An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
The attack can only be performed between a vulnerable client AND server.
What versions of OpenSSL are affected?
- OpenSSL clients are vulnerable in ALL versions of OpenSSL.
- Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1.
How to fix:
Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
- OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
- OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
- OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
You can use this article as a reference to check the version of your openssl and perform the upgrade.
- cPanel: http://forums.cpanel.net/f185/openssl-vulnerability-cve-2014-0224-a-411551.html
- Plesk: http://kb.parallels.com/en/121916
- CentOS: https://www.centos.org/forums/viewtopic.php?f=11&t=46561
- VMWare: http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2079783&sliceId=1&docTypeID=DT_KB_1_1&dialogID=282054392&stateId=1%200%20282062537