cve/2014/CVE-2014-0224.md

### [CVE-2014-0224](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

### POC

#### Reference
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://www-01.ibm.com/support/docview.wss?uid=isg400001841
- http://www.kb.cert.org/vuls/id/978508
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
- http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
- http://www.tenable.com/blog/nessus-527-and-pvs-403-are-available-for-download
- http://www.vmware.com/security/advisories/VMSA-2014-0006.html
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html
- https://kc.mcafee.com/corporate/index?page=content&id=SB10075

#### Github
- https://github.com/00xNetrunner/Shodan_Cheet-Sheet
- https://github.com/0nopnop/qualysparser
- https://github.com/1N3/MassBleed
- https://github.com/84KaliPleXon3/a2sv
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Appyhigh/android-best-practices
- https://github.com/Artem-Salnikov/devops-netology
- https://github.com/Artem-Tvr/sysadmin-09-security
- https://github.com/BSolarV/cvedetails-summary
- https://github.com/CertifiedCEH/DB
- https://github.com/DButter/whitehat_public
- https://github.com/F4RM0X/script_a2sv
- https://github.com/H4CK3RT3CH/a2sv
- https://github.com/Justic-D/Dev_net_home_1
- https://github.com/Kapotov/3.9.1
- https://github.com/MrE-Fog/a2sv
- https://github.com/Mre11i0t/a2sv
- https://github.com/NikolayAntipov/DB_13-01
- https://github.com/PotterXma/linux-deployment-standard
- https://github.com/RClueX/Hackerone-Reports
- https://github.com/SSLyze410-SSLGrader-wCipherSuite-info/ssl-grader
- https://github.com/SSLyze410-SSLGrader-wCipherSuite-info/ssl-wrapping-grader
- https://github.com/TheRipperJhon/a2sv
- https://github.com/Tripwire/OpenSSL-CCS-Inject-Test
- https://github.com/Vainoord/devops-netology
- https://github.com/Valdem88/dev-17_ib-yakovlev_vs
- https://github.com/Vladislav-Pugachev/netology-DevOps-dz_-14
- https://github.com/Wanderwille/13.01
- https://github.com/WiktorMysz/devops-netology
- https://github.com/alexandrburyakov/Rep2
- https://github.com/alexgro1982/devops-netology
- https://github.com/anthophilee/A2SV--SSL-VUL-Scan
- https://github.com/arthepsy/cve-tests
- https://github.com/bysart/devops-netology
- https://github.com/capacitor-community/android-security-provider
- https://github.com/chnzzh/OpenSSL-CVE-lib
- https://github.com/clic-kbait/A2SV--SSL-VUL-Scan
- https://github.com/clino-mania/A2SV--SSL-VUL-Scan
- https://github.com/cyberdeception/deepdig
- https://github.com/dmitrii1312/03-sysadmin-09
- https://github.com/droptables/ccs-eval
- https://github.com/dtarnawsky/capacitor-plugin-security-provider
- https://github.com/epicpewpew/qualysparser
- https://github.com/fireorb/SSL-Scanner
- https://github.com/fireorb/sslscanner
- https://github.com/geon071/netolofy_12
- https://github.com/giusepperuggiero96/Network-Security-2021
- https://github.com/hahwul/a2sv
- https://github.com/hrbrmstr/internetdb
- https://github.com/iSECPartners/ccs-testing-tool
- https://github.com/ilya-starchikov/devops-netology
- https://github.com/imhunterand/hackerone-publicy-disclosed
- https://github.com/iph0n3/CVE-2014-0224
- https://github.com/korotkov-dmitry/03-sysadmin-09-security
- https://github.com/krabelize/openbsd-httpd-tls-perfect-ssllabs-score
- https://github.com/nidhi7598/OPENSSL_1.0.1g_CVE-2014-0224
- https://github.com/niharika2810/android-development-best-practices
- https://github.com/nikolay480/devops-netology
- https://github.com/nkiselyov/devops-netology
- https://github.com/odolezal/D-Link-DIR-655
- https://github.com/pashicop/3.9_1
- https://github.com/r3p3r/1N3-MassBleed
- https://github.com/secretnonempty/CVE-2014-0224
- https://github.com/ssllabs/openssl-ccs-cve-2014-0224
- https://github.com/stanmay77/security
- https://github.com/takuzoo3868/laputa
- https://github.com/vitaliivakhr/NETOLOGY
- https://github.com/vshaliii/Hacklab-Vulnix
- https://github.com/yellownine/netology-DevOps
- https://github.com/yurkao/python-ssl-deprecated
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00			`### [CVE-2014-0224](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224)`
			`![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)`

			`### Description`

			`OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.`

			`### POC`

			`#### Reference`
			`- http://seclists.org/fulldisclosure/2014/Dec/23`
			`- http://www-01.ibm.com/support/docview.wss?uid=isg400001841`
			`- http://www.kb.cert.org/vuls/id/978508`
			`- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html`
			`- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html`
			`- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html`
			`- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html`
			`- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html`
			`- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html`
			`- http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html`
			`- http://www.tenable.com/blog/nessus-527-and-pvs-403-are-available-for-download`
			`- http://www.vmware.com/security/advisories/VMSA-2014-0006.html`
			`- http://www.vmware.com/security/advisories/VMSA-2014-0012.html`
			`- https://kc.mcafee.com/corporate/index?page=content&id=SB10075`

			`#### Github`
Update CVE sources 2024-06-07 17:53 2024-06-07 17:53:02 +00:00			`- https://github.com/00xNetrunner/Shodan_Cheet-Sheet`
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00			`- https://github.com/0nopnop/qualysparser`
			`- https://github.com/1N3/MassBleed`
			`- https://github.com/84KaliPleXon3/a2sv`
			`- https://github.com/ARPSyndicate/cvemon`
			`- https://github.com/Appyhigh/android-best-practices`
			`- https://github.com/Artem-Salnikov/devops-netology`
			`- https://github.com/Artem-Tvr/sysadmin-09-security`
			`- https://github.com/BSolarV/cvedetails-summary`
			`- https://github.com/CertifiedCEH/DB`
			`- https://github.com/DButter/whitehat_public`
			`- https://github.com/F4RM0X/script_a2sv`
			`- https://github.com/H4CK3RT3CH/a2sv`
			`- https://github.com/Justic-D/Dev_net_home_1`
			`- https://github.com/Kapotov/3.9.1`
			`- https://github.com/MrE-Fog/a2sv`
			`- https://github.com/Mre11i0t/a2sv`
			`- https://github.com/NikolayAntipov/DB_13-01`
			`- https://github.com/PotterXma/linux-deployment-standard`
			`- https://github.com/RClueX/Hackerone-Reports`
			`- https://github.com/SSLyze410-SSLGrader-wCipherSuite-info/ssl-grader`
			`- https://github.com/SSLyze410-SSLGrader-wCipherSuite-info/ssl-wrapping-grader`
			`- https://github.com/TheRipperJhon/a2sv`
			`- https://github.com/Tripwire/OpenSSL-CCS-Inject-Test`
			`- https://github.com/Vainoord/devops-netology`
			`- https://github.com/Valdem88/dev-17_ib-yakovlev_vs`
			`- https://github.com/Vladislav-Pugachev/netology-DevOps-dz_-14`
			`- https://github.com/Wanderwille/13.01`
			`- https://github.com/WiktorMysz/devops-netology`
			`- https://github.com/alexandrburyakov/Rep2`
			`- https://github.com/alexgro1982/devops-netology`
			`- https://github.com/anthophilee/A2SV--SSL-VUL-Scan`
			`- https://github.com/arthepsy/cve-tests`
			`- https://github.com/bysart/devops-netology`
			`- https://github.com/capacitor-community/android-security-provider`
			`- https://github.com/chnzzh/OpenSSL-CVE-lib`
			`- https://github.com/clic-kbait/A2SV--SSL-VUL-Scan`
			`- https://github.com/clino-mania/A2SV--SSL-VUL-Scan`
			`- https://github.com/cyberdeception/deepdig`
			`- https://github.com/dmitrii1312/03-sysadmin-09`
			`- https://github.com/droptables/ccs-eval`
			`- https://github.com/dtarnawsky/capacitor-plugin-security-provider`
			`- https://github.com/epicpewpew/qualysparser`
			`- https://github.com/fireorb/SSL-Scanner`
			`- https://github.com/fireorb/sslscanner`
			`- https://github.com/geon071/netolofy_12`
			`- https://github.com/giusepperuggiero96/Network-Security-2021`
			`- https://github.com/hahwul/a2sv`
			`- https://github.com/hrbrmstr/internetdb`
			`- https://github.com/iSECPartners/ccs-testing-tool`
			`- https://github.com/ilya-starchikov/devops-netology`
			`- https://github.com/imhunterand/hackerone-publicy-disclosed`
			`- https://github.com/iph0n3/CVE-2014-0224`
			`- https://github.com/korotkov-dmitry/03-sysadmin-09-security`
			`- https://github.com/krabelize/openbsd-httpd-tls-perfect-ssllabs-score`
			`- https://github.com/nidhi7598/OPENSSL_1.0.1g_CVE-2014-0224`
			`- https://github.com/niharika2810/android-development-best-practices`
			`- https://github.com/nikolay480/devops-netology`
			`- https://github.com/nkiselyov/devops-netology`
			`- https://github.com/odolezal/D-Link-DIR-655`
			`- https://github.com/pashicop/3.9_1`
			`- https://github.com/r3p3r/1N3-MassBleed`
			`- https://github.com/secretnonempty/CVE-2014-0224`
			`- https://github.com/ssllabs/openssl-ccs-cve-2014-0224`
			`- https://github.com/stanmay77/security`
			`- https://github.com/takuzoo3868/laputa`
			`- https://github.com/vitaliivakhr/NETOLOGY`
			`- https://github.com/vshaliii/Hacklab-Vulnix`
			`- https://github.com/yellownine/netology-DevOps`
			`- https://github.com/yurkao/python-ssl-deprecated`