ATTENTION - Multiple OpenSSL Vulnerabilities

OpenSSL, the most widely used implementation of the SSL and TLS protocols, has released details of a new batch of vulnerabilities found in various releases of its code. Following the recent debacle that was the Heartbleed vulnerability, these new vulnerabilities are nowhere near as easy to exploit, so there is no need to lose sleep over them.

There are six new vulnerabilities, one of which (CVE-2014-0224) is a MITM (man-in-the-middle) attack. It requires an attacker to be positioned between the server and the client, and it then requires both the server and the client to be running vulnerable versions of OpenSSL. Commonly used client-side web browsers such as Internet Explorer, Firefox and Chrome do not use OpenSSL, which makes this attack vector unfeasible. Exploiting this vulnerability in the real world would require a high degree of technical skill, particularly in establishing the MITM position that is necessary to execute the exploit.

The remaining vulnerabilities require certain parameters to be enabled in the OpenSSL configuration. Nebulas recommend that you check this advisory, which contains details of each vulnerability and the recommended upgrade paths, to determine whether you are at risk.
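Deciding whether a host is at risk comes down to comparing the installed OpenSSL release against the patched release for its branch, and OpenSSL's letter-suffixed version scheme ("1.0.1g", "0.9.8za") does not sort correctly as a plain string. The following is an added example, not code from the Nebulas post or from OpenSSL; the patched-release table it takes is a placeholder that must be filled in from the advisory, and the `openssl version` call assumes the binary is on the PATH.

```python
"""Compare an installed OpenSSL version with the patched release for its branch.

OpenSSL versions are major.minor.fix plus an optional letter suffix.  A later
letter is a later patch release, and a longer suffix sorts after a shorter one
("0.9.8za" is newer than "0.9.8y"; no suffix is the first release of a branch).
"""
import re
import subprocess

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn "1.0.1g" or "OpenSSL 1.0.1g 7 Apr 2014" into a comparable tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letters = m.groups()
    # Suffix length precedes the suffix itself so that "za" > "y" and "a" > "".
    return (int(major), int(minor), int(fix), len(letters), letters)


def branch_of(version):
    """Branch key ("1.0.1") for a parsed version tuple."""
    return "%d.%d.%d" % version[:3]


def is_patched(installed, patched_by_branch):
    """True if `installed` is at or above its branch's patched release.

    A branch missing from the table is reported as unpatched: unknown is unsafe.
    """
    inst = parse_openssl_version(installed)
    fixed = patched_by_branch.get(branch_of(inst))
    if fixed is None:
        return False
    return inst >= parse_openssl_version(fixed)


def installed_openssl_version():
    """Ask the local `openssl` binary (assumed to be on the PATH) for its version."""
    result = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # PLACEHOLDER table: replace each value with the patched release named in the
    # advisory for that branch before relying on the result.
    PATCHED = {"1.0.1": "1.0.1z", "1.0.0": "1.0.0z", "0.9.8": "0.9.8zz"}
    version = installed_openssl_version()
    print(version, "patched" if is_patched(version, PATCHED) else "NOT patched")
```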

Many security vendors will be using vulnerable OpenSSL versions in their products and services. For the key partners that Nebulas support, we have compiled a list of their current status in researching and addressing these new vulnerabilities through patches and updates, which can be found here.
