Critical OpenSSL Vulnerability CVE-2016-2107 Affects AES CBC and AES-NI Servers
A critical vulnerability in OpenSSL, identified as CVE-2016-2107, has been brought to light. The flaw can be exploited by a man-in-the-middle (MITM) attacker using a padding oracle attack, and it affects connections that utilise the AES CBC cipher and servers supporting AES-NI. The discovery has led to an update in criteria and a change in grading standards for vulnerable servers.
The vulnerability, discovered by Filippo Valsorda, allows an attacker to decrypt traffic by exploiting a weakness in the padding process. This issue is particularly concerning as it affects a widely used encryption method, AES CBC, and servers equipped with AES-NI, a set of instructions designed to speed up AES operations.
Previously, servers vulnerable to this attack were graded up to a C. In response to the severity of the issue, the grading criteria have been updated: from June 6, 2016, onward, any server found to be vulnerable will receive an F grade, reflecting the critical nature of the flaw. The change is published as version 2009m of the grading criteria.
The OpenSSL vulnerability CVE-2016-2107 poses a significant risk to servers using the AES CBC cipher and supporting AES-NI. With the grading criteria updated and the grading standards tightened, it is crucial for server administrators to address this issue promptly to maintain the security and integrity of their systems.