OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
- The login credentials are not exposed to this method
- This issue has existed for 15+ years, since at least 1998. This CVE was released on 06/05/2014.
- Man-in-the-Middle attacks like this require privileged (on-premise) network access.
- The only SSL connection that would be exposed for Unitrends would be replication, but the replication protocol and data format have validation which would prevent almost any attacker from obtaining sensitive information.
Therefore, the exposure of Unitrends systems is very low.
This vulnerability is fixed in these upstream openssl versions:
- 0.9.8za
- 1.0.0m
- 1.0.1h
It is fixed in these CentOS versions of openssl:
- CentOS5: openssl-0.9.8e-27.el5_10.3.x86_64.rpm or later
- CentOS6: openssl-1.0.1e-16.el6_5.14.x86_64.rpm or later
To update to the new version of openssl with the fix, either do 'yum update openssl' from the command line, or perform an update from the UI.
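To confirm the update took effect, the installed build can be checked against the two fixed builds listed above. The following is an added verification script, not part of this advisory or of Unitrends' tooling; it assumes the input is the package name as printed by `rpm -q openssl` and uses a simplified version of rpm's own version-ordering rules.

```python
import re

# Minimum fixed openssl builds named in the advisory, keyed by the EL release
# tag that appears in the package's release field.
FIXED_BUILDS = {
    "el5": "0.9.8e-27.el5_10.3",
    "el6": "1.0.1e-16.el6_5.14",
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm-style comparison of two version or release strings.
    Both are split into numeric and alphabetic runs (separators ignored).
    Numeric runs compare by value, alphabetic runs lexically, and a numeric
    run always ranks above an alphabetic one. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvra(nvra: str):
    """Split 'openssl-1.0.1e-16.el6_5.14.x86_64' into (name, version, release)."""
    without_arch = nvra.rsplit(".", 1)[0]
    name, version, release = without_arch.rsplit("-", 2)
    return name, version, release


def is_patched(nvra: str) -> bool:
    """True if the installed openssl build is at or above the fixed build for
    its EL release; raises ValueError for releases the advisory does not list."""
    name, version, release = parse_nvra(nvra.strip())
    if name != "openssl":
        raise ValueError(f"not an openssl package: {nvra}")
    el = next((tag for tag in FIXED_BUILDS if tag in release), None)
    if el is None:
        raise ValueError(f"no fixed build known for release '{release}'")
    fixed_version, fixed_release = FIXED_BUILDS[el].split("-", 1)
    cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return cmp >= 0


if __name__ == "__main__":
    # Constructed sample lines in the shape `rpm -q openssl` prints them.
    for line in ["openssl-1.0.1e-16.el6_5.7.x86_64", "openssl-0.9.8e-27.el5_10.3.x86_64"]:
        print(line, "patched" if is_patched(line) else "VULNERABLE")
```

Note that a build newer than the listed one (for example a later CentOS 6 release of openssl-1.0.1e) is reported as patched, because the advisory says "or later".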
LINK TO ADVISORIES
For a detailed discussion see: https://www.imperialviolet.org/2014/06/05/earlyccs.html