The Internet Storm Center (ISC SANS) ranks two of the newly patched flaws as critical. One, identified as CVE-2014-0224, is an SSL man-in-the-middle (MITM) vulnerability that could have a widespread, critical impact. In an MITM attack, the attacker is able to intercept encrypted messages sent between secured endpoints and decrypt the message.
“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS [Secure Sockets Layer/Transfer Layer Security] clients and servers,” OpenSSL warns in its advisory. “This can be exploited by a man-in-the-middle attack where the attacker can decrypt and modify traffic from the attacked client and server.”
The OpenSSL Project cautions that all client versions of OpenSSL are vulnerable to CVE-2014-0224. The OpenSSL advisory notes that CVE-2014-0224 was reported to the OpenSSL Project May 1.
Read the full story at eWEEK:
OpenSSL Finds and Fixes 7 New Security Flaws
Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.