Thursday, March 5, 2015

CVE-2015-0204 - "FREAK" Openssl vulnerability

OpenSSL clients accepted EXPORT-grade (insecure) keys even when the client had not initially asked for them. This could be exploited using a man-in-the-middle attack, which would intercept the client's initial request for a standard key and ask the server for an EXPORT-grade key. The client would then accept the weak key, allowing the attacker to factor it and decrypt communication between the client and the server.

links:-
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
https://access.redhat.com/articles/1369543

Amazon as released security bulletin that explains how to mitigate the issue in ELB load balancer if ELB is the SSL termination point


First check the openssl version installed on the OS by checking the changelog for a fix, e.g.

$sudo rpm -qa openssl --changelog |grep CVE-2015-0204
- fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export

and check if your ELB is using the default ELB security policy called "ELBSecurityPolicy-2015-02". This will disable the below two ciphers:-


ECDHE-RSA-RC4-SHA
RC4-SHA

No comments:

Post a Comment