Professional Documents
Culture Documents
ciphers)
15 04 HTTP .sys
(MS15-034)
15 05 LOGJAM
They can simulate the server cryptographically because they know how to crack the discrete LOG
problem for 512-bit primes using a pre-calculated dataset and a Number Field Sieve technique,
whereupon they JAM the forged results into their own replies.
Because the connection between the MiTM and the server is only export-grade, the attackers can
extract the session keys agreed during the TLS setup, and therefore read and modify the rest of the
sessions traffic.
15 03 FREAK
A TLS session using export grade RSA encryption (512-bit RSA keys) can be sniffed,
saved, and then fairly easily cracked later on. Today, we are talking about two
weeks of cracking on a decent $2000 laptop, or 12 hours and $100 using Amazons cloud.
Additionally, many servers use the same hardware-RSA key over and over again. In theory, this is not a
bad thing, because RSA keys arent supposed to be crackable, so you can save processing power by not
creating a new key every time.
But in the context of FREAK, it may mean that, after cracking a servers export grade key, you can use
the result to decrypt other sessions, using the same key, without paying another $100 (and without
waiting another 12 hours).
Cracking an RSA key is done by a technique known as factoring the modulus, something that is
supposed to be computationally unfeasbile, except in the case of export grade keys.
Loosely speaking, that means you decompose the key into its public part (which is supposed to be
public) and its private part (which you are never, ever supposed to get your hands on).
With the private key, you can now sign traffic from your own imposter website as though it came from a
trusted third party.
Indeed, the team behind the original FREAK research claim to have done just that to create a fake nsa
dot gov.
OpenSSL updated its code in January, so versions from 1.0.1k onwards dont have this bug. Microsoft
has published a list of workarounds that turn off export grade TLS encryption on Windows, which
prevents FREAK attacks from working.
See more at: Critical glibc Vulnerability Puts All Linux Machines at Risk https://wp.me/p3AjUX-ufb
Remote code execution is possible, but not straightforward. It needs to bypass the security mitigations
present on the system, such as ASLR.
See more at: Critical glibc Vulnerability Puts All Linux Machines at Risk https://wp.me/p3AjUX-ufb
It actually exists only in some versions of a software module called glibc, short for GNU C library;
its not used by default on Windows, OS X, iOS or Android. The issue affects all versions of glibc since
2.9
The bad news is that many, if not most, computers running Linux do use glibc, and may be at risk.
If you have any Linux-based systems, including home firewalls and routers:
Check with your vendor, or the maker of your distribution, to see if you need a patch.
If you do, make plans to apply the patch as soon as you can.
Oh, and if you are a programmer, you shouldnt really be using the gethostbyname functions anyway.
They were superseded many years ago by the much more flexible and useful function getaddrinfo(),
which you should use instead.
The bug can be used by an attacker for drive-by attacks to reliably run code
remotely and take over the users machine even sidestepping the Enhanced
Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced
Mitigation Experience Toolkit (EMET) anti-exploitation tool .
At this time, there is no evidence that the bug has been exploited in the wild.
This is perhaps in part due to the difficulty of exploiting CVE-2014-6332. Fixed array element sizes, few
opportunities for attackers to place arbitrary data where VBScript arrays were stored on the browser
heap, and the enforcement of variant type compatibility all have complicated attackers attempts up
until recently.
However, Freeman and his IBM X-Force Research team created a PoC and published detailed
information describing possible exploit steps for the vulnerability using VBscript.
MS November 2014 Patch Tuesday included remediation for this vulnerability.
14 10 POODLE
And you can tell your servers not to offer or to accept SSL 3.0 connections, so that you can never be
tricked into accepting a malicious sequence of POODLE downgrade requests.
only about 1 in 1000 users make SSL 3.0 connections at all.
Those 1 in 1000 users have much bigger problems than POODLE: most of them are using SSL 3.0 because
theyre still running IE 6 on Windows XP.
And thats a story for another day
14 04 HEARTBLEED
The bug only exists in the OpenSSL 1.0.1 source code (from version 1.0.1 to 1.0.1f
inclusive), because the faulty code relates to a fairly new feature known as the TLS
Heartbeat Extension.
The heartbeat extension was first documented in RFC 6520 in February 2012.
TLS heartbeats are used as keep alive packets so that the ends of an encrypted connection can agree
to keep the session open even when they dont have any official data to exchange.
Because the heartbeats consist of a reply and a matching response, they allow either end to confirm not
only that the session is open, but also that end-to-end connectivity is working properly.
https://xkcd.com/1354/
The HTTP pages must include both the PII that I want to guess and some chosen plaintext that I can
control.
The server must be requested, and configured, to serve the pages with compression turned on.
I need to persuade you, while you are logged in, to visit a page containing my malicious do-lots-ofsearches JavaScript.
I have to know what sort of PII I am looking for in order to structure my searches correctly.
I have to be able to sniff your traffic in sufficient detail to recover the length of each HTTP reply.
So, if you run a web server and you turn off compression for any pages that inlcude PII, you neutralise
this attack.
On the other side of the equation, you may be able to force your browser not to invite the use of HTTP
compression in the first place, thus neutralising the attack.
Once those first two bytes are cracked, a further 14 bytes can be cracked, one byte at a time, by trying
all 256 possible tweaks of each byte, for a total tweak cost of 216 + 1428.
And thats the Lucky Thirteen attack.
Its not a terribly practical attack, not least because perfect timing measurements are impossible:
Each tweak attempt causes a TLS session to terminate, which may be both noticeable and timeconsuming.
Each tweaked session needs to have the same plaintext at the same packet location for the
tweaking to be done exhaustively.
The authors needed 27 repetitions of an exhaustive set of 216 tweaks (thats eight million dud
TLS sessions!) to produce enough statistically-significant timing data for a reliable result.
Oh, and that was under ideal network circumstances, with the TLS client, server and MiTM computer on
the same dedicated LAN.
Nevertheless, its an important result because, as mentioned above, it punctures some of the
cryptographic sanctity that TLS is supposed to provide.
Solutions and mitigations, which designers of future protocols might bear in mind, include:
Design and write your code so it isnt measurably quicker or slower when errors occur, even if
this means performing redundant computations.
Use a stream cipher, not a block cipher, to avoid the need for plaintext padding.
Checksum the data after encryption, rather than encrypting the checksum. This ensures that the
quantity of data to be checksummed does not depend on the plaintext.
Use an authenticated encryption algorithm, like AES-GCM, that combines checksumming and
ciphering.
Interestingly, the last-listed mitigation above (use authenticated encryption) is already supported in TLS
version 1.2, which came out in 2008.
11 09 BEAST attack
In order to mount this attack, an adversary would need to be watching your internet
connection (MITM), and be able to force you to start your next TLS record with a
given string of his choice, and be able to guess something sensitive that you said
earlier, and guess which part of your TLS stream might have corresponded to it.
..and know the the ciphertext of the last block of the last message which is then
going to be used as the IV for the next message (SSL all versions and TLS1.0 only; TLS1.1 & 1.2 are not
vulnerable to this as IV ranomization is implemented).