Still reeling from Heartbleed, OpenSSL suffers from crypto bypass flaw

A researcher has uncovered another severe vulnerability in the OpenSSL cryptographic library. It allows attackers to decrypt and modify Web, e-mail, and virtual private network traffic protected by the transport layer security (TLS) protocol, the Internet's most widely used method for encrypting traffic traveling between end users and servers.

Library updates are available on the front page of the OpenSSL website. People who administer servers running OpenSSL should update as soon as possible. The underlying vulnerability, formally cataloged as CVE-2014-0224, resides in the ChangeCipherSpec processing, according to an overview by Lepidum, the software developer that discovered the flaw and reported it privately to OpenSSL. It makes it possible for attackers who can monitor a connection between an end user and server to force weak cryptographic keys on client devices. Attackers can then exploit those keys to decrypt the traffic or even modify the data before sending it to its intended destination.

"OpenSSL's ChangeCipherSpec processing has a serious vulnerability," the Lepidum advisory stated. "This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt them while forcing SSL clients to use weak keys which are exposed to the malicious nodes. There are risks of tampering with the exploits on contents and authentication information over encrypted communication via web browsing, e-mail and VPN, when the software uses the affected version of OpenSSL."

