Finding Description
The application was found to be using a vulnerable version of OpenSSL, making it susceptible to the Change Cipher Spec vulnerability. Affected versions of OpenSSL do not properly restrict the processing of ChangeCipherSpec messages during the SSL/TLS handshake, which allows an active man-in-the-middle attacker to force the use of weak keying material and decrypt or modify traffic. This is also referred to as the "CCS Injection" vulnerability. For additional details, refer to CVE-2014-0224.
Steps to Reproduce
This test checks whether your application is vulnerable to the Change Cipher Spec vulnerability by inspecting the version of the third-party OpenSSL library in use.
Business Impact
The app communicates using an out-of-date OpenSSL version whose TLS handshake is not secure. A malicious actor positioned on the network could remotely read and modify information flowing to and from the app, potentially for multiple users at once.
Remediation Resources
Upgrade your OpenSSL library to a version that addresses this specific vulnerability, such as 1.0.1h, 1.0.0m, or 0.9.8za, which were confirmed to fix it, and verify the bundled OpenSSL version after rebuilding the app.
Risk and Regulatory Information
Severity: high
CVSS: 7.3