
Security

The FREAK crypto downgrade attack

By Jake Edge
March 4, 2015

For the most part, cryptography is not what is letting us down security-wise. Most of the algorithms are solid and, if used correctly, essentially uncrackable in any sensible time frame. There are exceptions, of course, but by and large cryptography has served us well. Unfortunately, we commonly have programs that provide ways to downgrade the cryptographic algorithms or hamper them in other ways (e.g. shorter keys) so that they no longer serve to protect our data as they should.

When an attacker can cause systems to use a weaker encryption algorithm, perhaps one that has serious flaws, it is called a "downgrade attack". The latest entrant into the pantheon of downgrade attacks is one that has been dubbed FREAK (which stands for "Factoring attack on RSA-EXPORT keys"). It uses the ability of a man-in-the-middle attacker to downgrade the encryption used by many web sites when accessed by users with the Safari and Android browsers. As the name indicates, attackers could cause the affected systems to use the purposely weakened export version of the RSA cipher that limited key length to 512 bits.

In a delicious irony, the web site of the US National Security Agency (NSA)—which mandated the use of export-grade RSA keys during the crypto wars of the 1990s—was affected by FREAK. Many other sites were too, of course. But those sites are only vulnerable when they are accessed from a vulnerable client.

Even though the export version of the RSA suite is considered to be a "zombie" by many, it is evidently still present in multiple web servers. As Matthew Green noted in his analysis, it shouldn't matter if the web servers still have the export version of RSA available if the clients do not request the 512-bit export-grade keys. Also, clients need to reject those keys if they haven't requested them. It is the latter piece that fails here.

It turns out that a man in the middle can alter the client's initial message to the server (which is sent in the clear) to change its request for the standard RSA cipher into a request for the export version. If the server supports export RSA, it will happily send back a weak RSA key that is vouched for by the server's certificate. Apparently, roughly 35% of the internet, much of that being systems run by content delivery networks (CDNs), does or did support export-grade RSA. The client, though, knows (or should know) that it requested the standard RSA cipher, so it should reject the weakened export key. But the vulnerable clients do not do that.

Even after the twin assumptions that few servers still supported export RSA and that few clients would request and accept those keys were invalidated, there was still one more line of defense: factoring 512-bit RSA keys is not trivial, so traffic could not be intercepted in real time. It could only be read later, after the key was broken, which takes some seven hours and costs $104 on Amazon's cloud servers.

But, in reality, even that "barrier" fell. It turns out that, by default, Apache's mod_ssl generates a single export RSA key when it starts up and then uses that same key for every subsequent connection. So, breaking that key once allows real-time decryption of all of the traffic from then on—until the web server gets restarted.
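The client-side check the article says the vulnerable browsers skipped, as an added example (not code from the article or from any TLS library): the cipher suite numbers are the IANA values, while the client class and the scenario function are constructed for illustration. It replays the exchange described above and also shows why a client that offers export suites itself gets no protection from the check.

```python
# Added example, not code from the article or from any TLS implementation.
# Models the client-side consistency checks for an RSA key exchange that
# stop a man in the middle from swapping in an export-grade temporary key.
# Suite ids are the IANA values; everything else is constructed for illustration.

# suite id -> (name, is RSA_EXPORT suite)
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", False),
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", True),
    0x0006: ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", True),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", True),
}
EXPORT_RSA_MAX_BITS = 512


class HandshakeError(Exception):
    """Raised when the client must abort the handshake."""


class StrictClient:
    """Client side of an RSA key exchange with the missing checks in place."""

    def __init__(self, offered_suites):
        self.offered = set(offered_suites)
        self.negotiated = None

    def on_server_hello(self, suite):
        # The suite the server picks must be one this client actually offered.
        if suite not in self.offered:
            raise HandshakeError("server chose a suite we never offered: %#06x" % suite)
        self.negotiated = suite

    def on_server_key_exchange(self, rsa_modulus_bits):
        # Plain RSA suites encrypt the premaster secret to the certificate's key,
        # so a temporary RSA key is only legal for RSA_EXPORT suites, and then
        # only at export size. A non-export suite must never accept one.
        name, is_export = CIPHER_SUITES[self.negotiated]
        if not is_export:
            raise HandshakeError("temporary RSA key sent for non-export suite " + name)
        if rsa_modulus_bits > EXPORT_RSA_MAX_BITS:
            raise HandshakeError("export key too large: %d bits" % rsa_modulus_bits)
        return name


def run_freak_scenario(client_suites, check_key_exchange=True):
    """Replay the attack: the MITM rewrites the ClientHello to ask for export
    RSA, the server answers with a 512-bit temporary key, and the MITM rewrites
    the ServerHello back to the suite the client wanted. Returns
    ("rejected", reason) or ("accepted", negotiated suite name)."""
    client = StrictClient(client_suites)
    shown_server_hello = client_suites[0]   # what the MITM lets the client see
    server_key_bits = 512                   # what the server really sent
    try:
        client.on_server_hello(shown_server_hello)
        if check_key_exchange:
            name = client.on_server_key_exchange(server_key_bits)
        else:  # the vulnerable behaviour: use whatever temporary key arrives
            name = CIPHER_SUITES[client.negotiated][0]
        return ("accepted", name)
    except HandshakeError as exc:
        return ("rejected", str(exc))
```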

While man-in-the-middle attacks seemed somewhat difficult for attackers to engineer at one point in time, that is really no longer operative (if it ever really was). It is clear that governments, at least, are fully willing to perform such attacks. Any internet service provider (ISP) is perfectly positioned to attack its customers that way, as are the operators of the wireless networks in millions of locations worldwide. But, of course, encryption is meant to thwart man-in-the-middle attacks.

Part of the problem here is that TLS (or, really, its predecessor, SSL) was "designed to be broken", Green said. Because of US government mandates about exporting cryptography, SSL needed to handle both strong and weak encryption. That led to the cipher suite negotiation that would (hopefully) allow clients and servers to arrive at the strongest encryption that both could support. But it also led to attackers exploiting the ability of clients and servers to back down to simpler ciphers and protocols.

FREAK is not the first downgrade vulnerability that we have seen and it certainly won't be the last. POODLE is a famous one that exploited systems that would fall back to SSL 3, rather than require TLS 1.1 or higher, and there have been others. Even ISPs that remove STARTTLS from SMTP server responses are performing a kind of downgrade attack. When protocols are designed with the possibility to downgrade, attackers are going to try to find a way to exploit that. It is something for protocol designers to keep in mind down the road.

Comments (6 posted)

Brief items

Security quotes of the week

I would say running each service on an individual machine is the most secure. Running each service on a separate VM is the second most, especially if you are using SELinux/sVirt for separation of your VMs. Third level is running each service in a different container (again you want SELinux for some separation). Fourth is each service running on the host (wrapped with SELinux). Fifth setenforce 0.
Daniel J Walsh (Thanks to Peter Robinson.)

Control is moving back to the center, where powerful companies and governments are creating choke points. They are using those choke points to destroy our privacy, limit our freedom of expression, and lock down culture and commerce. Too often, we give them our permission—trading liberty for convenience—but a lot of this is being done without our knowledge, much less permission.
Dan Gillmor moves away from Apple, Google, and Microsoft products

Some will point out that an MITM [man-in-the-middle] attack on the NSA is not really an 'MITM attack on the NSA' because NSA outsources its web presence to the Akamai CDN (see obligatory XKCD at right). These people may be right, but they also lack poetry in their souls.
Matthew Green (Thanks to Paul Wise.)

Encryption backdoors will always turn around and bite you in the ass. They are never worth it.
Matthew Green (in the same blog post)

Comments (16 posted)

New vulnerabilities

apache2: denial of service

Package(s): apache2    CVE #(s): CVE-2015-0228
Created: March 4, 2015    Updated: July 30, 2015
Description: From the openSUSE bug report:

mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash.

Alerts:
Red Hat RHSA-2015:1666-01 httpd24-httpd 2015-08-24
Fedora FEDORA-2015-11792 httpd 2015-07-30
Fedora FEDORA-2015-11689 httpd 2015-07-21
Slackware SSA:2015-198-01 httpd 2015-07-17
Arch Linux ASA-201507-15 apache 2015-07-17
Mandriva MDVSA-2015:093 apache 2015-03-28
Ubuntu USN-2523-1 apache2 2015-03-10
openSUSE openSUSE-SU-2015:0418-1 apache2 2015-03-04
Mageia MGASA-2015-0099 apache 2015-03-06

Comments (none posted)

arc: directory traversal

Package(s): arc    CVE #(s):
Created: March 4, 2015    Updated: March 4, 2015
Description: From the Red Hat bugzilla:

It was reported that arc is susceptible to directory traversal.

Alerts:
Fedora FEDORA-2015-0773 arc 2015-03-04
Fedora FEDORA-2015-0754 arc 2015-03-04

Comments (none posted)

cabextract: privilege escalation

Package(s): cabextract    CVE #(s): CVE-2015-2060
Created: February 26, 2015    Updated: March 9, 2015
Description: From the Mageia advisory:

A directory traversal issue in cabextract allows writing to locations outside of the current working directory, when extracting a crafted cab file that encodes the filenames in a certain manner (CVE-2015-2060).

Alerts:
Mandriva MDVSA-2015:064 cabextract 2015-03-27
Mageia MGASA-2015-0086 cabextract 2015-02-26
Fedora FEDORA-2015-2746 cabextract 2015-03-09
Fedora FEDORA-2015-2730 cabextract 2015-03-09

Comments (none posted)

firefox: multiple vulnerabilities

Package(s): firefox    CVE #(s): CVE-2015-0819 CVE-2015-0820 CVE-2015-0821 CVE-2015-0823 CVE-2015-0824 CVE-2015-0825 CVE-2015-0826 CVE-2015-0829 CVE-2015-0830 CVE-2015-0832 CVE-2015-0834 CVE-2015-0835
Created: February 26, 2015    Updated: March 23, 2015
Description: From the Ubuntu advisory:

Matthew Noorenberghe discovered that whitelisted Mozilla domains could make UITour API calls from background tabs. If one of these domains were compromised and open in a background tab, an attacker could potentially exploit this to conduct clickjacking attacks. (CVE-2015-0819)

Jan de Mooij discovered an issue that affects content using the Caja Compiler. If web content loads specially crafted code, this could be used to bypass sandboxing security measures provided by Caja. (CVE-2015-0820)

Armin Razmdjou discovered that opening hyperlinks with specific mouse and key combinations could allow a Chrome privileged URL to be opened without context restrictions being preserved. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass security restrictions. (CVE-2015-0821)

Atte Kettunen discovered a use-after-free in the OpenType Sanitiser (OTS) in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash. (CVE-2015-0823)

Atte Kettunen discovered a crash when drawing images using Cairo in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service. (CVE-2015-0824)

Atte Kettunen discovered a buffer underflow during playback of MP3 files in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information. (CVE-2015-0825)

Atte Kettunen discovered a buffer overflow during CSS restyling in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-0826)

A buffer overflow was discovered in libstagefright during video playback in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-0829)

Daniele Di Proietto discovered that WebGL could cause a crash in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service. (CVE-2015-0830)

Muneaki Nishimura discovered that a period appended to a hostname could bypass key pinning and HSTS in some circumstances. A remote attacker could potentially exploit this to conduct a Man-in-the-middle (MITM) attack. (CVE-2015-0832)

Alexander Kolesnik discovered that Firefox would attempt plaintext connections to servers when handling turns: and stuns: URIs. A remote attacker could potentially exploit this by conducting a Man-in-the-middle (MITM) attack in order to obtain credentials. (CVE-2015-0834)

Carsten Book, Christoph Diehl, Gary Kwong, Jan de Mooij, Liz Henry, Byron Campen, Tom Schuster, Ryan VanderMeulen, Christian Holler, Jesse Ruderman, Randell Jesup, Robin Whittleton, Jon Coppeard, and Nikhil Marathe discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-0835, CVE-2015-0836)

Alerts:
Gentoo 201701-15 firefox 2017-01-03
Gentoo 201504-01 firefox 2015-04-07
Mageia MGASA-2015-0126 iceape 2015-04-03
openSUSE openSUSE-SU-2015:0570-1 seamonkey 2015-03-23
Fedora FEDORA-2015-4402 firefox 2015-03-23
Ubuntu USN-2505-1 firefox 2015-02-25
SUSE SUSE-SU-2015:0412-1 firefox 2015-03-03
Ubuntu USN-2505-2 firefox 2015-03-09
SUSE SUSE-SU-2015:0447-1 firefox 2015-03-07
SUSE SUSE-SU-2015:0446-1 firefox 2015-03-07
openSUSE openSUSE-SU-2015:0404-1 firefox, nss 2015-03-01

Comments (none posted)

foreman-proxy: restriction bypass

Package(s): foreman-proxy    CVE #(s): CVE-2014-3691
Created: March 4, 2015    Updated: March 4, 2015
Description: From the Red Hat advisory:

It was discovered that foreman-proxy, when running in SSL-secured mode, did not correctly verify SSL client certificates. This could permit any client with access to the API to make requests and perform actions otherwise restricted.

Alerts:
Red Hat RHSA-2015:0288-01 foreman-proxy 2015-03-03
Red Hat RHSA-2015:0287-01 foreman-proxy 2015-03-03

Comments (none posted)

httpd: denial of service

Package(s): httpd    CVE #(s): CVE-2014-3583
Created: March 2, 2015    Updated: March 4, 2015
Description: From the CVE entry:

The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers.

Alerts:
Gentoo 201701-36 apache 2017-01-15
Red Hat RHSA-2015:1855-01 mod_proxy_fcgi 2015-10-02
Slackware SSA:2015-111-03 httpd 2015-04-21
Fedora FEDORA-2014-17195 httpd 2015-03-16
Ubuntu USN-2523-1 apache2 2015-03-10
Fedora FEDORA-2014-17153 httpd 2015-02-28

Comments (none posted)

kfreebsd-9: denial of service

Package(s): kfreebsd-9    CVE #(s): CVE-2015-1414
Created: February 26, 2015    Updated: May 19, 2015
Description: From the Debian advisory:

Mateusz Kocielski and Marek Kroemeke discovered that an integer overflow in IGMP processing may result in denial of service through malformed IGMP packets.

Alerts:
Debian DSA-3175-2 kfreebsd-9 2015-05-19
Debian DSA-3175-1 kfreebsd-9 2015-02-25

Comments (none posted)

librsvg2: multiple unspecified vulnerabilities

Package(s): librsvg2    CVE #(s):
Created: March 2, 2015    Updated: March 9, 2015
Description: From the Fedora advisory:

Update to 2.40.7. This contains various security fixes for which CVEs have apparently not yet been issued.

From the Mageia bug report:

Version 2.40.7

  • Bugs fixed from fuzz testing: #703102, #738050, #738169, #744270, #744299
  • Fixed unfiled bug from fuzz testing, where the convolution filter had an integer multiplication overflow.
  • Fix build of rsvg-convert on Windows.
  • Fix a bunch of compiler warnings.

Alerts:
Mageia MGASA-2015-0100 librsvg 2015-03-08
Fedora FEDORA-2015-2134 librsvg2 2015-02-28
Fedora FEDORA-2015-2166 librsvg2 2015-02-28

Comments (none posted)

libuv: privilege escalation

Package(s): libuv    CVE #(s): CVE-2015-0278
Created: March 2, 2015    Updated: November 17, 2016
Description: From the Red Hat bugzilla:

It was found that libuv does not call setgroups before calling setuid/setgid. This may potentially allow an attacker to gain elevated privileges.

Alerts:
Gentoo 201611-10 libuv 2016-11-17
Mandriva MDVSA-2015:228 nodejs 2015-05-06
Mageia MGASA-2015-0186 nodejs 2015-05-05
Fedora FEDORA-2015-2313 v8 2015-02-28
Fedora FEDORA-2015-2313 nodejs 2015-02-28
Fedora FEDORA-2015-2313 libuv 2015-02-28
Fedora FEDORA-2015-2310 v8 2015-03-13
Fedora FEDORA-2015-2310 nodejs 2015-03-13
Fedora FEDORA-2015-2310 libuv 2015-03-13

Comments (none posted)

mozilla: code execution

Package(s): firefox, thunderbird, seamonkey    CVE #(s): CVE-2015-0828
Created: March 2, 2015    Updated: March 4, 2015
Description: From the CVE entry:

Double free vulnerability in the nsXMLHttpRequest::GetResponse function in Mozilla Firefox before 36.0, when a nonstandard memory allocator is used, allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via crafted JavaScript code that makes an XMLHttpRequest call with zero bytes of data.

Alerts:
Gentoo 201701-15 firefox 2017-01-03
Gentoo 201504-01 firefox 2015-04-07
Mageia MGASA-2015-0126 iceape 2015-04-03
openSUSE openSUSE-SU-2015:0570-1 seamonkey 2015-03-23
openSUSE openSUSE-SU-2015:0404-1 firefox, nss 2015-03-01

Comments (none posted)

python-rope: code execution

Package(s): python-rope    CVE #(s): CVE-2014-3539
Created: March 4, 2015    Updated: April 1, 2015
Description: The python-rope utility has been caught passing remotely supplied data to pickle.load(), enabling possible code-execution attacks. See the Red Hat bug entry for details.

Alerts:
Mageia MGASA-2015-0122 python-rope 2015-04-01
openSUSE openSUSE-SU-2015:0413-1 python-rope 2015-03-03

Comments (none posted)

request-tracker: multiple vulnerabilities

Package(s): request-tracker4    CVE #(s): CVE-2014-9472 CVE-2015-1165 CVE-2015-1464
Created: February 27, 2015    Updated: April 6, 2015
Description: From the Debian advisory:

CVE-2014-9472 - Christian Loos discovered a remote denial of service vulnerability, exploitable via the email gateway and affecting any installation which accepts mail from untrusted sources. Depending on RT's logging configuration, a remote attacker can take advantage of this flaw to cause CPU and excessive disk usage.

CVE-2015-1165 - Christian Loos discovered an information disclosure flaw which may reveal RSS feeds URLs, and thus ticket data.

CVE-2015-1464 - It was discovered that RSS feed URLs can be leveraged to perform session hijacking, allowing a user with the URL to log in as the user that created the feed.

Alerts:
Fedora FEDORA-2015-4666 rt 2015-04-04
Debian-LTS DLA-158-1 request-tracker3.8 2015-02-27
Debian DSA-3176-1 request-tracker4 2015-02-26

Comments (none posted)

qt: denial of service

Package(s): qt    CVE #(s): CVE-2015-0295
Created: March 4, 2015    Updated: April 22, 2015
Description: From the Qt security advisory:

It is possible to construct BMP files such that, when calculating the masks required to extract the colour components, a division by zero occurs.

An application loading the malicious BMP file will crash.

Alerts:
Ubuntu USN-2626-1 qt4-x11, qtbase-opensource-src 2015-06-03
Fedora FEDORA-2015-6925 mingw-qt5-qtbase 2015-05-04
Debian-LTS DLA-210-1 qt4-x11 2015-04-30
Slackware SSA:2015-111-13 qt 2015-04-21
openSUSE openSUSE-SU-2015:0573-1 kdebase4-runtime, 2015-03-23
Fedora FEDORA-2015-2895 qt 2015-03-04
Fedora FEDORA-2015-2901 qt3 2015-03-09
Mageia MGASA-2015-0105 qt3, qt4, qt5base 2015-03-12
Fedora FEDORA-2015-2897 qt 2015-03-06
Fedora FEDORA-2015-2886 qt3 2015-03-09

Comments (none posted)

unace: code execution

Package(s): unace    CVE #(s): CVE-2015-2063
Created: March 3, 2015    Updated: March 4, 2015
Description: From the Debian advisory:

Jakub Wilk discovered that unace, a utility to extract, test and view .ace archives, contained an integer overflow leading to a buffer overflow. If a user or automated system were tricked into processing a specially crafted ace archive, an attacker could cause a denial of service (application crash) or, possibly, execute arbitrary code.

Alerts:
Debian-LTS DLA-164-1 unace 2015-03-03
Debian DSA-3178-1 unace 2015-03-02

Comments (none posted)

vorbis-tools: denial of service

Package(s): vorbis-tools    CVE #(s): CVE-2014-9638 CVE-2014-9639
Created: March 2, 2015    Updated: March 18, 2015
Description: From the CVE entries:

oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero. (CVE-2014-9638)

Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access. (CVE-2014-9639)

Alerts:
Debian-LTS DLA-317-1 vorbis-tools 2015-09-29
Arch Linux ASA-201503-24 vorbis-tools 2015-03-25
openSUSE openSUSE-SU-2015:0522-1 vorbis-tools 2015-03-18
Fedora FEDORA-2015-2330 vorbis-tools 2015-02-28
Fedora FEDORA-2015-2335 vorbis-tools 2015-02-28
Mageia MGASA-2015-0094 vorbis-tools 2015-03-05

Comments (none posted)

Page editor: Jake Edge


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds