Tripwire has released a free Python script that’s designed to help organizations determine if their servers are affected by the recently patched Man-in-the Middle (MitM) vulnerability in OpenSSL.
The ChangeCipherSpec (CCS) injection vulnerability (CVE-2014-0224) is said to have existed for more than 15 years and should be treated seriously. However, the vulnerability is not as dangerous as the Heartbleed bug, as an attacker needs to be able to position himself between the client and the server in order to decrypt or modify traffic.
The OpenSSL CSS inject test script from Tripwire can detect the existence of the OpenSSL security hole on servers running a wide range of configurations.
“It attempts to negotiate using each affected protocol version (SSLv3, TLSv1, TLSv1.1, and TLSv1.2) advertising a comprehensive set of ciphers,” Tripwire’s Craig Young explained in a blog post.
“This script is designed to recognize when an SSL server does not actively reject an early CCS message. This behavior is indicative of whether an OpenSSL library has been patched to enforce the proper message order,” Young noted.
Experts have highlighted the fact that servers running a version of OpenSSL prior to 1.0.1 are unlikely to be exploited, but users should ensure their systems are patched just to be safe.
The OpenSSL CCS Inject Test Script is available for download on Tripwire’s website.