5 | 5 | In short: if both the client and the server are running a vulnerable version of OpenSSL, an active attacker with a man-in-the-middle position can trick OpenSSL to use keys known to the attacker. This means the attacker can read and even manipulate everything on the TLS connection. In the OpenVPN case, that includes the traffic protection keys for your VPN data, and thus your VPN data. For more information, visit the CCS Injection Vulnerability page at http://ccsinjection.lepidum.co.jp/ or check the CVE at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224. |