#VU62767 Man-in-the-Middle (MitM) attack in OpenSSL - CVE-2022-1434

 


Published: May 3, 2022 / Updated: February 22, 2023


Vulnerability identifier: #VU62767
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-1434
CWE-ID: CWE-300
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: OpenSSL
Software vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.

The vulnerability exists in the OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite due to incorrect use of the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker can perform a man-in-the-middle (MitM) attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data still passes the MAC integrity check.
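
A defender-side check for the condition described above, as an added example that is not part of the original advisory: it tests whether the OpenSSL linked into the running Python interpreter is in the 3.0 series and can be told to negotiate RC4-MD5. The function names and finding labels are this example's own.

```python
import ssl

SUITE = "RC4-MD5"  # OpenSSL name of the ciphersuite named in the advisory


def in_advisory_series(version_info):
    """True when the linked library reports an OpenSSL 3.0.x version."""
    return tuple(version_info[:2]) == (3, 0)


def suite_selectable(suite=SUITE):
    """True when this runtime's TLS library can be configured to offer `suite`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(suite)  # raises SSLError when no cipher matches
    except ssl.SSLError:
        return False
    # Confirm by name: TLS 1.3 suites stay listed regardless of the cipher string.
    return any(c["name"] == suite for c in ctx.get_ciphers())


def suite_in_default_context(suite=SUITE):
    """True when ssl.create_default_context() already offers `suite`."""
    ctx = ssl.create_default_context()
    return any(c["name"] == suite for c in ctx.get_ciphers())


def assess(version_info, selectable, in_default):
    """Map the three observations to a finding label (labels are illustrative)."""
    if not selectable:
        return "not-exposed"           # this build cannot negotiate the suite
    if not in_advisory_series(version_info):
        return "weak-suite-available"  # outside the advisory's 3.0 scope
    return "exposed-by-default" if in_default else "exposed-if-enabled"


def audit_runtime():
    """Run the checks against the interpreter's own OpenSSL."""
    finding = assess(ssl.OPENSSL_VERSION_INFO,
                     suite_selectable(), suite_in_default_context())
    return ssl.OPENSSL_VERSION, finding


if __name__ == "__main__":
    version, finding = audit_runtime()
    print(f"{version}: {SUITE} -> {finding}")
```

The result describes only the OpenSSL build that Python is linked against; other applications on the host may load a different library or cipher configuration and need their own check.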


Remediation

Install updates from vendor's website.
