A 16-year-old flaw in OpenSSL has been uncovered, two months after Heartbleed hit the industry.
An advisory notice on the OpenSSL website reports security researcher Masashi Kikuchi of Lepidum found a man-in-the-middle vulnerability, referred to as CVE-2014-0224.
“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MitM) attack where the attacker can decrypt and modify traffic from the attacked client and server,” the advisory said.
The attack can only be performed if both the client and the server are vulnerable, which is the case when servers are running OpenSSL 1.0.1 or 1.0.2-beta1.
“Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution,” the notice said.
Kikuchi helped to produce a fix for the problem, which Stephen Henson of the OpenSSL core team approved and which is available to download and install.
Kikuchi provided more information on how he uncovered the bug in a blog post, revealing that the issue had never been found before due to insufficient code checks.
“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation,” he said. “If the reviewers had enough experiences, they should have verified OpenSSL code in the same way they do their own code and they could have detected the problem.”
OpenSSL released new versions last week that mitigate several additional vulnerabilities discovered since the April OpenSSL vulnerability caused by the Heartbleed bug, according to a report on ICS-CERT.