Reset Search
 

 

Article

KB29483 - Tools checking for vulnerability to CVE-2014-0224 show false positives on 7.2, 7.3

« Go Back

Information

 
Last Modified Date8/1/2015 7:45 PM
Synopsis

Why do we list these versions as not vulnerable; but security scans flag them as vulnerable?

Problem or Goal
SA40006 - Details on fixes for SSL/TLS MITM vulnerability (CVE-2014-0224) lists PCS 7.2 and 7.3 as not vulnerable to  SSL/TLS MITM vulnerability CVE-2014-0224; but a scan by security software flags 7.2Rx and / or 7.3Rx as vulnerable.
Cause
A wave of tools have been developed that will test for vulnerability to CVE-2014-0224 by changing the cipher specification before the initial TCP handshake is finished. If this is rejected, the tools list the PCS as safe. If not, it is listed as vulnerable.
Solution
The attack (for CVE-2014-0224) can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1.

7.2 and 7.3 are using OpenSSL based on versions earlier than 1.0.1 so the vulnerability of changing the cipher spec will not be exploitable on the server side. The tools used to check for this are checking for the kind of patch that was used to resolve the issue in later versions. Since 7.2 and 7.3 are not patched, the tools do not detect the behavior of the patch and list the PCS as vulnerable even though the attack is not possible to exploit. Hence it is a false positive.
Related Links
Attachment 1 
Created ByData Deployment

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255