Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2014-0224

Description

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

POC

Reference

- http://seclists.org/fulldisclosure/2014/Dec/23

- http://www-01.ibm.com/support/docview.wss?uid=isg400001841

- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095755

- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095756

- http://www.ibm.com/support/docview.wss?uid=swg21676356

- http://www.kb.cert.org/vuls/id/978508

- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

- http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

- http://www.tenable.com/blog/nessus-527-and-pvs-403-are-available-for-download

- http://www.vmware.com/security/advisories/VMSA-2014-0006.html

- http://www.vmware.com/security/advisories/VMSA-2014-0012.html

- https://access.redhat.com/site/blogs/766093/posts/908133

- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05301946

- https://kc.mcafee.com/corporate/index?page=content&id=SB10075

Github

- https://github.com/00xNetrunner/Shodan_Cheet-Sheet

- https://github.com/0nopnop/qualysparser

- https://github.com/1N3/MassBleed

- https://github.com/84KaliPleXon3/a2sv

- https://github.com/AKApul/03-sysadmin-09-security

- https://github.com/ARPSyndicate/cvemon

- https://github.com/AidanBurkeCyb/Network-Vulnerability-Assessment-with-Nmap

- https://github.com/Appyhigh/android-best-practices

- https://github.com/Artem-Salnikov/devops-netology

- https://github.com/Artem-Tvr/sysadmin-09-security

- https://github.com/BSolarV/cvedetails-summary

- https://github.com/CertifiedCEH/DB

- https://github.com/DButter/whitehat_public

- https://github.com/DeepKariaX/CipherAsh-SSL-Scanner

- https://github.com/Dom-Techblue/Relatorio_pentest

- https://github.com/EvgeniyaBalanyuk/attacks

- https://github.com/F4RM0X/script_a2sv

- https://github.com/H4CK3RT3CH/a2sv

- https://github.com/Justic-D/Dev_net_home_1

- https://github.com/Kapotov/3.9.1

- https://github.com/KirthiNadesn/Penetration_Testing_Metasploitable2

- https://github.com/MrE-Fog/a2sv

- https://github.com/Mre11i0t/a2sv

- https://github.com/NikolayAntipov/DB_13-01

- https://github.com/PS-RANASINGHE/Crypto-Ex---7

- https://github.com/PotterXma/linux-deployment-standard

- https://github.com/RClueX/Hackerone-Reports

- https://github.com/SSLyze410-SSLGrader-wCipherSuite-info/ssl-grader

- https://github.com/SSLyze410-SSLGrader-wCipherSuite-info/ssl-wrapping-grader

- https://github.com/Samaritin/OSINT

- https://github.com/TheRipperJhon/a2sv

- https://github.com/Tripwire/OpenSSL-CCS-Inject-Test

- https://github.com/Vainoord/devops-netology

- https://github.com/Valdem88/dev-17_ib-yakovlev_vs

- https://github.com/Vamsi212/Internship-Task1

- https://github.com/Vladislav-Pugachev/netology-DevOps-dz_-14

- https://github.com/Wanderwille/13.01

- https://github.com/WiktorMysz/devops-netology

- https://github.com/alexandrburyakov/Rep2

- https://github.com/alexgro1982/devops-netology

- https://github.com/anthophilee/A2SV--SSL-VUL-Scan

- https://github.com/arthepsy/cve-tests

- https://github.com/bysart/devops-netology

- https://github.com/capacitor-community/android-security-provider

- https://github.com/chihyeonwon/OpenSSL_DTLS_CVE_2014_0221

- https://github.com/chnzzh/OpenSSL-CVE-lib

- https://github.com/cipher0411/Penetration-Test-Report-The-BodgeIt-Store-Web-Application

- https://github.com/clic-kbait/A2SV--SSL-VUL-Scan

- https://github.com/clino-mania/A2SV--SSL-VUL-Scan

- https://github.com/coldorb0/SSL-Scanner

- https://github.com/cyberdeception/deepdig

- https://github.com/darksagae/sslyze

- https://github.com/dmitrii1312/03-sysadmin-09

- https://github.com/droptables/ccs-eval

- https://github.com/dtarnawsky/capacitor-plugin-security-provider

- https://github.com/epicpewpew/qualysparser

- https://github.com/fireorb/SSL-Scanner

- https://github.com/fireorb/sslscanner

- https://github.com/geon071/netolofy_12

- https://github.com/giusepperuggiero96/Network-Security-2021

- https://github.com/hahwul/a2sv

- https://github.com/hibahmad30/NmapAnalysis

- https://github.com/hrbrmstr/internetdb

- https://github.com/iSECPartners/ccs-testing-tool

- https://github.com/ilya-starchikov/devops-netology

- https://github.com/imhunterand/hackerone-publicy-disclosed

- https://github.com/iph0n3/CVE-2014-0224

- https://github.com/kernelfucker/sslv

- https://github.com/korotkov-dmitry/03-sysadmin-09-security

- https://github.com/krabelize/openbsd-httpd-tls-perfect-ssllabs-score

- https://github.com/lithekevin/Threat-TLS

- https://github.com/malavathpradeepkumar/task_01

- https://github.com/mr-won/OpenSSL_DTLS_CVE_2014_0221

- https://github.com/nidhi7598/OPENSSL_1.0.1g_CVE-2014-0224

- https://github.com/niharika2810/android-development-best-practices

- https://github.com/nikolay480/devops-netology

- https://github.com/nkiselyov/devops-netology

- https://github.com/odolezal/D-Link-DIR-655

- https://github.com/pashicop/3.9_1

- https://github.com/r3p3r/1N3-MassBleed

- https://github.com/secretnonempty/CVE-2014-0224

- https://github.com/ssllabs/openssl-ccs-cve-2014-0224

- https://github.com/stanmay77/security

- https://github.com/takuzoo3868/laputa

- https://github.com/tpdlshdmlrkfmcla/OpenSSL_DTLS_CVE_2014_0221

- https://github.com/user20252228/OpenSSL_DTLS_CVE_2014_0221

- https://github.com/vitaliivakhr/NETOLOGY

- https://github.com/vshaliii/Hacklab-Vulnix

- https://github.com/waseemasmaeel/A2sv_Tools

- https://github.com/yellownine/netology-DevOps

- https://github.com/yurkao/python-ssl-deprecated