OpenSSL Team Warns of New MITM Vulnerability


On Thursday, the OpenSSL team issued an advisory (CVE-2014-0224) that warned of new SSL/TLS vulnerabilities — for certain releases of OpenSSL — that may leave SSL clients and servers susceptible to man-in-the-middle (MITM) attacks.

Entrust certificate customers will not need to replace their public/private key pairs or certificates. If customers are running vulnerable software, they will simply need to install a security update provided by their respective vendors.

Entrust SSL customers do not need to be concerned about the management of their certificates or their certificate management accounts. The CA private keys are protected on a NIST FIPS 140-2 Level 3 hardware security module (HSM). The CA private keys never leave this hardware and are not exposed to any server using OpenSSL.

Entrust Cloud SSL uses implementations of OpenSSL that are not vulnerable to the newest man-in-the-middle threat. We are, however, currently investigating the impact of this vulnerability on Discovery agents.

In detail, this latest OpenSSL vulnerability allows an attacker, in a position to modify traffic between a vulnerable SSL client and vulnerable SSL server, to force them to agree upon weak SSL keys. The attacker can then read and manipulate the SSL traffic.

As a precaution, the OpenSSL team is advising users of the following versions to upgrade to the listed releases.

  • OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za
  • OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m
  • OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h

Only versions 1.0.1 through 1.0.1g and 1.0.2-beta1 are known to be vulnerable when functioning as a server. SSL/TLS implementations other than OpenSSL are not known to be vulnerable.

A man-in-the-middle attack can only occur if both the client and server are vulnerable. All versions of OpenSSL (except for those released Thursday, June 5) are vulnerable when functioning as a client.
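As an added example (not code from the OpenSSL or Entrust advisories), the Python below applies the version rules stated above to strings in the style of `openssl version` output and reports client-side and server-side exposure separately. The function names are assumptions made for illustration. Vendor packages that backport the fix without changing the upstream version letter will be reported as vulnerable, so confirm such results against the vendor's update status.

```python
import re

# Fixed release letter per branch, taken from the upgrade list above.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}
_VERSION = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)(?:-(beta\d+))?")


def _rank(letters):
    # OpenSSL patch letters sort '' < a < ... < z < za < zb, so compare length first.
    return (len(letters), letters)


def assess(version_text):
    """Return {'client': ..., 'server': ...}; True = vulnerable, None = not covered here."""
    m = _VERSION.search(version_text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % version_text)
    branch, letters, beta = m.groups()
    if branch == "1.0.2":
        # The page names only 1.0.2-beta1; other 1.0.2 builds are outside its scope.
        hit = True if (beta == "beta1" and not letters) else None
        return {"client": hit, "server": hit}
    if branch not in FIXED:
        return {"client": None, "server": None}
    unpatched = _rank(letters) < _rank(FIXED[branch])
    # Server side is affected only on the 1.0.1 branch (1.0.1 through 1.0.1g).
    return {"client": unpatched, "server": unpatched and branch == "1.0.1"}


def mitm_possible(client_version, server_version):
    """The attack needs a vulnerable client AND a vulnerable server.

    Versions this page does not cover (None) count as not confirmed vulnerable.
    """
    return bool(assess(client_version)["client"]) and bool(assess(server_version)["server"])


if __name__ == "__main__":
    # Constructed sample inventory (strings in `openssl version` style).
    for v in ["OpenSSL 0.9.8y", "OpenSSL 0.9.8za", "OpenSSL 1.0.0l",
              "OpenSSL 1.0.1e-fips", "OpenSSL 1.0.1h", "OpenSSL 1.0.2-beta1"]:
        print(v, assess(v))
    print("0.9.8y client -> 1.0.1g server:",
          mitm_possible("OpenSSL 0.9.8y", "OpenSSL 1.0.1g"))
```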

Most Web browsers (e.g., Internet Explorer, Firefox, Safari and Chrome on the desktop, plus Safari on Apple iOS) are not vulnerable. The Chrome browser on Android was vulnerable, but a security update (35.0.1916.141) was quickly released by Google to correct the issue.

For additional information about the new OpenSSL vulnerability, please review Entrust Security Bulletin E14-014.

