
The FREAK bug in TLS/SSL


CiscoX

Senior Member
Hi RMerlin

Are you planning to update the OpenSSL in your firmware?

"The bug affects TLS/SSL, the security protocol that puts the S into HTTPS and is responsible for the padlock in your browser's address bar.

The bug is known to exist in OpenSSL's TLS implementation (before version 1.0.1k), in Apple's SecureTransport, and in the Schannel TLS library that is part of Microsoft Windows."

https://nakedsecurity.sophos.com/2015/03/04/the-freak-bug-in-tlsssl-what-you-need-to-know/

I'm already using the latest OpenSSL release, there is nothing for me to update.
 
Merlin's releases starting with 378.50 Beta 1 and my fork release starting with Update-07 both use OpenSSL 1.0.0p...it's covered.

From the CVE database for CVE-2015-0204
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.
 
Thanks RMerlin & john9527 :)
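
An added example (not code from any poster in this thread): a check of an `openssl version` string against the three fixed releases listed in the CVE-2015-0204 text quoted above. The function names and the sample version strings are constructed for illustration; branches the CVE text does not mention are reported as unknown rather than guessed.

```python
import re

# First fixed release per branch, taken from the CVE-2015-0204 text quoted above.
FIXED = {"0.9.8": "zd", "1.0.0": "p", "1.0.1": "k"}

# Matches e.g. "1.0.0p" inside "OpenSSL 1.0.0p 15 Jan 2015".
VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def letter_rank(suffix):
    # OpenSSL patch letters run a..z and then za, zb, ... so a plain string
    # comparison would sort "zd" before "ze" correctly but "y" after "za".
    # Comparing by length first, then alphabetically, gives the right order.
    return (len(suffix), suffix)


def freak_status(version_text):
    """Return 'affected', 'fixed' or 'unknown' for an `openssl version` string."""
    match = VERSION_RE.search(version_text)
    if not match:
        return "unknown"
    branch, suffix = match.groups()
    if branch not in FIXED:
        return "unknown"  # branch not covered by the quoted CVE text
    if letter_rank(suffix) >= letter_rank(FIXED[branch]):
        return "fixed"
    return "affected"


if __name__ == "__main__":
    # Constructed sample strings, not output captured from any device.
    samples = [
        "OpenSSL 1.0.0p 15 Jan 2015",
        "OpenSSL 1.0.1j 15 Oct 2014",
        "OpenSSL 0.9.8za 5 Jun 2014",
        "OpenSSL 0.9.8zd 8 Jan 2015",
    ]
    for line in samples:
        print(f"{line!r}: {freak_status(line)}")
```

The result reflects only the upstream version string; a vendor build that backports the fix without changing the version letter will still be reported as affected.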
 
