New OpenSSL Security Vulnerability

New vulnerabilities have been discovered in the OpenSSL library soon after the malicious Heartbleed threat which appeared in April. According to a security release issued to the users, it is mentioned that this bug makes it possible for an attacker to deploy a “man-in-the-middle” attack on traffic encrypted with OpenSSL. That means an attacker could intercept the an encrypted connection between users and the server, and decrypt it to extract secure information or modify the information.

This vulnerability requires use of MITM ( Man in the middle ) attack vector hence it is more difficult to deploy than the Heartbleed bug which could be used to attack any server with OpenSSL.

Implications for you

1. Only the following versions of OpenSSL are unaffected:
OpenSSL 1.0.1h
OpenSSL 1.0.0m
OpenSSL 0.9.8za

2. Ubuntu: The bug can be removed by updating your system to the following package version –
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.2
Ubuntu 13.10:
libssl1.0.0 1.0.1e-3ubuntu1.4
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.14
Ubuntu 10.04 LTS:
libssl0.9.8 0.9.8k-7ubuntu8.18

3. Debian: For the stable distribution (wheezy), these problems have been fixed in version 1.0.1e-2+deb7u10. All applications linked to openssl need to be restarted. You can use the tool “checkrestart” from the package debian-goodies to detect affected programs or reboot your system.
For the unstable distribution (sid), these problems will be fixed soon.

4. CentOS: The vulnerability can be removed by upgrading as follows –

CentOS 5.x series – Version 0.9.8e-27.el5_10.3 must be used.
CentOS 6.x series – Version 1.0.1e-16.el6_5.14 must be used

5. Use of this bug does not leave any traces, hence you can not detect if you have been exploited using this vulnerability.

All the managed clients at E2E Networks have been upgraded to the latest security patches by us. Please contact us at support@e2enetworks.com, if you are an unmanaged client and want us to help you with installation of the patches.