Resolving CCS Injection Issue with Open SSL

Resolving the CSS Injection Issue with Open SSL

The OpenSSL CCS Injection is a man-in-the-middle attack where it requires an active attacker. An attacker can potentially read and manipulate traffic that is being passed between a client and server. This is possible if the attacker is able to downgrade an encrypted connection to a predictable key.

Affected Users

The exploit requires that both the client and server are vulnerable to CCS Injection. Any user that has their client updated to the latest OpenSSL or any OpenSSL version that has fixed the issue is not vulnerable. Any user that has an open encrypted connection to a server with the latest OpenSSL or any OpenSSL version that has fixed the issue is not vulnerable.

Severity

Attackers potentially have the ability to read and manipulate encrypted traffic.

Resolution

The versions listed here have been tested to be secure against the OpenSSL CCS Injection vulnerability.

1. Log onto the KRMC Server using administrator credentials
2. Click on one of the links below and download either of the following file versions to the computer with the KRMC Server:

• Win32 OpenSSL v0.9.8za (Recommended)
• Win32 OpenSSL v1.0.1h

3.  Launch the downloaded file.

Note: The installer may warn you that you need to install the Microsoft Visual C++ 2008 4, Redistributables. Select OK

4.  Press Next
5.  Select I accept the agreement
6.  Press Next
7.  Press Next for the destination location
8.  If it tells you the folder already exists, press Yes
9.  Press Next for the Start Menu Folder
10. Press Next for the additional tasks.
11. Press Install
12. Press Finish