Available Exploits 

• OpenSSL Server-Side ChangeCipherSpec Injection Scanner

Description

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

References

• AMAZON-ALAS-2014-351
• CERT-VN-978508
• CVE-2014-0224
• DISA_SEVERITY-Category I
• DISA_VMSKEY-V0052625
• DISA_VMSKEY-V0052641
• DISA_VMSKEY-V0052893
• DISA_VMSKEY-V0052901
• DISA_VMSKEY-V0052907
• DISA_VMSKEY-V0052909
• DISA_VMSKEY-V0052911
• DISA_VMSKEY-V0053319
• DISA_VMSKEY-V0053501
• DISA_VMSKEY-V0053505
• DISA_VMSKEY-V0053507
• DISA_VMSKEY-V0060737
• IAVM-2014-A-0115
• IAVM-2014-B-0077
• IAVM-2014-B-0079
• IAVM-2014-B-0084
• IAVM-2014-B-0088
• IAVM-2014-B-0089
• IAVM-2014-B-0091
• IAVM-2014-B-0092
• IAVM-2014-B-0097
• IAVM-2014-B-0101
• IAVM-2014-B-0102
• IAVM-2015-A-0113
• REDHAT-RHSA-2014:0624
• REDHAT-RHSA-2014:0626
• REDHAT-RHSA-2014:0627
• REDHAT-RHSA-2014:0630
• REDHAT-RHSA-2014:0631
• REDHAT-RHSA-2014:0632
• REDHAT-RHSA-2014:0633
• REDHAT-RHSA-2014:0680

Solution

Related Vulnerabilities

• RHSA-2014:0679: openssl security update
• VMSA-2014-0006: OpenSSL update for multiple products. (CVE-2014-0224)
• ELSA-2014-1653 Moderate: Oracle Linux openssl security update
• ELSA-2014-0626 Important: Oracle Linux openssl097a and openssl098e security update
• Cisco NX-OS: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products (Multiple CVEs)
• Oracle Solaris 11: CVE-2014-0224: Vulnerability in OpenSSL, WAN Boot
• OS X update for OpenSSL (CVE-2014-0224)
• RHSA-2014:0627: openssl security update
• ELSA-2014-0679 Important: Oracle Linux openssl security update
• FreeBSD: OpenSSL -- multiple vulnerabilities (FreeBSD-SA-14:14.openssl) (Multiple CVEs)
• Juniper Junos OS: SSL/TLS MITM vulnerability (JSA10629) (CVE-2014-0224)
• RHSA-2014:0625: openssl security update
• Sun Patch: SunOS 5.10: wanboot patch
• Alpine Linux: CVE-2014-0224: openssl multiple issues
• DSA-2950-1 openssl -- security update
• HP-UX: CVE-2014-0224: Remote Unauthorized Access or Disclosure of Information
• OS X update for Note: (CVE-2014-0224)
• RHSA-2014:0626: openssl097a and openssl098e security update
• Sun Patch: SunOS 5.10_x86: openssl patch
• VMware Workstation: OpenSSL update for multiple products (VMSA-2014-0006) (CVE-2014-0224)
• Gentoo Linux: CVE-2014-0224: OpenSSL: Multiple vulnerabilities
• Amazon Linux AMI: Security patch for openssl098e (ALAS-2014-350) (CVE-2014-0224)
• RHSA-2014:0629: rhev-hypervisor6 security update
• Cisco SAN-OS: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products (Multiple CVEs)
• ELSA-2014-0625 Important: Oracle Linux openssl security update
• ELSA-2014-3040 Important: Oracle Linux openssl security update
• ELSA-2014-1652 Important: Oracle Linux openssl security update
• ELSA-2014-1053 Moderate: Oracle Linux openssl security update
• IBM AIX: openssl_advisory9 (CVE-2014-0224): Vulnerabilities in OpenSSL affects AIX
• ELSA-2014-0624 Important: Oracle Linux openssl security update
• Sun Patch: SunOS 5.10: openssl patch
• Amazon Linux AMI: Security patch for openssl (ALAS-2014-349) (multiple CVEs)
• VMware Fusion: OpenSSL update for multiple products (VMSA-2014-0006) (CVE-2014-0224)
• RHSA-2014:0624: openssl security update
• USN-2232-1: OpenSSL vulnerabilities
• ELSA-2014-0680 Important: Oracle Linux openssl098e security update
• RHSA-2014:0680: openssl098e security update
• OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224)
• VMware Player: OpenSSL update for multiple products (VMSA-2014-0006) (CVE-2014-0224)
• Cisco IOS: cisco-sa-20140605-openssl: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products
• Sun Patch: SunOS 5.9: wanboot and pkg utilities Patch