A new security vulnerability in OpenSSL surfaced on Thursday with the potential to expose Internet user data to malicious hackers.
Masashi Kikuchi, a security researcher at Lepidum, a Japanese security firm, disclosed the existence of the security flaw, dubbed CCS Injection Vulnerability, in a blog entry on Thursday. The 16-year-old security flaw found in OpenSSL allows an attacker with knowledge of the coding bug to intercept and decrypt encrypted data traveling across the Internet, potentially exposing sensitive user data traveling the Web.
Kikuchi explained that a flaw in the ChangeCipherSpec protocol exposed OpenSSL to potential hackers:
“OpenSSL sends CCS in exact timing itself. However, it accepts CCS at other timings when receiving. Attackers can exploit this behavior so that they can decrypt and/or modify data in the communication channel.”
The team behind the OpenSSL encryption software acknowledged the security flaw as well in an advisory published on Thursday. According to the advisory, OpenSSL clients are vulnerable in all versions of OpenSSL. For servers running OpenSSL, the only known vulnerable versions are 1.0.1 and 1.02-beta1.The notice also advised OpenSSL server users to upgrade to a later version if they are running OpenSSL below version 1.0.1.
The CCS Injection Vulnerability is a serious concern, but it’s not as severe as the Heartbleed security flaw, which sent server administrators and companies scrambling to secure their servers. Unlike Heartbleed, which only required attackers to focus their attention on a single server or Internet client, this latest security flaw requires an attacker to sit in a position between an OpenSSL server and an OpenSSL client.
“The good news is that these attacks need man-in-the-middle position against the victim and that non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari etc) aren't affected. None the less, all OpenSSL users should be updating,” cryptographer and Google software engineer Adam Langley said in a blog post.
As for why the bug wasn’t found sooner, Kikuchi blames OpenSSL code reviews for being insufficient:
“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation. If the reviewers had enough experiences, they should have been verified OpenSSL code in the same way they do their own code. They could have detected the problem.”
Those affected by this latest OpenSSL security flaw are advised to install OpenSSL software updates from their respective software vendors.