September 28, 2016

OpenSSL Fix Flaw in Recent Bug Fix

(LiveHacking.Com) – Earlier this month, the OpenSSL project released updates to two new versions (OpenSSL 1.0.0f and 0.9.8s) of the popular open source toolkit for SSL/TLS to fix a total of six security flaws. One of the vulnerabilities fixed (CVE-2011-4108) was in OpenSSL’s DTLS implementation which allowed an efficient plaintext recovery attack. However Antonio Martin from Cisco Systems, Inc found a flaw in the in the fix that can be exploited in a denial of service attack. Only DTLS applications using OpenSSL 1.0.0f and 0.9.8s are affected.

To remedy this the OpenSSL project have now released OpenSSL 1.0.0g and OpenSSL 0.9.8t.

Six Security Flaws Fixed in OpenSSL

(LiveHacking.Com) – The OpenSSL project team has released two new versions of the popular open source toolkit for SSL/TLS. OpenSSL 1.0.0f and 0.9.8s fix a total of six security flaws. Of the six fixes, four apply to 1.0.0f and 0.9.8s together and then each version has one unique fix for its code stream.

The relevant security advisory lists the following:

  1. DTLS Plaintext Recovery Attack (CVE-2011-4108) – Nadhem Alfardan and Kenny Paterson have discovered an extension of the Vaudenay padding oracle attack on CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. Their attack exploits timing differences arising during decryption processing. A research paper describing this attack can befound at http://www.isg.rhul.ac.uk/~kp/dtls.pdf
  2. Double-free in Policy Checks (CVE-2011-4109) – If X509_V_FLAG_POLICY_CHECK is set in OpenSSL 0.9.8, then a policy check failure can lead to a double-free. The bug does not occur unless this flag is set. Users of OpenSSL 1.0.0 are not affected.
  3. Uninitialized SSL 3.0 Padding (CVE-2011-4576) – OpenSSL prior to 1.0.0f and 0.9.8s failed to clear the bytes used as block cipher padding in SSL 3.0 records. This affects both clients and servers that accept SSL 3.0 handshakes: those that call SSL_CTX_new with SSLv3_{server|client}_method or SSLv23_{server|client}_method. It does not affect TLS. As a result, in each record, up to 15 bytes of uninitialized memory may be sent, encrypted, to the SSL peer. This could include sensitive contents of previously freed memory. However, in practice, most deployments do not use SSL_MODE_RELEASE_BUFFERS and therefore have a single write buffer per connection. That write buffer is partially filled with non-sensitive, handshake data at the beginning of the connection and, thereafter, only records which are longer any any previously sent record leak any non-encrypted data. This, combined with the small number of bytes leaked per record, serves to limit to severity of this issue.
  4. Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577) – RFC 3779 data can be included in certificates, and if it is malformed, may trigger an assertion failure. This could be used in a denial-of-service attack. Note, however, that in the standard release of OpenSSL, RFC 3779 support is disabled by default, and in this case OpenSSL is not vulnerable. Builds of OpenSSL are vulnerable if configured with “enable-rfc3779”.
  5. SGC Restart DoS Attack (CVE-2011-4619) – Support for handshake restarts for server gated cryptograpy (SGC) can be used in a denial-of-service attack.
  6. Invalid GOST parameters DoS Attack (CVE-2012-0027) – A malicious TLS client can send an invalid set of GOST parameters which will cause the server to crash due to lack of error checking. This could be used in a denial-of-service attack. Only users of the OpenSSL GOST ENGINE are affected by this bug.

OpenSSL 1.0.0f  is considered the current best version of OpenSSL available and it is recommended that users of older versions upgrade as soon as possible. OpenSSL 1.0.0f is available for download via HTTP and FTP from the following master locations:

For a complete list of changes, please seehttp://cvs.openssl.org/getfile?f=openssl/CHANGES&v=OpenSSL_1_0_0f.

 

Microsoft Issues Security Advisory to Combat the BEAST

(LiveHacking.Com) – As reported yesterday, the mechanism behind earlier versions of  SSL/TLS are susceptible to attack due the way they use block ciphers. Now Microsoft has made a blog post and issued a security advisory about the problem.

This is an industry-wide issue with limited impact that affects the Internet ecosystem as a whole rather than any specific platform. Our Advisory addresses the issue via the Windows operating system.

According to Microsoft’s analysis  users are at minimal risk. To successfully exploit this issue, the would-be attacker must meet several conditions:

  • The targeted user must be in an active HTTPS session;
  • The malicious code the attacker needs to decrypt the HTTPS traffic must be injected and run in the user’s browser session; and,
  • The attacker’s malicious code must be treated as from the same origin as the HTTPS server in order to it to be allowed to piggyback the existing HTTPS connection.
  • The attack must make several hundred HTTPS requests before the attack could be successful.
  • TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
For those who run servers on Windows, Microsoft suggest use of the RC4 algorithm. Since the attack only affects cipher suites that use symmetric encryption algorithms in CBC mode, such as AES, the RC4 algorithm is not vulnerable. System administrators can prioritize the RC4 algorithm on their servers using the instructions given here:  Prioritizing Schannel Cipher Suites.

Is SSL/TLS Under Attack from the BEAST?

 

(LiveHacking.Com) – Juliano Rizzo and Thai Duong have released details of a vulnerability in  TLS (Transport Layer Security) 1.0, the encryption mechanism used in HTTPS (Secure Hypertext Transfer Protocol). TLS is the successor to SSL (Secure Sockets Layer) and is widely used on the Internet. The vulnerability resides in versions 1.0 and earlier of TLS, but not in versions 1.1 and 1.2, however they remain almost entirely unsupported in browsers and websites.

At the Ekoparty security conference in Buenos Aires, Juliano and Thai released a tool, known as BEAST (Browser Exploit Against SSL/TLS), that compromises TLS by exploiting the vulnerability  that has actually been known about for years but which has been regarded as just theoretical until now.

The problem is all to do with block ciphers and Cipher Block Chaining (CBC). With CBC, each ciphertext message starts with a single extra random block, or IV (“initialization vector”). TLS <= 1.0 uses CBC but has a problem in that instead of using a new random IV for every TLS message sent, it uses the ciphertext of the last block of the last message as the IV for the next message. This means that the IV is now something an attacker can predict. A more detailed look at how the attack works can be found here.

The two-factor authentication service PhoneFactor has suggested websites use the RC4 cipher to encrypt SSL traffic instead of algorithms such as AES and DES, as RC4 is not vulnerabile to this CBC/IV problem.

According to Sophos, the pair reported their findings to the major browser vendors a month ago. However so far Google is the only company to respond with a fix (which can currently be found in the beta test versions of the browser).

Microsoft Fixed Serious Spoofing Vulnerability in the Secure Sockets Layer (SSL)

Microsoft has updated its operating systems to fix a potentially serious spoofing vulnerability in the secure sockets layer (SSL) protocol. TLS and SSL encrypt the segments of network connections at the Application Layer to ensure secure end-to-end transit at the Transport Layer.

Microsoft Released Security Patch for SSL

Microsoft on Tuesday August 10, 2010, released MS10-049 to fix the bug in Windows Server 2008, Windows 7 and 12 other versions of Windows that are still under support. The patch updates a part of the operating system known Secure Channel (SChannel), which is responsible for implementing SSL/TLS (transport layer security).

According to TheRegister, Microsoft’s update follows the revision in January of RFC 5246, the request-for-comments document that previously mapped out the technical specifications for the protocol. The new controlling blueprint for SSL/TLS communications is RFC 5746. Since then, other packages, including OpenSSL, RedHat Linux and Oracle’s Java, have also been patched.

Microsoft rated the severity of the vulnerability as “important,” the second-highest classification on its four-tier scale. The bulletin correctly said the SSL vulnerability could be exploited only in concert with another attack – such as ARP spoofing or DNS cache poisoning – that allowed someone to perform a man-in-the-middle attack.

Read more about this news here.

Source: [TheRegister]