tenable:77200 · OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

01 · The Real Story

This is a bank vault flaw that only matters if the robber is already standing in the hallway between both doors

Tenable plugin 77200 is the classic OpenSSL CCS Injection bug, CVE-2014-0224. Affected upstream ranges are OpenSSL 0.9.8a through 0.9.8y, 1.0.0a through 1.0.0l, and 1.0.1a through 1.0.1g, with fixes in 0.9.8za, 1.0.0m, and 1.0.1h. The flaw lets an attacker inject an out-of-order ChangeCipherSpec during the TLS handshake so both sides derive weak, predictable keying material.

Vendor MEDIUM is basically right for enterprise prioritization. The technical impact is ugly—session decryption and modification—but the attack chain is narrow: the attacker must be on path, must be able to modify traffic in real time, and exploitation only works when both endpoints are vulnerable, with server-side exploitability known mainly on the 1.0.1 branch. That combination keeps this out of emergency patch territory unless the asset sits on hostile shared networks or fronts legacy OpenSSL-heavy machine-to-machine traffic.

"Serious crypto break on paper, but real-world exploitability is throttled by a hard MITM prerequisite."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get on path

The attacker first needs a live man-in-the-middle position using tooling like bettercap, Ettercap, or a rogue AP stack such as hostapd-wpe. This is not a drive-by internet exploit; the adversary must actually intercept and relay packets between client and server.

Conditions required:

Attacker can observe and modify traffic between victim client and server
Victim traffic crosses a network segment the attacker controls or can poison

Where this breaks in practice:

WPA-Enterprise, NAC, wired segmentation, DHCP snooping, and dynamic ARP inspection kill many practical MITM paths
Internet-edge exposure alone is not enough without a traffic interception position

Detection/coverage: Network controls can catch ARP spoofing, rogue AP behavior, MAC churn, or gateway impersonation. Vulnerability scanners do not prove this prerequisite.

STEP 02

Find a vulnerable pair

The attacker then needs a client and server combination that both rely on vulnerable OpenSSL behavior. Server-side exploitability was known primarily on OpenSSL 1.0.1/1.0.2-beta1, while clients were broadly affected if they used OpenSSL at all.

Conditions required:

Server uses vulnerable OpenSSL, typically 1.0.1a-g for practical server exploitation
Client stack also uses vulnerable OpenSSL rather than Schannel, Secure Transport, or NSS

Where this breaks in practice:

Most mainstream browsers were not the sweet spot because many did not use OpenSSL
One patched endpoint breaks the chain completely
Old scanner logic can overcall this; nmap's ssl-ccs-injection had historical false-positive discussions

Detection/coverage: Server scanners can detect likely exposure, but client-side dependency visibility is usually weak unless you have EDR, SBOM, or package inventory.

STEP 03

Inject early CCS

Using custom exploit logic derived from Masashi Kikuchi's and Adam Langley's analysis, the attacker injects ChangeCipherSpec messages before key agreement fully completes. OpenSSL accepts the message out of order and both sides end up deriving a weak session state.

Conditions required:

Attacker can rewrite handshake traffic in both directions in real time
TLS session is negotiated fresh rather than already established

Where this breaks in practice:

Timing matters; this is handshake manipulation, not a simple one-packet crash
TLS-terminating proxies or non-OpenSSL endpoints often remove the vulnerable condition

Detection/coverage: Deep protocol anomaly detection may spot malformed or out-of-order handshake behavior, but many environments will only see generic TLS failures or retries.

STEP 04

Read or alter the session

Once the weak session keys are forced, the attacker can decrypt or modify traffic for that connection. The blast radius is the compromised session path, not instant host takeover or wormable code execution.

Conditions required:

The victim continues using the manipulated TLS session
Useful data or transactions traverse that session

Where this breaks in practice:

Impact is session-centric rather than system-compromising
Short-lived or low-value connections reduce attacker payoff

Detection/coverage: Application-layer anomalies, failed integrity checks, or unexpected transaction behavior may surface, but many successful cases will look like normal TLS traffic from the endpoints' perspective.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No solid current exploitation signal in the sources reviewed. I found no direct evidence of modern campaigns, and this CVE does not appear in CISA KEV search results from the public catalog pages reviewed.
Proof-of-concept availability	Publicly analyzed and testable. Masashi Kikuchi documented discovery, Adam Langley published technical analysis, and public scanner/test logic exists via `nmap ssl-ccs-injection` plus older GitHub test repos.
EPSS	High but noisy. Public mirrors of FIRST EPSS place it roughly in the `~0.93-0.97` range with high percentile, which likely reflects age, ubiquity, and public discussion more than today's practical enterprise exploitability.
KEV status	Not listed in KEV in the CISA catalog pages surfaced during review; therefore no federal KEV due date is in play from the sources checked.
CVSS vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N` (`7.4 HIGH`). The important modifier is `AC:H`: the attacker needs precise on-path handshake manipulation, not mere socket reachability.
Affected versions	Upstream affected: `0.9.8a-y`, `1.0.0a-l`, `1.0.1a-g`. OpenSSL noted the attack only works when both client and server are vulnerable, and servers were known vulnerable mainly in `1.0.1` and `1.0.2-beta1`.
Fixed versions	Upstream fixed: `0.9.8za`, `1.0.0m`, `1.0.1h`. Ubuntu backports include examples like `1.0.1f-1ubuntu2.2` for 14.04 LTS and `1.0.1-4ubuntu5.14` for 12.04 LTS, so package release beats upstream string matching.
Scanning and exposure data	Historical, not current: Qualys SSL Pulse reported `49%` vulnerable and `14%` exploitable in June 2014. I did not find credible current GreyNoise/Shodan/Censys telemetry in primary sources, which fits the expectation that this is now mostly a long-tail legacy problem.
Disclosure and researcher	Disclosed: `2014-06-05`. Discovery is attributed to Masashi Kikuchi / Lepidum; OpenSSL and Red Hat both referenced Adam Langley's analysis for attack mechanics.
Detection caveat	Scanner output needs context. Tenable tests for `CVE-2014-0224` directly and infers several sibling June 2014 OpenSSL bugs, while `nmap` has documented historical false-positive tuning issues for `ssl-ccs-injection`.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to MEDIUM (4.9/10)

The single biggest reason this stays MEDIUM is the attacker position requirement: this is only exploitable by an adversary who can already intercept and modify the victim's TLS traffic. That MITM prerequisite, plus the need for both endpoints to be vulnerable, sharply narrows the exposed population compared with a normal edge-reachable network flaw.

HIGH CVE identification as `CVE-2014-0224` for Tenable plugin `77200`

HIGH Affected upstream version ranges and fixed versions

MEDIUM Current real-world exploitation prevalence due limited fresh telemetry

Why this verdict

MITM prerequisite is the whole game: this is not unauthenticated remote code execution and not a direct internet exploit; the attacker must already be in position to intercept and alter traffic.
Both ends must be vulnerable: OpenSSL explicitly states the attack only works when client and server are both exposed, which compounds friction immediately.
Server-side reach is narrower than the banner suggests: practical server exposure was known mainly on the 1.0.1 line, so a vulnerable library string is not the same thing as an easily exploitable service.
Blast radius is session compromise, not host compromise: impact is serious for confidentiality and integrity, but it is limited to the manipulated TLS connection rather than delivering code execution or broad lateral movement by itself.
No KEV or modern campaign evidence in reviewed sources: absent fresh exploitation evidence, there is no reason to override the friction and push this into a higher operational bucket.

Why not higher?

A HIGH or CRITICAL call would require either broad edge exploitability or active exploitation evidence that overcomes the path friction. This bug has neither in the sources reviewed. The required on-path position plus the vulnerable-both-sides condition takes it out of emergency-response territory for most enterprise fleets.

Why not lower?

This is still a real confidentiality and integrity break, not mere hygiene. If you have legacy OpenSSL on both ends of sensitive machine-to-machine traffic, a hostile network segment can turn this into readable and modifiable sessions with no credentials. That is enough to keep it above LOW.

05 · Compensating Control

What to do — in priority order.

Prefer managed TLS termination — Move exposed services behind current reverse proxies, load balancers, or VPN concentrators that terminate TLS with supported crypto stacks. For a MEDIUM finding there is no noisgate mitigation SLA — go straight to the 365-day remediation window, but using modern termination removes the vulnerable OpenSSL handshake logic from the exposed path immediately.
Harden hostile network segments — Reduce practical MITM paths on guest Wi-Fi, branch LANs, shared data-center segments, and east-west enclaves with NAC, WPA-Enterprise, DHCP snooping, DAI, and switch protections. This matters because the exploit dies if attackers cannot get on path; for MEDIUM, implement as part of normal hardening while staying inside the 365-day remediation window.
Retire legacy OpenSSL consumers — Inventory appliances, VPNs, agents, and bundled application runtimes still shipping 0.9.8, 1.0.0, or 1.0.1 era OpenSSL. Prioritize the systems handling authentication, API keys, or admin traffic, and complete replacement or patching within the MEDIUM remediation window.
Validate client-side dependency exposure — Do not stop at the server banner. This attack needs a vulnerable client too, so use EDR, package inventory, container manifests, and SBOMs to find OpenSSL-linked clients and internal tools that actually create exploitable pairs.

What doesn't work

A WAF does not meaningfully help for non-HTTP TLS handshakes and cannot fix broken key derivation inside the TLS stack.
MFA protects accounts, not the confidentiality or integrity of a compromised TLS session on the wire.
Restarting the service without updating changes nothing except clearing the process image; the vulnerable handshake behavior remains.
Server-only internet reachability scoring overstates urgency because it ignores the client-side and MITM prerequisites.

06 · Verification

Crowdsourced verification payload.

Run this on the target host or appliance shell, not from an auditor workstation. Invoke it as bash check_cve_2014_0224.sh /path/to/openssl or simply bash check_cve_2014_0224.sh to use the default openssl in PATH; no root is required unless the bundled binary is in a restricted path. The script prints VULNERABLE, PATCHED, or UNKNOWN and exits 0, 1, or 2 respectively.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2014_0224.sh
# Best-effort local check for OpenSSL CCS Injection (CVE-2014-0224)
# Exit codes: 0=VULNERABLE 1=PATCHED 2=UNKNOWN

set -u

OPENSSL_BIN="${1:-openssl}"

fail_unknown() {
  echo "UNKNOWN: $1"
  exit 2
}

if ! command -v "$OPENSSL_BIN" >/dev/null 2>&1 && [ ! -x "$OPENSSL_BIN" ]; then
  fail_unknown "openssl binary not found: $OPENSSL_BIN"
fi

VERSTR="$($OPENSSL_BIN version 2>/dev/null)" || fail_unknown "unable to execute $OPENSSL_BIN"
FULLVER="$($OPENSSL_BIN version -a 2>/dev/null || true)"
UPSTREAM_VER="$(printf '%s\n' "$VERSTR" | awk '{print $2}')"

# Normalize versions like 1.0.1f, 1.0.0m, 0.9.8za, 1.0.2-beta1
if [ -z "$UPSTREAM_VER" ]; then
  fail_unknown "could not parse OpenSSL version string: $VERSTR"
fi

# Distro backport detection: package-managed builds may report an old upstream base version
# while carrying the fix. Handle known Ubuntu fixed package versions from the advisory; otherwise UNKNOWN.
if command -v dpkg-query >/dev/null 2>&1; then
  PKG_LINES="$(dpkg-query -W -f='${Package} ${Version}\n' openssl libssl1.0.0 libssl1.0.0:i386 libssl1.0.0:amd64 libssl1.0.2 libssl1.1 libssl3 2>/dev/null || true)"
  if printf '%s\n' "$PKG_LINES" | grep -Eq 'openssl 1\.0\.1f-1ubuntu2\.2|openssl 1\.0\.1e-3ubuntu1\.4|openssl 1\.0\.1-4ubuntu5\.14|openssl 0\.9\.8k-7ubuntu8\.18|openssl 0\.9\.8o-7ubuntu3\.2(\.14\.04\.1)?'; then
    echo "PATCHED: Ubuntu backport package version detected for CVE-2014-0224"
    exit 1
  fi
fi

# Helper to split version into branch + suffix, e.g. 1.0.1g -> branch=1.0.1 suffix=g
split_branch_suffix() {
  local v="$1"
  if [[ "$v" =~ ^([0-9]+\.[0-9]+\.[0-9]+)([a-z]+)?$ ]]; then
    echo "${BASH_REMATCH[1]} ${BASH_REMATCH[2]:-}"
    return 0
  fi
  return 1
}

compare_letter_suffix() {
  # Returns 0 if suffix1 < suffix2 lexically by OpenSSL patch-letter order for simple cases
  # Only used for branches in this CVE where suffixes are single or double lowercase letters.
  local s1="$1"
  local s2="$2"
  [[ "$s1" < "$s2" ]]
}

if [[ "$UPSTREAM_VER" == "1.0.2-beta1" ]]; then
  echo "VULNERABLE: OpenSSL 1.0.2-beta1 is called out as server-vulnerable in the OpenSSL advisory"
  exit 0
fi

read -r BRANCH SUFFIX < <(split_branch_suffix "$UPSTREAM_VER") || fail_unknown "unhandled OpenSSL version format: $UPSTREAM_VER"

case "$BRANCH" in
  0.9.8)
    if [ -z "$SUFFIX" ]; then
      echo "VULNERABLE: OpenSSL $UPSTREAM_VER is older than fixed 0.9.8za"
      exit 0
    fi
    if compare_letter_suffix "$SUFFIX" "za"; then
      echo "VULNERABLE: OpenSSL $UPSTREAM_VER is older than fixed 0.9.8za"
      exit 0
    else
      echo "PATCHED: OpenSSL $UPSTREAM_VER is at or newer than 0.9.8za"
      exit 1
    fi
    ;;
  1.0.0)
    if [ -z "$SUFFIX" ]; then
      echo "VULNERABLE: OpenSSL $UPSTREAM_VER is older than fixed 1.0.0m"
      exit 0
    fi
    if compare_letter_suffix "$SUFFIX" "m"; then
      echo "VULNERABLE: OpenSSL $UPSTREAM_VER is older than fixed 1.0.0m"
      exit 0
    else
      echo "PATCHED: OpenSSL $UPSTREAM_VER is at or newer than 1.0.0m"
      exit 1
    fi
    ;;
  1.0.1)
    if [ -z "$SUFFIX" ]; then
      echo "VULNERABLE: OpenSSL $UPSTREAM_VER is older than fixed 1.0.1h"
      exit 0
    fi
    if compare_letter_suffix "$SUFFIX" "h"; then
      echo "VULNERABLE: OpenSSL $UPSTREAM_VER is older than fixed 1.0.1h"
      exit 0
    else
      echo "PATCHED: OpenSSL $UPSTREAM_VER is at or newer than 1.0.1h"
      exit 1
    fi
    ;;
  *)
    # Newer branches are not affected by this specific CVE, but distro repacks of legacy code can be tricky.
    if printf '%s\n' "$UPSTREAM_VER" | grep -Eq '^([1-9]|0\.[1-9]|1\.[1-9]|[2-9]\.)'; then
      echo "PATCHED: OpenSSL $UPSTREAM_VER is outside the affected upstream branches for CVE-2014-0224"
      exit 1
    fi
    fail_unknown "unable to determine status for version $UPSTREAM_VER"
    ;;
esac

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: treat this as a legacy-crypto cleanup item, not an incident drill. There is no noisgate mitigation SLA — go straight to the 365-day remediation window for this MEDIUM finding unless the asset lives on hostile shared networks or carries high-value admin/API traffic, in which case front it with managed TLS termination during the next normal change window. Per the noisgate remediation SLA, finish patching or replacing the vulnerable OpenSSL consumers within 365 days, and use that time to verify whether you actually have exploitable client-server pairs instead of burning cycles on every isolated server banner.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.