|Name||FREAK Vulnerability In OpenSSL|
|First Publish Date||04-Mar-15|
|Description||A vulnerability in the OpenSSL library for SSL/TLS has been reported. It can allow an attacker to execute a man-in-the-middle attack against vulnerable systems that support older key exchange methods. This vulnerability is called FREAK for “Factoring attack on RSA-EXPORT Keys”.|
|Status Report Number||Second Status Report published 06-Mar-15|
|What You Need To Know?||
The FREAK vulnerability carries the designation of CVE-2015-0204 and is rated Medium. It takes advantage of support of old secret key exchange methods that were put in place to meet 1990s export laws. These methods are no longer recommended for use but some SSL/TLS implementations may still support them.
Please note that it can take anywhere from hours to days for an attacker to break the keys used depending on how much computing power they have available. Once broken, the key can be used to mount a man-in-the-middle attack where keys are reused.
|What is Xerox Doing About This?||Xerox is continuing to monitor the situation and is conducting an investigation of its devices and servers. More information will be posted as soon as it is available.|
|Potential Impact||Exploiting this vulnerability requires both a vulnerable client and server along with a server that reuses keys, a dedicated attacker and access to computing resources to break the key. Attacks are most likely to occur in places with public network access such as airports or shops that provide WiFi hotspots. Patching clients and servers is recommended when patches are available.|
|What Should You Do?||If your Xerox device supports FIPS mode, enabling FIPS mode prevents the obsolete key exchange methods from being used. Check the appropriate documentation for your device for more information on FIPS mode.|
This vulnerability also affects Apple mobile and desktop systems, Google’s Android mobile systems and Microsoft Windows. Users of these systems should install the appropriate patches when they are available. Patching either the client or server will be sufficient to prevent this from being exploited.
Please check back here for additional information.