Processing of Change Cipher Spec

By
Nash N Sulthan
Published on
19 Jun 2018
1 min read
Vulnerability
SSL

The OpenSSL’s ChangeCipherSpec a.k.a CCS injection attack is a major vulnerability attack through which an attacker can perform a man-in-the-middle attack to sniff encrypted data between the server and the clients. The attacker can decrypt the sniffed data to leak sensitive information about the server. The attacker can decrypt the sniffed data because CCS injection attack forces the victim application to use weak encryption keys to encrypt the communication. The Change cipher spec protocol is used to alter the secret writing sent between the server and the client. The CCS protocol is commonly used as a part of the handshake method to change to cruciate key secret writing. The CCS protocol is a single message that tells the peer that the sender needs to alter a brand new set of keys, that are then created from info changed by the handshake protocol. There are many web applications that do not properly restrict processing of ChangeCipherSpec messages. This negligence might allow a man-in-the-middle attackers to trigger a CCS injection using a zero-length master key in vulnerable OpenSSL-to-OpenSSL communication, and consequently, hijack sessions or obtain sensitive information.

Impact

The impact of this vulnerability include:-

  • A man-in-the-middle attack is most likely possible due to this vulnerability.
  • Information Disclosure: Remote attackers can gain sensitive information from vulnerable systems.

Mitigation / Precaution

Beagle recommends the following:-

  • Not to use a vulnerable version of OpenSSL(affected are versions 1.0.1 and 1.0.2-beta1)
  • Patch OpenSSL version. The patch is available in https://www.openssl.org/.
  • The following OpenSSL versions should be updated:-
    • OpenSSL 1.0.1 DTLS should be upgraded to 1.0.1h.

    • OpenSSL 1.0.0 DTLS should be upgraded to 1.0.0m.

    • OpenSSL 0.9.8 DTLS should be upgraded to 0.9.8za.

  • If the application is built on the following vender’s version of OpenSSL, check the patch in their respective site:-
    • CentOS
    • Debian
    • Gentoo
    • RedHat
    • Ubuntu

Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days