Bleichenbacher Vulnerability

haris iqbal
Hi,

I was wondering when exactly (the version) was the OpenSSL library
patched for the Bleichenbacher Vulnerability?

Since the Bleichenbacher Vulnerability had a number of variations,
most recently ROBOT being one of them, I wanted to know whether
OpenSSL is immune to this attack because of a patch sometime in the
past, or it has always been immune.

Wanted to know this, since my custom application uses an older version
of OpenSSL, and I wanted to be sure that it is not affected.

--

With regards,

Md Haris Iqbal,
Contact: +91 8861996962
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Bleichenbacher Vulnerability

M K Saravanan
On 20 December 2017 at 14:21, haris iqbal <[hidden email]> wrote:
> Wanted to know this, since my custom application uses an older version
> of OpenSSL, and I wanted to be sure that it is not affected.

Not answering your original question.  But you can test it using one
of the following tools:

========
The following tools have checks that will cover ROBOT:

testssl.sh has a test closely modelled after our own one. A snapshot
is available, it's not yet part of a release. It also supports SNI and
STARTTLS, which our test does not.

TLS-Attacker already contained Bleichenbacher checks before our
research, version 2.2 was extended with additional checks to cover all
ROBOT variations.

SSLLabs has added a check in their development version.

Tripwire IP360 added detection for vulnerable F5 devices in ASPL-753
which was released in coordination with F5's public advisory. Generic
detection of Bleichenbacher oracles will be released in coordination
with this publication.

tlsfuzzer has an extensive test script for Bleichenbacher vulns,
though it will also complain about misbehaving servers that are not
necessarily vulnerable.

SSLyze added support for ROBOT detection after our disclosure.
=========
Ref: https://robotattack.org/

-- mks --

Re: Bleichenbacher Vulnerability

Hanno Böck-4
In reply to this post by haris iqbal
Hi,

On Wed, 20 Dec 2017 11:51:39 +0530
haris iqbal <[hidden email]> wrote:

> I was wondering when exactly (the version) was the OpenSSL library
> patched for the Bleichenbacher Vulnerability?

It was probably fixed some time in the late 90s. However according to
https://www.openssl.org/news/changelog.html

the countermeasures were accidentally removed in some 0.9.6 version.

However there also was a 2012/2013 timing version of the attack fixed
here:
https://github.com/openssl/openssl/commit/adb46dbc6dd7347750df2468c93e8c34bcb93a4b

We also observed some old OpenSSL 0.9.8g crashing when we ran
Bleichenbacher scans against it, but we haven't entirely analyzed this.

> Wanted to know this, since my custom application uses an older version
> of OpenSSL, and I wanted to be sure that it is not affected.

Don't do this. Switch to a supported version. There's no way you will
plausibly keep this secure. Bleichenbacher attacks may be the least of
your worries.



--
Hanno Böck
https://hboeck.de/

mail/jabber: [hidden email]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Re: Bleichenbacher Vulnerability

Bodo Moeller
Hanno Böck <[hidden email]>:

> > I was wondering when exactly (the version) was the OpenSSL library
> > patched for the Bleichenbacher Vulnerability?
>
> It was probably fixed some time in the late 90s. However according to
> https://www.openssl.org/news/changelog.html
>
> the countermeasures were accidentally removed in some 0.9.6 version.

The original countermeasure had been present back in SSLeay, but it also had never actually worked at all until I accidentally removed it from s3_srvr.c in 0.9.5 (not 0.9.6) and put it back in 0.9.6g with a fix. The original implementation would have generated a randomized master secret but then still ended the handshake with an error alert, thus achieving nothing. The main takeaway from that is that good source code comments are invaluable, because reverse-engineering the intentions underlying the code can be particularly hard if said code doesn't actually do what it's intended to do :-)

Of course, in the end the 0.9.6g fix didn't achieve too much (other than adding a source code comment explaining what that randomization was all about), because the RFC 2246 countermeasure was still subject to the Klíma-Pokorný-Rosa attack discovered later (and first addressed in 0.9.6j). And of course, as you've already pointed out, that still left timing attacks.

> > Wanted to know this, since my custom application uses an older version
> > of OpenSSL, and I wanted to be sure that it is not affected.
>
> Don't do this. Switch to a supported version. There's no way you will
> plausibly keep this secure. Bleichenbacher attacks may be the least of
> your worries.

I completely agree. If you're using an "older version of OpenSSL", likely it's subject to a few vulnerabilities with and without logos, and thus is not what you should be running today.

Bodo
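
[Added example, not part of the original thread and not OpenSSL source code: a small C model of the ClientKeyExchange handling Bodo Moeller describes above, with the original "randomize, then alert anyway" behaviour beside the fixed one. The names process_cke, pkcs1_unpad and oracle_visible are hypothetical, the 64-byte block is constructed, and the version check models the issue behind the Klíma-Pokorný-Rosa attack, handled as in RFC 5246 section 7.4.7.1.]

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN 48
enum outcome { HANDSHAKE_CONTINUES, ALERT_SENT };

/* Parse an already RSA-decrypted block: 00 02 <8+ nonzero bytes> 00 <48-byte PMS>.
 * Logic only; production code must also make this constant time. */
static int pkcs1_unpad(const uint8_t *em, size_t len, uint8_t *pms) {
    size_t i = 2;
    if (len < 11 + PMS_LEN || em[0] != 0x00 || em[1] != 0x02) return 0;
    while (i < len && em[i] != 0x00) i++;
    if (i == len || i < 10 || len - i - 1 != PMS_LEN) return 0;
    memcpy(pms, em + i + 1, PMS_LEN);
    return 1;
}

/* rnd: 48 fresh bytes the caller drew from a CSPRNG before decrypting. */
static enum outcome process_cke(int fixed, const uint8_t *em, size_t len,
                                uint16_t ver, const uint8_t *rnd, uint8_t *pms) {
    int ok;
    memset(pms, 0, PMS_LEN);
    ok = pkcs1_unpad(em, len, pms);
    if (!fixed) {   /* original behaviour: randomize, then alert anyway */
        if (!ok) { memcpy(pms, rnd, PMS_LEN); return ALERT_SENT; }
        return HANDSHAKE_CONTINUES;
    }
    /* fixed: a wrong client version in the PMS is handled like bad padding */
    ok &= (pms[0] == (ver >> 8)) & (pms[1] == (ver & 0xff));
    if (!ok) memcpy(pms, rnd, PMS_LEN);
    return HANDSHAKE_CONTINUES;   /* failure only surfaces at Finished */
}

/* Constructed 64-byte sample. Returns 1 if the outcome differs between a
 * well-formed block and one whose 00 02 header is corrupted (an oracle). */
static int oracle_visible(int fixed) {
    uint8_t em[64], rnd[PMS_LEN], pms[PMS_LEN];
    memset(em, 0xAA, sizeof em); memset(rnd, 0x5C, sizeof rnd);
    em[0] = 0x00; em[1] = 0x02; em[15] = 0x00; em[16] = em[17] = 0x03;
    enum outcome good = process_cke(fixed, em, sizeof em, 0x0303, rnd, pms);
    em[1] = 0x01;
    return good != process_cke(fixed, em, sizeof em, 0x0303, rnd, pms);
}

int main(void) {
    printf("original: %d, fixed: %d\n", oracle_visible(0), oracle_visible(1));
    return 0;
}
```

The original path reports 1 because padding validity is directly observable, the fixed path reports 0. The timing side channel mentioned in the thread is outside this model.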



Re: Bleichenbacher Vulnerability

haris iqbal
Thanks for the response.


> Don't do this. Switch to a supported version. There's no way you will
> plausibly keep this secure. Bleichenbacher attacks may be the least of
> your worries.

I am actually using version 1.0.1h.

>  And of course, as you've already pointed out, that still left timing attacks.

So, when was this timing attack fixed?

On Wed, Dec 20, 2017 at 9:46 PM, Bodo Moeller <[hidden email]> wrote:

> Hanno Böck <[hidden email]>:
>
>> > I was wondering when exactly (the version) was the OpenSSL library
>> > patched for the Bleichenbacher Vulnerability?
>
>
>>
>> It was probably fixed some time in the late 90s. However according to
>> https://www.openssl.org/news/changelog.html
>>
>> the countermeasures were accidentally removed in some 0.9.6 version.
>
>
> The original countermeasure had been present back in SSLeay, but it also had
> never actually worked at all until I accidentally removed it from s3_srvr.c
> in 0.9.5 (not 0.9.6) and put it back in 0.9.6g with a fix. The original
> implementation would have generated a randomized master secret but then
> still ended the handshake with an error alert, thus achieving nothing. The
> main takeaway from that is that good source code comments are invaluable,
> because reverse-engineering the intentions underlying the code can be
> particularly hard if said code doesn't actually do what it's intended to do
> :-)
>
> Of course, in the end the 0.9.6g fix didn't achieve too much (other than
> adding a source code comment explaining what that randomization was all about),
> because the RFC 2246 countermeasure was still subject to the
> Klíma-Pokorný-Rosa attack discovered later (and first addressed in 0.9.6j).
> And of course, as you've already pointed out, that still left timing
> attacks.
>
>> > Wanted to know this, since my custom application uses an older version
>> > of OpenSSL, and I wanted to be sure that it is not affected.
>
>
>>
>> Don't do this. Switch to a supported version. There's no way you will
>> plausibly keep this secure. Bleichenbacher attacks may be the least of
>> your worries.
>
>
> I completely agree. If you're using an "older version of OpenSSL", likely
> it's subject to a few vulnerabilities with and without logos, and thus is
> not what you should be running today.
>
> Bodo



--

With regards,

Md Haris Iqbal,
Contact: +91 8861996962