OpenSSL Hole Fixed in Android Update

Monday, June 23, 2014 @ 04:06 PM gHale


The fix is in for the latest security flaw in OpenSSL on Android with the fresh release of the 4.4.4 KitKat (KTU84P) update, which will roll out to Nexus devices.

The fix focuses mostly on addressing the OpenSSL ChangeCipherSpec (CCS) Injection vulnerability in the crypto library, identified as CVE-2014-0224, said Sascha Prüter, engineering program manager at Android.

RELATED STORIES
Android ASLR Weakness Found
Linux Vulnerability could Hit Androids
Java to Android Ransomware Rescue
New Exploit Kit Delivering Ransomware

The update fixed other security-related flaws, although not as severe as this one, as the changelog for KTU84P shows. The log lists CTS (Compatibility Test Suite) for the CCS flaw and a fix of a concurrency bug in OpenSSLHeartbleedTest; no reference to Towelroot.

CVE-2014-0224 released at the beginning of June which could allow an attacker to force the negotiation of weak encryption keys between a client and a server by using a man-in-the-middle attack. Both systems have to be vulnerable for the exploitation to be successful.

A test scan run by Qualys last week showed almost half of the verified servers were vulnerable to this weakness and 14 percent of them were exploitable.

The current patch can end up over Android 4.4.3 KitKat on Nexus 4, Nexus 5, Nexus 7 (2013), and Nexus 10 devices. Factory images are already available for those who do not want to wait for the OTA update.



Leave a Reply

You must be logged in to post a comment.