Bugtraq mailing list archives

SSL Vulnerability


From: aleph1 () DFW NET (Aleph One)
Date: Fri, 26 Jun 1998 09:48:19 -0500


http://www.c2.net/products/stronghold/support/PKCS1.php

  Background

   Last week, RSA Data Security notified C2Net Software of a potential
   vulnerability that affects the SSL protocol. C2Net Software has
   developed a pre-emptive patch which is implemented in the latest
   version of Stronghold 2.3. This document is intended to address
   questions C2Net customers may have about the implications of that
   discovery to their own site.

  Technical information

   This vulnerability involves a chosen ciphertext attack discovered by
   researcher Daniel Bleichenbacher at Bell Labs against
   interactive key establishment protocols that use PKCS1, such as SSL.
   This can result in the compromise of the session key used for a
   particular session after repeatedly sending approximately one million
   carefully constructed messages and observing the server's response.

   Please see our press release and advisory for additional
   details. RSA Labs brought this attack to our attention and their
   site contains a more technical overview. CERT will also issue a
   bulletin, as will a number of other web server vendors.

  What does it mean?

   There is potential for a sophisticated user to be able to decrypt a
   recorded session's session key and use that to obtain the data
   transmitted during that session if they have access to a server they
   can use to send approximately one million carefully selected messages
   to your server and see what errors it reports. Note that this attack
   has to be repeated approximately a million times for each and every
   session that an attacker wishes to compromise, because the server's
   private key remains uncompromised as a result of this attack.
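The leak the advisory describes is the server's visible reaction to a malformed PKCS#1 block. The following is an added illustration, not the advisory's text nor Stronghold's or SSLeay's code: it unpads a PKCS#1 v1.5 block type 02 message the way the logged `RSA_padding_check_PKCS1_type_2` step does, shows the observable difference an unpatched server exposes, and beside it the countermeasure of substituting a random pre-master secret on failure so the handshake fails later in a way that looks the same for every malformed message. The countermeasure is assumed here as the generic fix (it is the approach TLS 1.0, RFC 2246 section 7.4.7.1, later standardised); the advisory itself does not say what the Stronghold patch changes. The sample blocks are constructed, and real RSA arithmetic is left out since only the padding step matters for the point.

```python
import secrets

PREMASTER_LEN = 48  # SSL 3.0 pre-master secret length


class PaddingError(ValueError):
    """Reason-specific failures, mirroring the distinct SSLeay error strings in the log."""


def pkcs1_type2_unpad(block: bytes) -> bytes:
    """Strip PKCS#1 v1.5 block type 02 padding from an RSA-decrypted block.

    Layout (k = modulus length in bytes):
        0x00 || 0x02 || PS (at least 8 non-zero bytes) || 0x00 || M
    `block` is assumed to be the full k-byte output, leading zero included.
    Every malformed case raises a distinct, visible error; that is the oracle.
    """
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        raise PaddingError("block type is not 02")
    sep = block.find(0x00, 2)
    if sep == -1:
        raise PaddingError("padding check failed: no separator")
    if sep - 2 < 8:
        raise PaddingError("padding check failed: padding string too short")
    return block[sep + 1:]


def server_response_vulnerable(block: bytes) -> str:
    """What a client sees from an unpatched server: a padding failure aborts the
    handshake immediately with 'bad rsa decrypt', distinguishable from a block
    that unpadded cleanly."""
    try:
        pkcs1_type2_unpad(block)
    except PaddingError as e:
        return f"alert: bad rsa decrypt ({e})"
    return "continue: waiting for Finished"


def premaster_hardened(block: bytes) -> bytes:
    """Countermeasure (assumed generic fix): never reveal whether unpadding
    succeeded. On any failure substitute a fresh random pre-master secret and
    carry on; the handshake then fails at the Finished message exactly as it
    would for a well-formed but wrong ClientKeyExchange."""
    try:
        secret = pkcs1_type2_unpad(block)
        if len(secret) != PREMASTER_LEN:
            raise PaddingError("padding check failed: wrong secret length")
    except PaddingError:
        secret = secrets.token_bytes(PREMASTER_LEN)
    return secret


def server_response_hardened(block: bytes) -> str:
    """Identical observable outcome for valid and invalid padding."""
    premaster_hardened(block)
    return "continue: waiting for Finished"


if __name__ == "__main__":
    # Constructed blocks: a valid one and one with the wrong block type.
    good = b"\x00\x02" + b"\x7f" * 8 + b"\x00" + bytes(range(1, 49))
    bad = b"\x00\x01" + b"\x7f" * 8 + b"\x00" + bytes(range(1, 49))
    print("unpatched:", server_response_vulnerable(good), "|", server_response_vulnerable(bad))
    print("hardened: ", server_response_hardened(good), "|", server_response_hardened(bad))
```

The hardened path removes the explicit error, but a careful implementation also has to keep the two paths equal in timing and in what gets logged; the advisory's detection advice depends on the unpatched server writing three error lines per probe, which the patched path must not do.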

  How can I tell if I'm being attacked?

   For each of the approximately one million messages necessary to
   attack a single session, the following 3 lines will be logged in your
   ssl/error_log file:

   1575:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:rsa_pk1.c:207
   1575:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:330
   1575:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1259

   NOTE that this equates to about 300MB of log output for an attack on a
   single session. Although running out of space on the partition your log
   files are written to could definitely be an indication, we suggest
   keeping an eye out for any unusual growth in the size of this file.
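Watching the partition fill up is a late signal. As an added example (not part of the advisory and not a C2Net tool), the script below parses SSLeay error-queue records of the form `pid:error:code:library:function:reason:file:line`, re-joins records that were wrapped onto two lines as in the excerpt above, counts the `1408B076` "bad rsa decrypt" marker per server process, flags any process that exceeds a threshold, and projects log growth from the byte size of the three sample lines. The threshold and the sample log are constructed; a handful of bad decrypts from broken clients is normal, while the attack needs on the order of a million.

```python
import re
from collections import Counter

# One error-queue record as written to Stronghold's ssl/error_log:
#   pid:error:code:library:function:reason:file:line
LOG_RE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+)$"
)
RECORD_START = re.compile(r"^\d+:error:")

# The three codes the advisory lists for every probe; the last one closes
# a failed ClientKeyExchange, so it is the one we count.
ORACLE_CODES = {"0407006B", "04064072", "1408B076"}
PROBE_MARKER = "1408B076"

# The advisory's three lines, unwrapped (constructed sample, pid 1575).
PROBE_TRIPLE = [
    "1575:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:rsa_pk1.c:207",
    "1575:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:330",
    "1575:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1259",
]


def unwrap(lines):
    """Re-join records that a mailer or pager wrapped onto a following line.
    Assumes the input holds only error-queue records (each starts 'pid:error:')."""
    out = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        if RECORD_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] = out[-1] + " " + line.strip()
    return out


def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def count_probes(lines):
    """Probe events ('bad rsa decrypt') per server pid."""
    per_pid = Counter()
    for line in unwrap(lines):
        rec = parse_line(line)
        if rec and rec["code"] == PROBE_MARKER:
            per_pid[rec["pid"]] += 1
    return per_pid


def flag_suspicious(lines, threshold=100):
    """Pids whose probe count exceeds the threshold (constructed default)."""
    return sorted(pid for pid, n in count_probes(lines).items() if n > threshold)


def bytes_per_probe(triple=PROBE_TRIPLE):
    """Size of one probe's three log lines including newlines."""
    return sum(len(l) + 1 for l in triple)


def projected_log_growth(probes=1_000_000):
    """Bytes of ssl/error_log written for the given number of probes."""
    return probes * bytes_per_probe()


# Constructed sample log: five probes from pid 1575, one from pid 1580.
SAMPLE_LOG = PROBE_TRIPLE * 5 + [l.replace("1575:", "1580:", 1) for l in PROBE_TRIPLE]

if __name__ == "__main__":
    print(count_probes(SAMPLE_LOG))
    print("suspicious:", flag_suspicious(SAMPLE_LOG, threshold=3))
    print("projected growth for 1e6 probes: %.0f MB" % (projected_log_growth() / 1e6))
```

Run it against a copy of `ssl/error_log` by feeding the file's lines to `flag_suspicious`; the projection for a million probes lands close to the advisory's 300MB figure, which is why the three sample lines are enough to size an alert on file growth.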

  What can I do to protect myself?

   This vulnerability has only been reported in a research environment
   and there have not been reports of sites experiencing this attack
   outside of that. However, the publication of this type of
   vulnerability may enable sophisticated users to implement it.
   Customers are urged to upgrade as a precaution to the latest
   version of Stronghold 2.3, which supports this fix as of build
   2010 for customers in the US/Canada, build 2051 for customers
   elsewhere. You can determine which version you are running from the
   output of httpsd -v.

  What other vendors/products are affected?

   All major vendors have announced that they are working on patched
   versions of their web server products to combat this potential
   vulnerability. This vulnerability is not limited to web servers.
   Products using SSL to do secure tunneling, for example, may also be
   affected.

Sites with other information:

http://www.rsa.com/rsalabs/
http://www.ssleay.org/announce/pkcs1.html
http://www.microsoft.com/security/bulletins/ms98-002.htm
http://www.openmarket.com/security/
http://help.netscape.com/products/server/ssldiscovery/
http://www.consensus.com/ssl-rsa.html
ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/README.PKCS1
