SSL Pulse: 49% vulnerable to CVE-2014-0224, 14% exploitable

Last week (on June 5th), OpenSSL published an
advisory
detailing a number of serious problems. The
CVE-2014-0224 vulnerability will be the most problematic for most
deployments because it
can be exploited via an active network (man in the middle) attack.

This vulnerability allows an active network attacker to inject
ChangeCipherSpec (CCS) messages to both sides of a connection and force them
to fix their keys before all key material is available. Weak keys are
negotiated as a result. If you’re interested in the details, Adam Langley
published a good technical
analysis
.

Although virtually all versions of OpenSSL are vulnerable, this problem
is exploitable only if (1) both sides use OpenSSL and (2) the server uses
a vulnerable version of OpenSSL from the 1.0.1 branch.

The good news is that most browsers don’t rely on OpenSSL, which means
that most browser users won’t be affected. However, Android browsers do use
OpenSSL and are vulnerable to this attack. Additionally, many command-line
and similar programmatic tools use OpenSSL. A particularly interesting
target will be various VPN products, provided they are based on OpenSSL
(like, for example, OpenVPN).

Over at SSL Labs, we’ve been testing a remote check for CVE-2014-0224
since Friday. Satisfied that the test is identifying vulnerable hosts
correctly, yesterday we ran a scan against the SSL Pulse dataset. The
results are that about 49% servers are vulnerable. About 14% (of
the total number) are exploitable
because they’re running a newer version of OpenSSL. The rest are
probably not exploitable, but should be upgraded because it’s
possible that there are other ways to exploit this problem.

If you’d like to test your servers, the latest version of SSL
Labs
incorporates a check for CVE-2014-0224.