http://arstechnica.com/security/2014/06/still-reeling-from-heartbleed-openssl-suffers-from-crypto-bypass-flaw/ By Dan Goodin Ars Technica June 5, 2014 A researcher has uncovered another severe vulnerability in the OpenSSL cryptographic library. It allows attackers to decrypt and modify Web, e-mail, and virtual private network traffic protected by the transport layer security (TLS) protocol, the Internet’s most widely used method for encrypting traffic traveling between end users and servers. The TLS bypass exploits work only when traffic is sent or received by a server running OpenSSL 1.0.1 and 1.0.2-beta1, maintainers of the open-source library warned in an advisory published Thursday. The advisory went on to say that servers running a version earlier than 1.0.1 should update as a precaution. The vulnerability has existed since the first release of OpenSSL, some 16 years ago. Library updates are available on the front page of the OpenSSL website. People who administer servers running OpenSSL should update as soon as possible. The underlying vulnerability, formally cataloged as CVE-2014-0224, resides in the ChangeCipherSpec processing, according to an overview published Thursday by Lepidum, the software developer that discovered the flaw and reported it privately to OpenSSL. It makes it possible for attackers who can monitor a connection between an end user and server to force weak cryptographic keys on client devices. Attackers can then exploit those keys to decrypt the traffic or even modify the data before sending it to its intended destination. “OpenSSL’s ChangeCipherSpec processing has a serious vulnerability,” the Lepidum advisory stated. “This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt them while forcing SSL clients to use weak keys which are exposed to the malicious nodes. There are risks of tampering with the exploits on contents and authentication information over encrypted communication via web browsing, e-mail and VPN, when the software uses the affected version of OpenSSL.” Client devices are vulnerable no matter what older version of OpenSSL they are running. As stated earlier, servers are vulnerable when running 1.0.1 and 1.0.2-bata1, according to an accompanying OpenSSL advisory. The attacks are possible only when both sides are running a vulnerable OpenSSL version. […]