The OpenSSL ChangeCipherSpec (CCS) injection attack is a major vulnerability through which an attacker can perform a man-in-the-middle attack to sniff encrypted data between the server and its clients. The attacker can decrypt the sniffed data, and so leak sensitive information about the server, because the CCS injection forces the victim application to use weak encryption keys for the communication.

The ChangeCipherSpec protocol is used to change the encryption in use between the server and the client. It is commonly used as part of the handshake to switch to symmetric key encryption. The CCS protocol is a single message that tells the peer that the sender wants to change to a new set of keys, which are then created from information exchanged by the handshake protocol.

Many web applications do not properly restrict processing of ChangeCipherSpec messages. This negligence might allow man-in-the-middle attackers to trigger a CCS injection using a zero-length master key in vulnerable OpenSSL-to-OpenSSL communication and, consequently, hijack sessions or obtain sensitive information.
The impact of this vulnerability includes:-
Beagle recommends the following:-
OpenSSL 1.0.1 DTLS should be upgraded to 1.0.1h.
OpenSSL 1.0.0 DTLS should be upgraded to 1.0.0m.
OpenSSL 0.9.8 DTLS should be upgraded to 0.9.8za.
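One way to check an inventory of `openssl version` banners against the fixed releases listed above. This is an added example, not Beagle's or OpenSSL's code; the host names and banners are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed release per branch, taken from the recommendations on this page.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

# Matches the version in `openssl version` output, e.g. "OpenSSL 1.0.1e-fips".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def patch_rank(letters):
    """Order OpenSSL patch letters: '' < a < ... < z < za < zb ..."""
    return (len(letters), letters)


def ccs_status(banner):
    """Classify a banner as 'vulnerable', 'fixed' or 'unknown'.

    'unknown' covers unparsable banners and branches the page does not list.
    Caveat: distributions often backport fixes without changing the upstream
    letter, so confirm a 'vulnerable' result against the package changelog.
    """
    match = _VERSION_RE.search(banner)
    if not match:
        return "unknown"
    branch, letters = match.groups()
    if branch not in FIXED:
        return "unknown"
    if patch_rank(letters) < patch_rank(FIXED[branch]):
        return "vulnerable"
    return "fixed"


def audit(inventory):
    """Return the sorted host names whose banner is below the fixed release."""
    return sorted(h for h, b in inventory.items() if ccs_status(b) == "vulnerable")


# Constructed inventory: host name -> output of `openssl version`.
SAMPLE_INVENTORY = {
    "web01.example.test": "OpenSSL 1.0.1f",
    "web02.example.test": "OpenSSL 1.0.1h",
    "legacy.example.test": "OpenSSL 0.9.8y",
    "vpn.example.test": "OpenSSL 0.9.8za",
    "db.example.test": "OpenSSL 1.0.1e-fips",
    "mail.example.test": "OpenSSL 1.0.0m",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host])
```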