Less than two months have passed since news of the Heartbleed vulnerability broke, and now several more vulnerabilities in the popular OpenSSL library have come to light. Increased scrutiny of the OpenSSL code since Heartbleed has turned up additional bugs, including a more serious issue for which the OpenSSL project has already shipped patched releases (0.9.8za, 1.0.0m and 1.0.1h).
Tracked as CVE-2014-0224, the flaw "could allow an attacker to perform a 'man-in-the-middle' attack ...," according to the United States Computer Emergency Readiness Team (US-CERT).
To exploit the vulnerability, both the client and the server must be running vulnerable OpenSSL builds (all OpenSSL clients are affected; servers are known to be affected only when running 1.0.1 or 1.0.2-beta1), and the attacker must already hold a man-in-the-middle (MITM) position on the network from which traffic can be intercepted and modified on the wire. A successful attack lets the attacker decrypt and alter the traffic between the two endpoints. While a MITM position is not something every attacker has, the proliferation of open Wi-Fi networks makes it considerably easier to obtain.
As Heartbleed made plain, OpenSSL is embedded in a very large share of online services and products.
What to Do
- If you run a server or application that uses OpenSSL, update to a patched release (0.9.8za, 1.0.0m, 1.0.1h or later) and restart the services linked against the library so they actually load the new version.
- Contact your vendors. If you rely on software vendors whose products expose web-based portals, ask them to confirm whether the product is affected by this vulnerability and when a fix will ship.
- For the end user, passwords are the place to start. Unlike Heartbleed, this flaw does not leak server memory, but an attacker who exploits it can read and modify the traffic of the intercepted session, and that traffic may include a password. Changing passwords that may have travelled over an untrusted network is prudent, and rotating them regularly remains a best practice.
- Avoid unsecured Wi-Fi networks. They are the easiest place for an attacker to obtain the MITM position this attack requires.
- Be vigilant. Although an attack is far less likely than with Heartbleed, the risk is not zero. Monitor your network and look into anything that appears unusual.
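The first step above, checking whether an installed OpenSSL carries the fix, is easy to get wrong by eye because the patch-letter suffixes (0.9.8y versus 0.9.8za) do not sort the way people expect. The script below is an added example, not code from the original post or from the OpenSSL project: it classifies a version string against the fixed releases named in the OpenSSL advisory for CVE-2014-0224 (0.9.8za, 1.0.0m, 1.0.1h, 1.0.2-beta2) and, with no arguments, inspects the local `openssl` binary. The function and file names are assumptions for illustration. One caveat a practitioner needs: Linux distributions routinely backport the fix without changing the version string, so a "no fix" verdict means "consult the vendor advisory", not "confirmed vulnerable"; a "fixed" verdict is reliable.

```sh
#!/bin/sh
# Added example (not from the original post or the OpenSSL project):
# classify an OpenSSL version string against the releases that carry the
# fix for CVE-2014-0224: 0.9.8za, 1.0.0m, 1.0.1h and 1.0.2-beta2.
# Distributions often backport the fix without bumping the version, so
# "no fix in the version string" is a prompt to check the vendor advisory.

# ccs_fixed VERSION -> exit 0 if VERSION carries the fix, 1 if it does not.
# VERSION is the bare version, e.g. "1.0.1e", "0.9.8za", "1.0.2-beta1".
ccs_fixed() {
    ver=$1
    branch=${ver%%[!0-9.]*}     # "1.0.1e" -> "1.0.1"
    suffix=${ver#"$branch"}     # "1.0.1e" -> "e"; "1.0.2-beta1" -> "-beta1"

    case $branch in
        0.9.8) fixed=za ;;
        1.0.0) fixed=m ;;
        1.0.1) fixed=h ;;
        1.0.2) fixed=-beta2 ;;
        *)
            # Branches newer than 1.0.2 (1.1.0, 3.x, ...) were released after
            # the fix and never had the bug; branches older than 0.9.8 never
            # received a fix at all.
            set -- $(printf '%s' "$branch" | tr . ' ')
            [ $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} )) -gt 10002 ]
            return
            ;;
    esac

    # A bare branch version ("1.0.1" with no letter) predates every lettered
    # release on that branch and is therefore unfixed.
    [ -n "$suffix" ] || return 1

    # Patch suffixes sort bytewise: "a" < ... < "y" < "za" < "zb", and
    # "-beta1" < "-beta2". The version is fixed when its suffix is the
    # greater (or equal) member of the pair.
    top=$(printf '%s\n%s\n' "$suffix" "$fixed" | LC_ALL=C sort | tail -n 1)
    [ "$top" = "$suffix" ]
}

# installed_openssl_version -> bare version from `openssl version`, whose
# output looks like "OpenSSL 1.0.1e 11 Feb 2013". A "-fips" tag that some
# builds append is kept; it sorts above the bare letter, so it does no harm.
installed_openssl_version() {
    set -- $(openssl version 2>/dev/null)
    printf '%s\n' "${2:-unknown}"
}

# Usage: sh ccs_check.sh [VERSION ...]; with no argument, check the local binary.
[ $# -gt 0 ] || set -- "$(installed_openssl_version)"
for v in "$@"; do
    if ccs_fixed "$v"; then
        echo "$v: carries the CVE-2014-0224 fix"
    else
        echo "$v: no fix in the version string; consult the vendor advisory"
    fi
done
```

Run it against the version strings your vendors report as well as against the local binary; the same comparison applies to either. For a backported distribution package, the authoritative check is the package changelog or the vendor's security advisory, not this string.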
While no network is 100% safe, there are best practices that can be put in place to mitigate your risk as noted above.