Another OpenSSL vulnerability has been detected on Thursday that allows malicious intermediate nodes to intercept encrypted data and decrypt it. This bug is believed to have existed since the first release of OpenSSL.

According to Japanese researcher Masashi Kikuchi or Lepidum, the vulnerability is in OpenSSL’s ChangeCipherSpec processing. It forces SSL clients to use weak keys which are exposed to the malicious nodes.

This bug affects OpenSSL 1.0.1 through 1.0.1g, OpenSSL 1.0.0 through 1.0.0l and all versions before OpenSSL 0.9.8y.

This allow attackers to eavesdrop and make falsification when both the server and client are vulnerable. Attackers will be able to hijack the authenticated session of the client is vulnerable.

Read the rest of the news here: http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html