By Jake Edge
November 18, 2009
Transport Layer Security (TLS), and
its predecessor Secure Sockets Layer (SSL), are commonly used protocols for
encrypting internet traffic, so TLS vulnerabilities can potentially affect
a wide range of internet services. A recently disclosed flaw in the TLS
protocol—though there is some dispute whether TLS is at
fault—allows an "injected plaintext" attack against an encrypted
session. This allows a "man in the middle" (MITM) attacker to prefix a victim's
request with their own data, which gets interpreted by the server as if it
came from the victim.
The flaw was disclosed
on the Internet Engineering Task Force (IETF) TLS mailing list by Martin
Rex of SAP on November 4, but it had actually been discovered two months earlier. Marsh
Ray of PhoneFactor, Inc. discovered the problem in early August, but kept it
quiet while alerting the IETF and various TLS developers and vendors.
Those organizations came together as "Project Mogul" to find a solution to
the problem. But once
Rex had posted publicly about a possible MITM attack—independently
discovered—against TLS
(specifically Microsoft's IIS), Ray and his colleague Steve Dispensa released additional information
showing that it was a pervasive problem for TLS (including Apache web
servers, OpenSSL, GNUTLS, and others).
TLS allows clients and servers to renegotiate various session parameters
within the TLS connection. When the renegotiation is done, however, TLS
applications still accept data that came in before the renegotiation as if
it were in the new security context. That hole allows a MITM attack. By
arranging that the last data received is from the attacker, then causing a
renegotiation with the victim, the attack effectively prepends the attacker's
payload to the victim's request.
While it may sound rather theoretical, there is already a proof of concept
(PoC) program available, and that has been adapted into a way to steal
Twitter credentials. Other kinds of attacks are possible as well, some
of which may exploit other internet protocols that use TLS, for example:
SMTP (email),
FTP, XMPP (Jabber), and some VPN implementations. Exploiting the
vulnerability requires the attacker to control some node in between the
client and server, which is not that difficult to do these days because of
pervasive WiFi. Users are accustomed to using any available access point—especially if they use encrypted connections for web, email, and the like—and that access point could be compromised.
Injecting the attacker's text into an existing TLS session may not seem
like a particularly potent attack, but there are several examples of how it
could work. Rex's original disclosure was related to web servers
configured to require client certificates for some resources, and not for
others, which will often lead to renegotiation. That led some to believe
that this relatively rare configuration was required, but subsequent
examples and explanations make it clear that there are other ways to cause,
and exploit, renegotiation.
To attack a web-based application, the attacker typically would send their
prefix to the server, then cause the renegotiation to occur. That
renegotiation would
actually be done between the victim's client and the server (with the MITM
attacker just proxying the traffic). Due to the bug, the server would
process the prefix in the new security context that gets established via
the renegotiation. So, neither the client nor the server has any idea
that this has occurred, and the attacker gets to insert his payload into
the client's secure session.
Eric Rescorla is one of those working on a long-term fix, but he also has
a fairly straightforward example
of the plaintext injection:
E.g., the attacker would send:
GET /pizza?toppings=pepperoni;address=attackersaddress HTTP/1.1
X-Ignore-This:
And leave the last line empty without a carriage return line feed. Then
when the client makes his own request
GET /pizza?toppings=sausage;address=victimssaddress HTTP/1.1
Cookie: victimscookie
the two requests get glued together into:
GET /pizza?toppings=pepperoni;address=attackersaddress HTTP/1.1
X-Ignore-This: GET /pizza?toppings=sausage;address=victimssaddress HTTP/1.1
Cookie: victimscookie
And the server uses the victim's account to send a pizza to the attacker.
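To see why the two fragments merge the way Rescorla describes, here is an added example (my own, not Rescorla's or the article's code) that parses the spliced byte stream the way a minimal HTTP/1.1 server would. The request bytes are re-typed from the example above; the `header_holds_request_line` check at the end is my own heuristic, not anything a real server does.

```python
import re

# Constructed from the two requests in Rescorla's example (re-typed here); the
# prefix stops right after "X-Ignore-This: " with no CRLF, so its header value
# is left open.
ATTACKER_PREFIX = (
    b"GET /pizza?toppings=pepperoni;address=attackersaddress HTTP/1.1\r\n"
    b"X-Ignore-This: "
)
VICTIM_REQUEST = (
    b"GET /pizza?toppings=sausage;address=victimssaddress HTTP/1.1\r\n"
    b"Cookie: victimscookie\r\n"
    b"\r\n"
)

REQUEST_LINE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]$")


def parse_requests(stream: bytes) -> list[dict]:
    """Split a byte stream into requests as a minimal HTTP/1.1 server does:
    a request line plus header lines, ended by a blank line. The server has
    no notion of where a TLS renegotiation happened, so bytes received
    before and after it are parsed as one continuous stream."""
    requests = []
    for raw in stream.split(b"\r\n\r\n"):
        if not raw:
            continue
        lines = raw.split(b"\r\n")
        method, target, version = lines[0].decode().split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.decode().partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append({"method": method, "target": target,
                         "version": version, "headers": headers})
    return requests


def spliced_view(prefix: bytes, victim: bytes) -> list[dict]:
    """What the server application sees after the renegotiation: the
    attacker's bytes followed by the victim's, with no boundary between."""
    return parse_requests(prefix + victim)


def header_holds_request_line(request: dict) -> bool:
    """Heuristic of my own (not from the article or any server): a header
    value that is itself a complete request line means a second request
    was swallowed into the first. It flags this particular trick only,
    not the underlying renegotiation flaw."""
    return any(REQUEST_LINE.match(v) for v in request["headers"].values())


if __name__ == "__main__":
    for req in spliced_view(ATTACKER_PREFIX, VICTIM_REQUEST):
        print(req["method"], req["target"], req["headers"])
        print("swallowed request line:", header_holds_request_line(req))
```

Running it shows a single request: the attacker's request line, the victim's whole request line sitting in the `X-Ignore-This` value, and the victim's `Cookie` attached to it.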
The Twitter attack uses a similar scheme, but exploits the REST-based API
for Twitter. In that case, the attacker's Twitter feed shows the victim's
server request, which includes the base64-encoded username and password of
the victim. In Thierry Zoller's "TLS/SSLv3 renegotiation vulnerability
explained" [PDF]—a comprehensive guide to the
problem—there is an example of hijacking email traffic using a
similar technique: the attacker prepends SMTP commands to send an email to
himself, then leaves the DATA command unterminated, effectively
capturing the victim's outgoing email message.
Shortly after the initial disclosure, OpenSSL released a workaround that disabled
renegotiation. According to Rescorla, almost all servers could disable
renegotiation without impacting any needed functionality, but that doesn't
fix the problem on the client side. Clients cannot detect whether the
server allows renegotiation because the attacker could always fake a
rejection of the renegotiation request.
A more long-term fix has been proposed—that
site, ironically, has an invalid SSL certificate—by Rescorla, Ray,
Dispensa,
and Nasko Oskov of Microsoft. Their proposal would extend TLS to add
information to each renegotiation about the previous renegotiation. In
that way, clients could detect that their connection is not being
negotiated for the first time, which would mean that a MITM had done a TLS
negotiation already.
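As an added illustration of that binding, the following is a simplified model I wrote; it is not code from the proposal or from any TLS library. A handshake is reduced to the verify_data values each side ends up with (a hash here, where real TLS uses a PRF over the handshake transcript), and the extension is called `renegotiation_info` after the draft that became RFC 5746. It runs the MITM sequence from the article against a legacy server and against one that enforces the check:

```python
import hashlib
import secrets


class HandshakeFailure(Exception):
    pass


class Connection:
    """Server-side state for one TLS connection (model only)."""
    def __init__(self):
        self.client_vd = None   # verify_data of the last handshake; None before the first
        self.server_vd = None
        self.handshakes = 0
        self.stream = b""       # application bytes as delivered to the server application


class Server:
    def __init__(self, secure_renegotiation: bool):
        self.secure = secure_renegotiation

    def handshake(self, conn: Connection, client_hello: dict) -> dict:
        """Process a ClientHello on `conn`, raising HandshakeFailure to abort.
        client_hello["renegotiation_info"] is b"" for an initial handshake,
        the client's previous verify_data for a renegotiation, or None when
        the client does not implement the extension."""
        renegotiating = conn.client_vd is not None
        ri = client_hello.get("renegotiation_info")
        if self.secure and renegotiating and ri != conn.client_vd:
            # The binding: a renegotiation must prove knowledge of the previous
            # handshake on THIS connection. A client that believes it is doing
            # an initial handshake sends b"" and cannot pass this check.
            raise HandshakeFailure("renegotiation_info does not match previous handshake")
        server_random = secrets.token_bytes(32)
        transcript = client_hello["client_random"] + server_random
        conn.client_vd = hashlib.sha256(b"client finished" + transcript).digest()[:12]
        conn.server_vd = hashlib.sha256(b"server finished" + transcript).digest()[:12]
        conn.handshakes += 1
        # A legacy server omits the extension; a secure one echoes both values
        # on renegotiation, so a client expecting an initial handshake (b"")
        # would abort on its side as well.
        if not self.secure:
            server_ri = None
        else:
            server_ri = conn.client_vd + conn.server_vd if renegotiating else b""
        return {"server_random": server_random, "renegotiation_info": server_ri}

    def deliver(self, conn: Connection, data: bytes) -> None:
        """Application data is handed up as one stream: the server application
        cannot tell under which handshake each byte arrived (the flaw)."""
        conn.stream += data


def client_hello(renegotiation_info):
    return {"client_random": secrets.token_bytes(32),
            "renegotiation_info": renegotiation_info}


def run_mitm_scenario(secure_renegotiation: bool) -> dict:
    """The attacker opens its own connection, sends a prefix, then proxies
    the victim's initial handshake into that connection as a renegotiation."""
    server = Server(secure_renegotiation)
    conn = Connection()
    # 1. attacker <-> server handshake on the attacker's connection
    server.handshake(conn, client_hello(b""))
    # 2. the attacker's prefix, accepted under the attacker's security context
    server.deliver(conn, b"GET /pizza?address=attacker HTTP/1.1\r\nX-Ignore-This: ")
    # 3. the victim's ClientHello, forwarded unchanged (altering it would break
    #    the victim's Finished check); the victim thinks this is a fresh session
    try:
        server.handshake(conn, client_hello(b""))
    except HandshakeFailure as exc:
        return {"renegotiation": "rejected", "reason": str(exc), "stream": conn.stream}
    # 4. the victim's own request now arrives in the new context
    server.deliver(conn, b"GET /pizza?address=victim HTTP/1.1\r\nCookie: victimscookie\r\n\r\n")
    return {"renegotiation": "accepted", "reason": "", "stream": conn.stream}


def run_legitimate_renegotiation() -> dict:
    """The same client renegotiating its own connection passes the check."""
    server = Server(True)
    conn = Connection()
    server.handshake(conn, client_hello(b""))
    previous = conn.client_vd   # stands in for the client's own copy of its verify_data
    server.handshake(conn, client_hello(previous))
    return {"handshakes": conn.handshakes}


if __name__ == "__main__":
    print("legacy:", run_mitm_scenario(False))
    print("secure:", run_mitm_scenario(True))
```

With the legacy server the delivered stream is the attacker's prefix glued to the victim's request; with the check enforced the second handshake aborts before the victim's request is ever sent on that connection. The model leaves out the transcript hashing that stops the attacker from editing the victim's ClientHello; the comment in step 3 is where that would bite.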
While TLS is the right place to make the fix, Adam Langley is unhappy
that TLS is being blamed for the problem. His contention is that the
applications are making unwarranted assumptions about what TLS provides.
While that may be true, "every single protocol that is layered on top
of TLS got this wrong", as Ben Laurie points out.
Zoller's paper also has a good summary of other protocols and programs that
use TLS, along with their vulnerability status. It may be a hard
vulnerability to exploit, because it requires a MITM position along with an
ability to predict the client's traffic, but it is rather serious. As
Rescorla and others note, though, MITM attacks simply using an attacker's
certificate are generally fairly successful because users are willing to
accept any certificate presented to them. It really isn't necessary to go
to the
lengths that are required to exploit this vulnerability until that changes.
[ Thanks to Tzvetan Mikov who suggested this as a topic shortly after it
was made public. ]
Comments (23 posted)
New vulnerabilities
apache-conf: cross-site scripting
| Package(s): | apache-conf |
|---|---|
| CVE #(s): | CVE-2009-2823 |
| Created: | November 16, 2009 |
| Updated: | January 7, 2010 |
| Description: | From the Mandriva advisory: The Apache HTTP Server enables the HTTP TRACE method per default which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified web client software (CVE-2009-2823). |
| Alerts: | |
asterisk: access control violation
| Package(s): | asterisk |
|---|---|
| CVE #(s): | |
| Created: | November 16, 2009 |
| Updated: | November 18, 2009 |
| Description: | From the Asterisk advisory: A missing ACL check for handling SIP INVITEs allows a device to make calls on networks intended to be prohibited as defined by the "deny" and "permit" lines in sip.conf. The ACL check for handling SIP registrations was not affected. |
| Alerts: | |
cups: denial of service
| Package(s): | cups |
|---|---|
| CVE #(s): | CVE-2009-3553 |
| Created: | November 18, 2009 |
| Updated: | March 2, 2011 |
| Description: | From the Red Hat advisory: A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially-crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553) |
| Alerts: | |
ffmpeg: denial of service
| Package(s): | ffmpeg |
|---|---|
| CVE #(s): | CVE-2008-3230 |
| Created: | November 16, 2009 |
| Updated: | December 7, 2009 |
| Description: | From the Mandriva advisory: The ffmpeg lavf demuxer allows user-assisted attackers to cause a denial of service (application crash) via a crafted GIF file (CVE-2008-3230) |
| Alerts: | |
gimp: integer overflow
| Package(s): | gimp |
|---|---|
| CVE #(s): | CVE-2009-1570 |
| Created: | November 13, 2009 |
| Updated: | September 28, 2012 |
| Description: | From the Mandriva advisory: Integer overflow in the ReadImage function in plug-ins/file-bmp/bmp-read.c in GIMP 2.6.7 might allow remote attackers to execute arbitrary code via a BMP file with crafted width and height values that trigger a heap-based buffer overflow. |
| Alerts: | |
java: remote file creation and modification
| Package(s): | java |
|---|---|
| CVE #(s): | CVE-2009-2676 |
| Created: | November 12, 2009 |
| Updated: | November 18, 2009 |
| Description: | From the National Vulnerability Database entry: Unspecified vulnerability in JNLPAppletlauncher in Sun Java SE, and SE for Business, in JDK and JRE 6 Update 14 and earlier and JDK and JRE 5.0 Update 19 and earlier; and Java SE for Business in SDK and JRE 1.4.2_21 and earlier; allows remote attackers to create or modify arbitrary files via vectors involving an untrusted Java applet that accesses an old version of JNLPAppletLauncher. |
| Alerts: | |
java: multiple vulnerabilities
| Package(s): | java |
|---|---|
| CVE #(s): | CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724 |
| Created: | November 18, 2009 |
| Updated: | November 18, 2009 |
| Description: | From the CVE entries: CVE-2009-2716: The plugin functionality in Sun Java SE 6 before Update 15 does not properly implement version selection, which allows context-dependent attackers to leverage vulnerabilities in "old zip and certificate handling" and have unspecified other impact via unknown vectors. CVE-2009-2718: The Abstract Window Toolkit (AWT) implementation in Sun Java SE 6 before Update 15 on X11 does not impose the intended constraint on distance from the window border to the Security Warning Icon, which makes it easier for context-dependent attackers to trick a user into interacting unsafely with an untrusted applet. CVE-2009-2719: The Java Web Start implementation in Sun Java SE 6 before Update 15 allows context-dependent attackers to cause a denial of service (NullPointerException) via a crafted .jnlp file, as demonstrated by the jnlp_file/appletDesc/index.html#misc test in the Technology Compatibility Kit (TCK) for the Java Network Launching Protocol (JNLP). CVE-2009-2720: Unspecified vulnerability in the javax.swing.plaf.synth.SynthContext.isSubregion method in the Swing implementation in Sun Java SE 6 before Update 15 allows context-dependent attackers to cause a denial of service (NullPointerException in the Jemmy library) via unknown vectors. CVE-2009-2721: Multiple unspecified vulnerabilities in the Provider class in Sun Java SE 5.0 before Update 20 have unknown impact and attack vectors, aka BugId 6406003. CVE-2009-2722: Multiple unspecified vulnerabilities in the Provider class in Sun Java SE 5.0 before Update 20 have unknown impact and attack vectors, aka BugId 6429594. NOTE: this issue exists because of an incorrect fix for BugId 6406003. CVE-2009-2723: Unspecified vulnerability in deserialization in the Provider class in Sun Java SE 5.0 before Update 20 has unknown impact and attack vectors, aka BugId 6444262. CVE-2009-2724: Race condition in the java.lang package in Sun Java SE 5.0 before Update 20 has unknown impact and attack vectors, related to a "3Y Race condition in reflection checks." |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel |
|---|---|
| CVE #(s): | CVE-2009-3726 |
| Created: | November 16, 2009 |
| Updated: | March 21, 2011 |
| Description: | From the SUSE advisory: CVE-2009-3726: The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the Linux kernel allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state. |
| Alerts: | |
openjdk: arbitrary code execution
| Package(s): | openjdk-6 |
|---|---|
| CVE #(s): | CVE-2009-3885 |
| Created: | November 16, 2009 |
| Updated: | April 28, 2010 |
| Description: | From the Ubuntu advisory: Multiple flaws were discovered in JPEG and BMP image handling. If a user were tricked into loading a specially crafted image, a remote attacker could crash the application or run arbitrary code with user privileges. (CVE-2009-3873, CVE-2009-3874, CVE-2009-3885) |
| Alerts: | |
openldap: man in the middle attack
| Package(s): | openldap |
|---|---|
| CVE #(s): | CVE-2009-3767 |
| Created: | November 12, 2009 |
| Updated: | July 22, 2010 |
| Description: | From the Ubuntu alert: It was discovered that OpenLDAP did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. |
| Alerts: | |
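The underlying mistake is treating a length-prefixed certificate string as a C string. The following added example (my own code, not OpenLDAP's) encodes a constructed Common Name containing a NUL byte as a DER UTF8String and compares the truncating comparison with a length-aware one:

```python
# A certificate's Common Name is a length-prefixed ASN.1 string, so it can
# legally contain a NUL byte. Code that hands the decoded bytes to
# strcmp()-style routines sees only the part before the NUL.
# Constructed names for this example (example.com / .example are reserved):
NUL_CN = b"login.example.com\x00.other.example"
CLEAN_CN = b"login.example.com"


def der_utf8string(value: bytes) -> bytes:
    """Encode a DER UTF8String (tag 0x0c, short-form length). The explicit
    length is what lets the value carry a NUL byte."""
    if len(value) > 127:
        raise ValueError("short-form length only")
    return b"\x0c" + bytes([len(value)]) + value


def der_decode_string(der: bytes) -> bytes:
    """Decode the string above; the length, not a terminator, bounds the value."""
    if len(der) < 2 or der[0] != 0x0C:
        raise ValueError("not a UTF8String")
    length = der[1]
    if length > 127 or len(der) != 2 + length:
        raise ValueError("bad length")
    return der[2:2 + length]


def cn_matches_truncating(der_cn: bytes, hostname: str) -> bool:
    """The flawed pattern: the decoded bytes are handed to C-string code,
    which stops at the first NUL, so "login.example.com\\0.other.example"
    compares equal to "login.example.com"."""
    as_c_string = der_decode_string(der_cn).split(b"\x00", 1)[0]
    return as_c_string.decode("ascii", "replace").lower() == hostname.lower()


def cn_matches_length_aware(der_cn: bytes, hostname: str) -> bool:
    """Corrected check: refuse any name containing NUL, then compare the
    whole value (DNS names are case-insensitive)."""
    cn = der_decode_string(der_cn)
    if b"\x00" in cn:
        return False
    return cn.decode("ascii", "replace").lower() == hostname.lower()


if __name__ == "__main__":
    der = der_utf8string(NUL_CN)
    print("truncating:", cn_matches_truncating(der, "login.example.com"))
    print("length-aware:", cn_matches_length_aware(der, "login.example.com"))
```

A certificate authority that validates only the part of the name after the NUL would issue such a certificate for the second domain; the truncating check then accepts it for the first one, which is the man-in-the-middle position the advisory describes.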
qt: multiple vulnerabilities
| Package(s): | qt |
|---|---|
| CVE #(s): | CVE-2009-3384, CVE-2009-2816 |
| Created: | November 16, 2009 |
| Updated: | January 25, 2011 |
| Description: | From the Red Hat bugzilla [1, 2]: CVE-2009-3384: Multiple security flaws (integer underflow, invalid pointer dereference, buffer underflow and a denial of service) were found in the way WebKit's FTP parser used to process remote FTP directory listings. If a remote FTP server issued a specially-crafted FTP command, it could lead to disclosure of sensitive information, denial of service (application crash) or, potentially to execution of arbitrary code, once the command was parsed. CVE-2009-2816: A security flaw was found in the WebKit's Cross-Origin Resource Sharing (CORS) implementation. Quoting exact details from the WebKit advisory: Before allowing a page from one origin to access a resource in another origin, WebKit sends a preflight request, to determine if the origin server for the resource being accessed will allow the resource to be shared. WebKit includes custom HTTP headers specified by the requesting page in the preflight request. This can result in unexpected actions being initiated on the cross-origin site without user consent. This issue is addressed by dropping custom HTTP headers from preflight requests. |
| Alerts: | |
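As an added example of what the CORS fix changes (my own code, not WebKit's), this builds the preflight for a constructed cross-origin request two ways: copying the page's custom headers into it, as the advisory says WebKit did, and the corrected way, where only the header names appear in Access-Control-Request-Headers:

```python
# Constructed cross-origin request a page might make. The custom header
# is the kind of thing a server might act on if it arrives unexpectedly.
ORIGIN = "https://app.example"
TARGET_METHOD = "POST"
CUSTOM_HEADERS = {"X-Action": "delete-account", "X-Request-Id": "42"}

# Header names a request may carry without a preflight (CORS "simple"
# headers; Content-Type is only simple for some values and is left out here).
SIMPLE_HEADERS = {"accept", "accept-language", "content-language"}


def build_preflight(origin: str, method: str, headers: dict,
                    copy_custom_headers: bool = False) -> dict:
    """Return the headers of the OPTIONS preflight. The preflight announces
    the method and the *names* of the non-simple headers the real request
    will carry; with copy_custom_headers=True it also copies the headers
    themselves, which is the flawed behaviour the advisory describes."""
    names = sorted(h.lower() for h in headers if h.lower() not in SIMPLE_HEADERS)
    preflight = {
        "Origin": origin,
        "Access-Control-Request-Method": method,
    }
    if names:
        preflight["Access-Control-Request-Headers"] = ", ".join(names)
    if copy_custom_headers:
        preflight.update(headers)
    return preflight


def carries_custom_headers(preflight: dict, headers: dict) -> bool:
    """True if any of the page's custom headers made it into the preflight."""
    present = {k.lower() for k in preflight}
    return any(h.lower() in present for h in headers)


if __name__ == "__main__":
    print("flawed:", build_preflight(ORIGIN, TARGET_METHOD, CUSTOM_HEADERS, True))
    print("fixed: ", build_preflight(ORIGIN, TARGET_METHOD, CUSTOM_HEADERS))
```

The server answering the preflight has not yet consented to anything, so a preflight that already carries `X-Action: delete-account` lets a server that keys on that header act before the check is complete; the corrected preflight only tells it that a header named `x-action` would follow.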
texlive: buffer overflow
| Package(s): | texlive |
|---|---|
| CVE #(s): | CVE-2009-1284 |
| Created: | November 13, 2009 |
| Updated: | June 26, 2012 |
| Description: | From the CVE entry: Buffer overflow in BibTeX 0.99 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a long .bib bibliography file. |
| Alerts: | |
wordpress: multiple vulnerabilities
| Package(s): | wordpress |
|---|---|
| CVE #(s): | |
| Created: | November 18, 2009 |
| Updated: | November 18, 2009 |
| Description: | From the Wordpress release notes: 2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended. The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these. |
| Alerts: | |