#VU2950 Man-in-the-Middle attack in OpenSSL - CVE-2014-0224


| Updated: 2018-09-14

Vulnerability identifier: #VU2950

Vulnerability risk: Medium

CVSSv4.0: 9.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Green]

CVE-ID: CVE-2014-0224

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description
The vulnerability allows a remote attacker to decrypt encrypted connections.

The vulnerability exists due to an error in OpenSSL. A remote attacker with ability to intercept network traffic can decrypt SSL connection and gain access to sensitive data.

Mitigation
Update to version 0.9.8za, 1.0.0m or 1.0.1h.

Vulnerable software versions

OpenSSL: 0.9.8z - 0.9.8p, 1.0.0c - 1.0.0, 1.0.1g - 1.0.1

External links
https://www.openssl.org/news/secadv/20140605.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.


Latest bulletins with this vulnerability


Man-in-the-Middle attack in IBM XIV Gen3 Storage System
Man-in-the-Middle attack in HP Executive Scorecard
Man-in-the-Middle attack in HP Integrity SD2 CB900s i2 and i4
Multiple vulnerabilities in HP OneView
Multiple vulnerabilities in IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems
Multiple vulnerabilities in IBM FlashSystem 840
Man-in-the-Middle attack in IBM XIV Gen2
Ubuntu update for OpenSSL
Ubuntu update for OpenSSL
Ubuntu update for OpenSSL