OpenSSL Vulnerability Addressed in Android 4.4.4 Update

Update targets Nexus devices, factory images available

By on June 20th, 2014 07:59 GMT

The latest security flaw in OpenSSL has been addressed on Android with the fresh release of the 4.4.4 KitKat (KTU84P) update, which will roll out to Nexus devices.

There isn’t too much information about the new build, but Engineering Program Manager at Android Sascha Prüter says that it focuses mostly on addressing the OpenSSL ChangeCipherSpec (CCS) Injection vulnerability in the crypto library, identified as CVE-2014-0224.

Other security-related flaws have also been addressed, although not as severe as this one, as the changelog for KTU84P shows. The log lists CTS (Compatibility Test Suite) for the CCS flaw and a fix of a concurrency bug in OpenSSLHeartbleedTest; no reference to Towelroot.

CVE-2014-0224 was revealed at the beginning of the month and would allow an attacker to force the negotiation of weak encryption keys between a client and a server by using a man-in-the-middle attack. Both systems have to be vulnerable for the exploitation to be successful.

A test scan run by Qualys last week showed that almost half of the verified servers were vulnerable to this weakness and 14% of them were declared as exploitable.

The current patch can be applied over Android 4.4.3 KitKat on Nexus 4, Nexus 5, Nexus 7 (2013), and Nexus 10 devices. Factory images are already available for those who do not want to wait for the OTA update.

Comments