Bug #3695
closed
CVE-2014-0224 - OpenSSL SSL/TLS MITM vulnerability
0%
Description
This newly released exploit affects all versions of OpenSSL and allows a MITM attacker to decrypt and modify traffic from the attacked client and server.
Updated by Jim Pingle over 10 years ago
We're already aware and investigating.
As far as we can tell it may not be critical for most. As with Heartbleed it primarily would affect OpenVPN in SSL/TLS mode and only then if you chose NOT to use a TLS auth key on the VPN. Harder still, someone apparently has to be in a position to intercept both client and server traffic to be able to inject the questionable packets into the connection stream to cause harm. It doesn't leak data like Heartbleed, but may allow someone to decrypt traffic flowing through the VPN.
It may also impact the GUI but as always if people followed our recommendations and keep GUI access restricted then it wouldn't be an issue there either.
Updated by Jim Pingle over 10 years ago
More links with info:
http://www.freebsd.org/security/advisories/FreeBSD-SA-14:14.openssl.asc
https://www.imperialviolet.org/2014/06/05/earlyccs.html
http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html
http://digital-era.net/new-openssl-mitm-flaw-affects-all-clients-some-server-versions/
Updated by Chris Buechler over 10 years ago
- Status changed from New to Resolved
was fixed in 2.1.4, ticket never got closed out.