We just went through a major Heartbleed situation and here were are again with another bug, called the CCS Bug. This bug is similar to the Heartbleed bug in that it too originates in OpenSSL.
How was it discovered?
The accidental discovery of a decade old bug was made by Japanese security researcher Masashi Kikuchi of Lepidum who found this bug while working on TLS implementation.
What is the CCS Bug?
OpenSSL’s ChangeCipherSpec aka CCS Injection Vulnerability, allows attackers who are eavesdropping on a network via web browsing, E Mail and VPN to ciphon off encrypted data during the “handshake” that is used for developing secure connections. When the keys are exchanged between the server and the client, the attacker can potentially exploit the bug and sniff out your private keys, rendering your whole server-client communication unsecure.
The bug causes tampering with and exploits on contents and authentication information over encrypted communication .
In the words of Lipidum:
“Attackers can eavesdrop and make falsifications on your communication when both of a server and a client are vulnerable, and the OpenSSL version of the server is 1.0.1 or higher. Attackers can hijack the authenticated session, if the server is vulnerable (even if the client is not vulnerable).”
Am I affected? Will an exploitation of this Bug leave traces?
It affects all the encryption algorithms. If an attacker exploits this bug, no traces of intrusion will be detected, so we don’t know how many times this bug has been exploited in the decade it has existed.
The affected versions are::
- OpenSSL 1.0.1 through 1.0.1g
- OpenSSL 1.0.0 through 1.0.0l
- all versions before OpenSSL 0.9.8y
The root cause is related to Open SSL implementation
Further Reading: Lepidum