Lucene search
K

SSL/TLS: OpenSSL CCS Man in the Middle Security Bypass Vulnerability

🗓️ 10 Jun 2014 00:00:00Reported by Copyright (C) 2014 Greenbone AGType 
openvas
 openvas
🔗 plugins.openvas.org👁 1119 Views

SSL/TLS: OpenSSL CCS Man in the Middle Security Bypass Vulnerability. OpenSSL prone to security-bypass vulnerability allows man-in-the-middle attackers to trigger zero-length master key via crafted TLS handshake, hijack sessions, or obtain sensitive information

Related
Refs
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: IBM Sterling Connect:Enterprise for UNIX affected by the following OpenSSL vulnerability (CVE-2014-0224).
18 Dec 201901:14
ibm
IBM Security Bulletins
Security Bulletin: Tivoli Common Reporting iFixes for multiple Security Vulnerabilities (CVE-2014-3566,CVE-2014-6145,CVE-2014-1568,CVE-2014-4263,CVE-2014-3513,CVE-2014-3567,CVE-2014-3568,CVE-2014-0107,CVE-2014-0075,CVE-2014-0096,CVE-2014-0099,CVE-2014-011
17 Jun 201814:55
ibm
IBM Security Bulletins
Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere MQ (CVE-2014-0224, CVE-2014-3470), Websphere Message Broker and IBM Integration Bus (CVE-2014-0224) shipped with Predictive Maintenance and Quality
15 Jun 201822:33
ibm
IBM Security Bulletins
Security Bulletins for IBM Tealeaf Customer Experience offerings
16 Jun 201819:35
ibm
IBM Security Bulletins
IBM Security Network Protection / IBM QRadar Network Security / XGS Technote Index
31 Jan 202100:10
ibm
IBM Security Bulletins
Security Bulletin: IBM Systems Director is affected by vulnerabilities in OpenSSL (CVE-2014-0224, CVE-2013-0169 and CVE-2014-3470)
31 Jan 201901:25
ibm
IBM Security Bulletins
Security Bulletins - IBM Planning Analytics, Cognos TM1 and Cognos Insight
18 Jul 201817:37
ibm
IBM Security Bulletins
Security Bulletin: Rational ClearCase is affected by OpenSSL vulnerabilities (CVE-2014-0224, CVE-2014-3470, CVE-2015-0292)
10 Jul 201808:34
ibm
IBM Security Bulletins
Security Bulletin:Security vulnerability has been identified in Rational Application Developer shipped with Rational Software Architect for Websphere (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470)
17 Jun 201804:55
ibm
IBM Security Bulletins
Security Bulletin: IBM System x Integrated Management Module (IMM) is affected by the following OpenSSL vulnerabilities: CVE-2014-0224, CVE-2014-0076
31 Jan 201901:25
ibm
Rows per page
# SPDX-FileCopyrightText: 2014 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.105042");
  script_version("2025-01-17T15:39:18+0000");
  script_cve_id("CVE-2014-0224");
  script_name("SSL/TLS: OpenSSL CCS Man in the Middle Security Bypass Vulnerability");
  script_tag(name:"cvss_base", value:"5.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_tag(name:"last_modification", value:"2025-01-17 15:39:18 +0000 (Fri, 17 Jan 2025)");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2020-07-28 16:40:00 +0000 (Tue, 28 Jul 2020)");
  script_tag(name:"creation_date", value:"2014-06-10 17:18:54 +0200 (Tue, 10 Jun 2014)");
  script_category(ACT_ATTACK);
  script_family("SSL and TLS");
  script_copyright("Copyright (C) 2014 Greenbone AG");
  script_dependencies("gb_ssl_tls_version_get.nasl");
  script_mandatory_keys("ssl_tls/port");

  script_xref(name:"URL", value:"https://www.openssl.org/news/secadv/20140605.txt");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/67899");

  script_tag(name:"impact", value:"Successfully exploiting this issue may allow attackers to obtain
  sensitive information by conducting a man-in-the-middle attack. This may lead to other attacks.");

  script_tag(name:"vuldetect", value:"Send two SSL ChangeCipherSpec request and check the response.");

  script_tag(name:"insight", value:"OpenSSL does not properly restrict processing of ChangeCipherSpec
  messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in
  certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive
  information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability.");

  script_tag(name:"solution", value:"Updates are available. Please see the references for more information.");

  script_tag(name:"summary", value:"OpenSSL is prone to a security bypass vulnerability.");

  script_tag(name:"affected", value:"OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m and 1.0.1 before 1.0.1h.");

  script_tag(name:"qod_type", value:"remote_analysis");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

include("mysql.inc");
include("byte_func.inc");
include("ssl_funcs.inc");
include("misc_func.inc");
include("list_array_func.inc");

function _test( v, port ) {

  local_var v, port, soc, hello, data, record, hello_done, req;

  if( ! v ) return FALSE;

  soc = open_ssl_socket( port:port );
  if( ! soc ) return FALSE;

  hello = ssl_hello( port:port, version:v );
  if( ! hello ) {
    close( soc );
    return FALSE;
  }

  send( socket:soc, data:hello );

  while( ! hello_done ) {
    data = ssl_recv( socket:soc );
    if( ! data ) {
      close( soc );
      return FALSE;
    }

    record = search_ssl_record( data:data, search:make_array( "content_typ", SSLv3_ALERT ) );
    if( record ) {
      close( soc );
      return FALSE;
    }

    record = search_ssl_record( data:data, search:make_array( "handshake_typ", SSLv3_SERVER_HELLO_DONE ) );
    if( record ) {
      hello_done = TRUE;
      v = record["version"];
      break;
    }
  }

  if( ! hello_done ) {
    close( soc );
    return FALSE;
  }

  req = raw_string( 0x14 ) + v + raw_string( 0x00, 0x01, 0x01 );
  send( socket:soc, data:req );

  data = ssl_recv( socket:soc );

  if( ! data && socket_get_error( soc ) == ECONNRESET ) {
    close( soc );
    return FALSE;
  }

  if( data ) {
    record = search_ssl_record( data:data, search:make_array( "content_typ", SSLv3_ALERT ) );
    if( record ) {
      close( soc );
      return FALSE;
    }
  }

  send( socket:soc, data:req );
  data = ssl_recv( socket:soc );

  close( soc );

  if( ! data ) return FALSE;

  record = search_ssl_record( data:data, search:make_array( "content_typ", SSLv3_ALERT ) );
  if( record ) {
    if( record['level'] == SSLv3_ALERT_FATAL && ( record['description'] == SSLv3_ALERT_BAD_RECORD_MAC || record['description'] == SSLv3_ALERT_DECRYPTION_FAILED ) ) {
      security_message( port:port );
      exit( 0 );
    }
  }
}

if( ! port = tls_ssl_get_port() )
  exit( 0 );

if( ! versions = get_supported_tls_versions( port:port, min:SSL_v3, max:TLS_12 ) )
  exit( 0 );

foreach version( versions ) {
  _test( v:version, port:port );
}

exit( 99 );

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 Jan 2025 00:00Current
7High risk
Vulners AI Score7
CVSS 25.8
CVSS 3.17.4
EPSS0.95326
1119