|Name||FREAK Vulnerability In OpenSSL|
|First Publish Date||04-Mar-15|
|Date of Current Status||28-Apr-15|
|Next Planned Update||28-May-15|
|Description||A vulnerability in the OpenSSL library for SSL/TLS has been reported. It can allow an attacker to execute a man-in-the-middle attack against vulnerable systems that support older key exchange methods. This vulnerability is called FREAK for “Factoring attack on RSA-EXPORT Keys”.|
|What You Need To Know?||
The FREAK vulnerability carries the designation of CVE-2015-0204 and is rated Medium. It takes advantage of support for old secret key exchange methods that were put in place to meet 1990s export laws. These methods are no longer recommended for use, but some SSL/TLS implementations may still support them.
Please note that it can take anywhere from hours to days for an attacker to break the keys used depending on how much computing power they have available. Once broken, the key can be used to mount a man-in-the-middle attack where server keys are reused.
|What is Xerox Doing About This?||Xerox is continuing to monitor the situation and has completed an investigation of its devices. Patches for some affected devices will be made available as part of our regular SPAR release cycle. Xerox will publish information on affected devices and patch availability as it becomes available.|
|Impact||Exploiting this vulnerability requires a vulnerable client and a vulnerable server, a server that reuses keys, a dedicated attacker and access to computing resources to break the key. Attacks are most likely to occur in places with public network access such as airports or shops that provide WiFi hotspots. Patching clients and servers is recommended when patches are available.|
|What Should You Do?||If your Xerox device supports FIPS mode, enabling FIPS mode prevents the obsolete key exchange methods from being used. Check the appropriate documentation for your device for more information on FIPS mode.|
This vulnerability also affects Apple mobile and desktop systems, Google’s Android mobile systems and Microsoft Windows. Users of these systems should install the appropriate patches. Patching either the client or server will be sufficient to prevent this from being exploited.
Please check back here for additional information.