New SSL bug affects Linux, Android and corporate wireless.
A bug dubbed the "Son of Heartbleed" is targeting users of Android, Linux and corporate wireless networks users have been warned.
The so-called Cupid vulnerability allows the same kind of eavesdropping as the Heartbleed bug, affecting users and providers of Wi-Fi networks using the extensible authentication protocol (EAP).
According to Luis Grangeia, security services manager at SysValue: "This is basically the same attack as Heartbleed, based on a malicious heartbeat packet. Like the original attack which happens on regular TLS connections over TCP, both clients and servers can be exploited and memory can be read off processes on both ends of the connection."
TLS is a commonly used security protocol and successor of SSL, the open-source implementation of which was targeted by the Heartbleed OpenSSL bug.
To implement Cupid hackers can either use wireless software combined with a Cupid patch to target a network, or set up access point software with the Cupid patch to target devices.
The exploit is particularly dangerous because of the lack of authentication or credentials needed for it to work. "It's not necessary to fully establish a TLS connection to perform the Heartbleed attack," Grangeia added. "No actual keys or certificates need to be exchanged."
Android and Linux users are advised to fully upgrade their OS before connecting to wireless network, while corporations are advised to check with their vendors to see if they may be affected.
The news confirms Hugh Thompson of Blue Coat's prediction that Heartbleed is likely to have a "very long tail", despite the assurances of many tech giants that their systems have been patched.
Source: Company Press Release