We currently have Serv-U version 10.5 on a server. We are unable to get support from Solar Winds, and was referred to this site for assistance.
Has anyone had this vulnerability appear in their security scans? If so, what is the solution? I
This is the information that was forwarded to me, but I am unsure how to test to see if this is in fact a vulnerability for us.
Details:
74326 (1) - OpenSSL 'ChangeCipherSpec' MiTM Vulnerability
Synopsis
The remote host is affected
by a vulnerability that could allow sensitive data to be decrypted.
Description
The OpenSSL service on the
remote host is vulnerable to a man-in-the-middle (MiTM) attack, based on its
response to two consecutive 'ChangeCipherSpec' messages during the incorrect
phase of an SSL/TLS handshake.
This flaw could allow a MiTM attacker to decrypt or
forge SSL messages by telling the service to begin encrypted communications
before key material has been exchanged, which causes predictable keys to be
used to secure future traffic.
Note that Nessus has only tested for an SSL/TLS MiTM
vulnerability (CVE-2014-0224). However, Nessus has inferred that the OpenSSL
service on the remote host is also affected by six additional vulnerabilities
that were disclosed in OpenSSL's June 5th, 2014 security advisory :
- An error exists in the function 'ssl3_read_bytes'
that could allow data to be injected into other sessions
or allow denial of service attacks. Note this issue is only exploitable if
'SSL_MODE_RELEASE_BUFFERS' is enabled. (CVE-2010-5298)
- An error exists related to the implementation of the
Elliptic Curve Digital Signature Algorithm (ECDSA) that could allow nonce
disclosure via the 'FLUSH+RELOAD'
cache side-channel attack. (CVE-2014-0076)
- A buffer overflow error exists related to invalid DTLS
fragment handling that could lead to execution of arbitrary code. Note this
issue only affects OpenSSL when used as a DTLS client or server. (CVE-2014-0195)
- An error exists in the function 'do_ssl3_write' that
could allow a null pointer to be dereferenced leading to denial of service
attacks. Note this issue is exploitable only if 'SSL_MODE_RELEASE_BUFFERS' is
enabled. (CVE-2014-0198)
- An error exists related to DTLS handshake handling
that could lead to denial of service attacks. Note this issue only affects
OpenSSL when used as a DTLS client.
(CVE-2014-0221)
- An unspecified error exists related to anonymous ECDH
ciphersuites that could allow denial of service attacks. Note this issue only
affects OpenSSL TLS clients. (CVE-2014-3470)
OpenSSL did not release individual patches for these
vulnerabilities, instead they were all patched under a single version release.
Note that the service will remain vulnerable after patching until the service
or host is restarted.
See Also
http://www.nessus.org/u?d5709faa |
https://www.imperialviolet.org/2014/06/05/earlyccs.html |
https://www.openssl.org/news/secadv_20140605.txt |
Solution
OpenSSL 0.9.8 SSL/TLS users
(client and/or server) should upgrade to 0.9.8za. OpenSSL 1.0.0 SSL/TLS users
(client and/or server) should upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users
(client and/or server) should upgrade to 1.0.1h.
Risk Factor
High
CVSS Base Score
- 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C) - 8.1 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
STIG Severity
I