Heartbleed was deemed to be one of the most critical internet vulnerabilities ever when it was uncovered in April. OpenSSL is supposed to protect people's data with digital keys but has been exposed as flawed numerous times in recent months. The latest vulnerability was introduced in 1998 and has been missed by both paid and volunteer developers working on the open-source project for 16 years. Mea
OpenSSL 1.0.1h (and others) were released today with a scary looking security advisory and that's always an event worth looking into. (Hopefully people are practiced at updating OpenSSL now!) Update: the original reporter has a blog post up. Also, I won't, personally, be answering questions about specific Google services. (I cut this blog post together from notes that I'm writing for internal gro
This is Kikuchi. I will describe how the CCS Injection vulnerability (CVE-2014-0224) was discovered. A brief explanation of the bug: The bug is that OpenSSL accepts ChangeCipherSpec in an inappropriate state during the handshake. This bug has existed since the first release of OpenSSL. In a normal handshake, messages are exchanged in the order shown in the figure on the right (created from RFC5246 The Transport Layer Security (TLS) Protocol Version 1.2 §7.3). ChangeCipherSpec is always supposed to occur at this position. OpenSSL also sends ChangeCipherSpec at this point, but it accepted it at other points as well. By exploiting this, an attacker can decrypt and tamper with the communication. The difficulty of discovery
Hello. My name is Masashi Kikuchi. Here is my story of how I found the CCS Injection Vulnerability (CVE-2014-0224). What is the bug? The problem is that OpenSSL accepts ChangeCipherSpec (CCS) inappropriately during a handshake. This bug has existed since the very first release of OpenSSL. In a correct handshake, the client and the server exchange messages in the order depicted in this figure. (See
[Japanese] Last update: Mon, 16 Jun 2014 18:21:23 +0900 CCS Injection Vulnerability Overview OpenSSL's ChangeCipherSpec processing has a serious vulnerability. This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt them while forcing SSL clients to use weak keys which are exposed to the malicious nodes. Because both of servers and clients are affected by thi
[English] Last update: Mon, 16 Jun 2014 18:21:23 +0900 CCS Injection Vulnerability Overview A flaw has been found in OpenSSL's processing of ChangeCipherSpec messages. If this vulnerability is exploited, information in encrypted communications may be leaked. Both servers and clients are affected, so a prompt response is required. The attack method is sufficiently reproducible, and we consider it very likely to be used in targeted attacks and the like. Countermeasures Updates are expected to be released by each vendor, and installing them addresses the issue. (Updated as needed) Ubuntu Debian FreeBSD CentOS Red Hat 5 Red Hat 6 Amazon Linux AMI Cause In OpenSSL's processing of ChangeCipherSpec messages, found