The CCS Bug has been Discovered, but it had been present for over a Decade(!)

We just went through a major Heartbleed situation and here we are again with another bug, called the CCS Bug. This bug is similar to the Heartbleed bug in that it too originates in OpenSSL.

How was it discovered?

The accidental discovery of this decade-old bug was made by Japanese security researcher Masashi Kikuchi of Lepidum, who found it while working on a TLS implementation.

What is the CCS Bug?

OpenSSL’s ChangeCipherSpec (CCS) Injection Vulnerability allows attackers who are eavesdropping on a network carrying web browsing, email and VPN traffic to siphon off encrypted data during the “handshake” that is used to set up secure connections. When the keys are exchanged between the server and the client, the attacker can potentially exploit the bug and sniff out your private keys, rendering your whole server-client communication insecure.

The bug allows tampering with, and exploitation of, contents and authentication information sent over encrypted communication.

In the words of Lepidum:

“Attackers can eavesdrop and make falsifications on your communication when both of a server and a client are vulnerable, and the OpenSSL version of the server is 1.0.1 or higher. Attackers can hijack the authenticated session, if the server is vulnerable (even if the client is not vulnerable).”

Am I affected? Will an exploitation of this Bug leave traces?

It affects all the encryption algorithms. If an attacker exploits this bug, no traces of intrusion will be detected, so we don’t know how many times this bug has been exploited in the decade it has existed.

The affected versions are:

  • OpenSSL 1.0.1 through 1.0.1g
  • OpenSSL 1.0.0 through 1.0.0l
  • all versions before OpenSSL 0.9.8y

The root cause is related to the OpenSSL implementation.

The good news is that the major Linux distributions such as Ubuntu, Debian, FreeBSD, CentOS, Red Hat 5 and Red Hat 6 have provided fixes, so update as fast as you can.
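To triage which hosts need that update, the affected-version list above can be turned into a check over collected OpenSSL version banners. This is an added example, not code from Lepidum or OpenSSL; the function names, hostnames and sample banners are invented for illustration, and the ranges are exactly the ones listed on this page.

```python
import re

# Ranges exactly as listed on this page (upstream version strings).
LAST_AFFECTED = {(1, 0, 1): "g", (1, 0, 0): "l"}  # 1.0.1..1.0.1g, 1.0.0..1.0.0l
OLD_BRANCH_CUTOFF = "0.9.8y"  # "all versions before OpenSSL 0.9.8y"
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def version_key(text):
    """Turn '1.0.1e-fips' or 'OpenSSL 0.9.8za 5 Jun 2014' into a sortable key."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError("no OpenSSL-style version in %r" % text)
    letters = m.group(4)
    # Patch letters run a..z, then za, zb, ...; sorting on (length, letters)
    # keeps '' < 'g' < 'y' < 'z' < 'za'.
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), len(letters), letters)

def is_listed_affected(text):
    """True if the version falls in one of the ranges listed on the page."""
    key = version_key(text)
    branch = key[:3]
    if branch in LAST_AFFECTED:
        last = LAST_AFFECTED[branch]
        return key <= branch + (len(last), last)
    return key < version_key(OLD_BRANCH_CUTOFF)

def audit(inventory):
    """Map host -> 'listed-affected' / 'not-listed' / 'unparsed'."""
    # A 'listed-affected' hit on a distribution package means "check the vendor
    # advisory": distributions backport fixes without changing this string.
    report = {}
    for host, banner in inventory.items():
        try:
            report[host] = "listed-affected" if is_listed_affected(banner) else "not-listed"
        except ValueError:
            report[host] = "unparsed"
    return report

# Constructed sample inventory (hostnames and banners invented for the example).
SAMPLE = {
    "web01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web02": "OpenSSL 1.0.1h 5 Jun 2014",
    "vpn01": "OpenSSL 0.9.8x 10 May 2012",
    "old01": "OpenSSL 0.9.8za 5 Jun 2014",
    "misc": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(host, status)
```

Banners can be collected with `openssl version` on each host; statically linked copies of OpenSSL inside applications will not show up this way and need their own inventory.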

Further Reading: Lepidum

