Certain mitigating factors made the recent OpenSSL man-in-the-middle vulnerability a notch or two below Heartbleed in terms of criticality. With that in consideration, it’s probably no surprise that patching levels for CVE-2014-0224 aren’t as high out of the gate as they were for Heartbleed.
Ivan Ristic, an application security researcher and director of engineering at Qualys, said that his company’s research arm, SSL Labs, has been running a remote check for servers vulnerable to the bug. This week it ran that same scan against a dataset maintained by SSL Pulse, a global project that monitors the quality of SSL support, in order to quantify the scope of the problem affecting all OpenSSL client versions and version 1.0.1 of the server software.
The results weren’t entirely discouraging to Ristic, who has done extensive SSL research. The comparison against the SSL Pulse data showed that about 49 percent of servers remain vulnerable, while 14 percent are exploitable.
“I’d say they’re decent,” Ristic said of the results. “The patching rate is not as good as with Heartbleed, but Heartbleed was much worse in terms of impact, and it was very well covered.”
The scan revealed that about 36 percent of servers are running older versions of OpenSSL that are not exploitable. Those servers, too, won’t likely be patched with any urgency, Ristic said. Based on the presence of the Heartbleed extension, Ristic estimates that 24 percent of servers are running vulnerable versions of OpenSSL, meaning that about 38 percent were patched in the first week.
The flaw surfaced publicly on June 5, though experts said it’s likely been in the OpenSSL codebase since Day 1 in 1998. The bug enables an attacker to remotely exploit clients or servers running vulnerable versions of OpenSSL to intercept and decrypt traffic. An attacker would have to be in a man-in-the-middle position to do so, and the bug can only be exploited when both the client and the server are running vulnerable versions.
“That just reduces the number of exploitable systems. But I’d say that the attack surface is still pretty big. There’s probably lots of backend stuff using OpenSSL accessing APIs and such,” Ristic said of the mitigating factors. “One decrypted connection means the password is compromised.”
Adam Langley of Google published an early analysis of the vulnerability pointing the finger at ChangeCipherSpec messages sent during the TLS handshake.
“This vulnerability allows an active network attacker to inject ChangeCipherSpec (CCS) messages to both sides of a connection and force them to fix their keys before all key material is available,” Ristic said. “Weak keys are negotiated as a result.”
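The rule behind that description can be checked passively: a ChangeCipherSpec record is only legitimate once the handshake has reached the point where both sides hold key material. The following is an added example (not code from Qualys, SSL Labs or OpenSSL) that walks a constructed record sequence and flags any CCS seen before ClientKeyExchange; it models a full TLS handshake only and leaves session resumption and renegotiation out of scope.

```python
# Added example: flag ChangeCipherSpec records that arrive before the
# handshake has produced key material. Models a full (non-resumed) TLS
# handshake only; session resumption and renegotiation are out of scope.
from typing import List, Optional, Tuple

# TLS record content types and handshake message types (RFC 5246).
CCS, HANDSHAKE = 20, 22
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11
SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 12, 14
CLIENT_KEY_EXCHANGE, FINISHED = 16, 20

# One observed record: (sender, content_type, handshake_type or None).
Record = Tuple[str, int, Optional[int]]

def find_early_ccs(records: List[Record]) -> List[int]:
    """Return indexes of CCS records seen before ClientKeyExchange.

    Key material exists on both sides only after the client has sent
    ClientKeyExchange, so a CCS observed before that point is one a
    vulnerable peer would act on with an empty master secret.
    """
    key_exchange_done = False
    early = []
    for i, (_sender, ctype, htype) in enumerate(records):
        if ctype == HANDSHAKE and htype == CLIENT_KEY_EXCHANGE:
            key_exchange_done = True
        elif ctype == CCS and not key_exchange_done:
            early.append(i)
    return early

# Constructed transcripts (not captured traffic).
NORMAL = [
    ("client", HANDSHAKE, CLIENT_HELLO),
    ("server", HANDSHAKE, SERVER_HELLO),
    ("server", HANDSHAKE, CERTIFICATE),
    ("server", HANDSHAKE, SERVER_KEY_EXCHANGE),
    ("server", HANDSHAKE, SERVER_HELLO_DONE),
    ("client", HANDSHAKE, CLIENT_KEY_EXCHANGE),
    ("client", CCS, None),
    ("client", HANDSHAKE, FINISHED),
    ("server", CCS, None),
    ("server", HANDSHAKE, FINISHED),
]
# Same handshake with a CCS injected toward each side after ServerHello.
INJECTED = NORMAL[:2] + [("client", CCS, None), ("server", CCS, None)] + NORMAL[2:]

if __name__ == "__main__":
    print("normal:", find_early_ccs(NORMAL))      # []
    print("injected:", find_early_ccs(INJECTED))  # [2, 3]
```

The same ordering rule, enforced inside the TLS state machine rather than by an observer, is what a patched implementation applies when it refuses a CCS that arrives before the key exchange has completed.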