Japanese]

JVNDB-2014-000048

OpenSSL improper handling of Change Cipher Spec message

Overview

OpenSSL improperly handles Change Cipher Spec message in the initial SSL/TLS handshake.

OpenSSL contains a flaw in the implementation of the Change Cipher Spec protocol that allows a MITM (man-in-the-middle) attacker to force a server and a client to use easily guessable cryptgraphic key material during the initial SSL/TLS handshake (CWE-325).

KIKUCHI Masashi of Lepidum Co. Ltd. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

It is confirmed that the SSL/TLS communication between a server and a client using the following vulnerable OpenSSL versions is affected.
Server:

OpenSSL Project
  • OpenSSL 1.0.1g and earlier

Client:

OpenSSL Project
  • OpenSSL 1.0.1g and earlier
  • OpenSSL 1.0.0l and earlier
  • OpenSSL 0.9.8y and earlier
Impact

SSL/TLS communication between the server and the client can be decrypted or altered by the MITM attacker.
Solution

[Update the software]
Update to the latest version according to the information provided by the developer.
Vendor Information

BlackBerry
  • BlackBerry Knowledge Base : KB36051
FileZilla Huawei IBM Corporation InterSect Alliance International Pty Kerio Technologies Novell, Inc. OpenSSL Project Puppet Splunk Tenable Network Security VMware Apple Inc.
  • Apple Security Updates : HT6443
Oracle Corporation Cisco Systems, Inc. Trend Micro, Inc. BUFFALO INC. Hewlett-Packard Development Company, L.P Fortinet Blue Coat Systems, Inc.
  • Security Advisories : SA80
McAfee MIRACLE LINUX CORPORATION Yamaha Corporation Red Hat, Inc. Yokogawa Electric Corporation TOSHIBA TEC NEC Corporation
  • NEC Security Information : AV14-002 (in Japanese)
  • NEC Security Information : NV15-011 (in Japanese)
Hitachi, Ltd FUJITSU
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-0224
References

  1. JVN : JVN#61247051
  2. JVN : JVNVU#93868849
  3. National Vulnerability Database (NVD) : CVE-2014-0224
  4. IPA SECURITY ALERTS : Security Alert for OpenSSL improper handling of Change Cipher Spec message (JVN#61247051) (in Japanese)
  5. US-CERT Vulnerability Note : VU#978508
  6. ICS-CERT ADVISORY : ICSA-14-156-01
  7. ICS-CERT ADVISORY : ICSA-14-198-03
  8. CERT-FI : Haavoittuvuuksia OpenSSL-kirjastossa
  9. Related document : Here is the timeline from my (OpenSSL) perspective for the recent CCS Injection (MITM) vulnerability as well as the other flaws being fixed today
  10. Related document : CCS Injection Vulnerability
  11. Related document : How I discovered CCS Injection Vulnerability (CVE-2014-0224)
  12. Related document : Announcement of Aratana (in Japanese)
  13. IETF : Change Cipher Spec
Revision History

  • [2014/06/06]
      Web page was published
    [2014/06/09]
      Vendor Information : Contents were added
      References  : Contents were added
    [2014/06/10]
      Vendor Information : Content was added
      References : Content was added
    [2014/06/11]
      Vendor Information : Contents were added
    [2014/06/16]
      Vendor Information : Content was added
    [2014/06/23]
      Vendor Information : Contents were added
    [2014/06/30]
      Vendor Information : Contents were added
    [2014/07/01]
      Vendor Information : Contents were added
    [2014/07/08]
      Vendor Information : Content was added
    [2014/07/11]
      Vendor Information : Contents were added
    [2014/07/16]
      Vendor Information : Content was added
    [2014/07/18]
      Vendor Information : Contents were added
      References : Content was added
    [2014/08/05]
      Vendor Information : Contents were added
    [2014/08/08]
      Vendor Information : Content was added
    [2014/09/10]
      Vendor Information : Content was added
    [2014/09/24]
      Vendor Information : Content was added
      References : Content was added
    [2014/10/06]
      Vendor Information : Content was added
    [2014/10/21]
      Vendor Information : Contents were added
    [2015/01/22]
      Vendor Information : Contents were added
    [2015/04/22]
      Vendor Information : Content was added
    [2015/06/26]
      Vendor Information : Contents were added
    [2015/10/28]
      Vendor Information : Content was added
    [2016/07/27]
      Vendor Information : Contents were added
    [2016/12/27]
      Vendor Information : Contents were added