Alkajak
Thread author
A scan of the Alexa Top 10,000 sites by High-Tech Bridge Security revealed that despite the critical alert the OpenSSL project put out regarding this month's security update, many companies have still not patched their servers and remain vulnerable to dangerous HTTPS MitM (Man-in-the-Middle) attacks.
For the past year, the OpenSSL project has really stepped up its game in terms of security fixes, issuing new versions with hardened security on a monthly basis.
While most of the bugs are medium priority, once in a while, the project also puts out critical and high severity issues, which any system administrator should have the common sense to apply as soon as they're available for download.
Latest OpenSSL flaw allows HTTPS MitM attacks
The latest OpenSSL bug, CVE-2016-2107, patched at the start of the month of May 2016, is a Padding Oracle attack that affects only encrypted traffic that uses AES CBC ciphers, and when the server counterpart supports AES-NI (Advanced Encryption Standard New Instructions).
If these conditions are met, the attacker can launch a Web exploit and interpose himself between the server and the client, in a classic MitM attack that allows him to sniff HTTPS traffic and extract its content.
Because the AES-CBC cipher is considered the strongest cipher available for TLS 1.0, TLS 1.1, and also recommended by NIST guidelines and required by the TLS 1.2 RFC, the chances are that a huge chunk of HTTPS traffic is exposed to the CVE-2016-2108 vulnerability.
37.42% have not applied the latest OpenSSL patch.
Full Article: Companies Are Slow to Patch Latest OpenSSL Flaw