Bug #3695

closed

CVE-2014-0224 - OpenSSL SSL/TLS MITM vulnerability

Added by Adam Gauthier over 9 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Urgent
Assignee: -
Category: Operating System
Target version:
Start date: 06/05/2014
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

This newly released exploit affects all versions of OpenSSL and allows a MITM attacker to decrypt and modify traffic from the attacked client and server.

See http://www.openssl.org/news/secadv_20140605.txt

Actions #1

Updated by Jim Pingle over 9 years ago

We're already aware and investigating.

As far as we can tell it may not be critical for most. As with Heartbleed it primarily would affect OpenVPN in SSL/TLS mode and only then if you chose NOT to use a TLS auth key on the VPN. Harder still, someone apparently has to be in a position to intercept both client and server traffic to be able to inject the questionable packets into the connection stream to cause harm. It doesn't leak data like Heartbleed, but may allow someone to decrypt traffic flowing through the VPN.

It may also impact the GUI but as always if people followed our recommendations and keep GUI access restricted then it wouldn't be an issue there either.
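The comment above ties exposure to OpenVPN running in SSL/TLS mode without a TLS auth key. The Python below is an added example, not part of the ticket or of pfSense; it classifies an OpenVPN config on that condition. The function names and sample configs are constructed, and treating `tls-crypt` (from later OpenVPN releases, not mentioned in the ticket) as equivalent to `tls-auth` is an assumption.

```python
import re

# "server" and "client" are helper directives that imply tls-server / tls-client.
TLS_MODE = {"tls-server", "tls-client", "server", "client"}
# Directives (or inline <blocks>) that add a pre-shared HMAC key to the TLS handshake.
# tls-crypt is an assumption here: it comes from later OpenVPN releases.
HMAC_KEY = {"tls-auth", "tls-crypt"}

def directives(config_text):
    """Return the directive names in use, counting inline <name> blocks."""
    names, in_block = set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if in_block:                      # skip key material inside a block
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":   # blank or commented-out directive
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            in_block = m.group(1)
        names.add(in_block or line.split()[0].lower())
    return names

def audit(config_text):
    """Return 'tls-no-hmac', 'tls+hmac', 'static-key' or 'unknown'."""
    used = directives(config_text)
    if used & TLS_MODE:
        return "tls+hmac" if used & HMAC_KEY else "tls-no-hmac"
    return "static-key" if "secret" in used else "unknown"

# Constructed sample configs, not taken from the ticket.
EXPOSED = """dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
;tls-auth ta.key 0
"""
PROTECTED = """client
remote vpn.example.com 1194
<tls-auth>
(constructed placeholder for key material)
</tls-auth>
key-direction 1
"""

if __name__ == "__main__":
    for name, cfg in (("EXPOSED", EXPOSED), ("PROTECTED", PROTECTED)):
        print(name, audit(cfg))
```

A `tls-no-hmac` result only says the config matches the condition in the comment; whether the linked OpenSSL build is patched has to be checked separately.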

Actions #3

Updated by Chris Buechler over 9 years ago

  • Target version set to 2.1.4

Actions #4

Updated by Chris Buechler over 9 years ago

  • Status changed from New to Resolved

Was fixed in 2.1.4, ticket never got closed out.
