OpenSSL Security Advisory


OpenSSL Security Advisory

openssl

OpenSSL Security Advisory [09 September 2020]
=============================================

Raccoon Attack (CVE-2020-1968)
==============================

Severity: Low

The Raccoon attack exploits a flaw in the TLS specification which can lead to
an attacker being able to compute the pre-master secret in connections which
have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would
result in the attacker being able to eavesdrop on all encrypted communications
sent over that TLS connection. The attack can only be exploited if an
implementation re-uses a DH secret across multiple TLS connections. Note that
this issue only impacts DH ciphersuites and not ECDH ciphersuites.

OpenSSL 1.1.1 is not vulnerable to this issue: it never reuses a DH secret and
does not implement any "static" DH ciphersuites.

OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH
ciphersuite is used. These static "DH" ciphersuites are ones that start with the
text "DH-" (for example "DH-RSA-AES256-SHA"). The standard IANA names for these
ciphersuites all start with "TLS_DH_", excluding those that start with
"TLS_DH_anon_".

OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS
connections in server processes unless the SSL_OP_SINGLE_DH_USE option was
explicitly configured. Therefore all ciphersuites that use DH in servers
(including ephemeral DH) are vulnerable in these versions. In OpenSSL 1.0.2f
SSL_OP_SINGLE_DH_USE was made the default and it could not be turned off as a
response to CVE-2016-0701.

Since the vulnerability lies in the TLS specification, fixing the affected
ciphersuites is not viable. For this reason 1.0.2w moves the affected
ciphersuites into the "weak-ssl-ciphers" list. Support for the
"weak-ssl-ciphers" is not compiled in by default. This is unlikely to cause
interoperability problems in most cases since use of these ciphersuites is rare.
Support for the "weak-ssl-ciphers" can be added back by configuring OpenSSL at
compile time with the "enable-weak-ssl-ciphers" option. This is not recommended.

OpenSSL 1.0.2 is out of support and no longer receiving public updates.

Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2w.  If
upgrading is not viable then users of OpenSSL 1.0.2v or below should ensure
that affected ciphersuites are disabled through runtime configuration. Also
note that the affected ciphersuites are only available on the server side if a
DH certificate has been configured. These certificates are very rarely used and
for this reason this issue has been classified as LOW severity.

This issue was found by Robert Merget, Marcus Brinkmann, Nimrod Aviram and Juraj
Somorovsky and reported to OpenSSL on 28th May 2020 under embargo in order to
allow co-ordinated disclosure with other implementations.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
The impact of this issue on OpenSSL 1.1.0 has not been analysed.

Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20200909.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

Re: OpenSSL Security Advisory

OpenSSL - User mailing list
On 2020-09-09 14:39, OpenSSL wrote:

> OpenSSL Security Advisory [09 September 2020]
> =============================================
>
> Raccoon Attack (CVE-2020-1968)
> ==============================
>
> Severity: Low
>
> The Raccoon attack exploits a flaw in the TLS specification which can lead to
> an attacker being able to compute the pre-master secret in connections which
> have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would
> result in the attacker being able to eavesdrop on all encrypted communications
> sent over that TLS connection. The attack can only be exploited if an
> implementation re-uses a DH secret across multiple TLS connections. Note that
> this issue only impacts DH ciphersuites and not ECDH ciphersuites.
>
> OpenSSL 1.1.1 is not vulnerable to this issue: it never reuses a DH secret and
> does not implement any "static" DH ciphersuites.
>
> OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH
> ciphersuite is used. These static "DH" ciphersuites are ones that start with the
> text "DH-" (for example "DH-RSA-AES256-SHA"). The standard IANA names for these
> ciphersuites all start with "TLS_DH_" but excludes those that start with
> "TLS_DH_anon_".
>
> OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS
> connections in server processes unless the SSL_OP_SINGLE_DH_USE option was
> explicitly configured. Therefore all ciphersuites that use DH in servers
> (including ephemeral DH) are vulnerable in these versions. In OpenSSL 1.0.2f
> SSL_OP_SINGLE_DH_USE was made the default and it could not be turned off as a
> response to CVE-2016-0701.
>
> Since the vulnerability lies in the TLS specification, fixing the affected
> ciphersuites is not viable. For this reason 1.0.2w moves the affected
> ciphersuites into the "weak-ssl-ciphers" list. Support for the
> "weak-ssl-ciphers" is not compiled in by default. This is unlikely to cause
> interoperability problems in most cases since use of these ciphersuites is rare.
> Support for the "weak-ssl-ciphers" can be added back by configuring OpenSSL at
> compile time with the "enable-weak-ssl-ciphers" option. This is not recommended.
>
> OpenSSL 1.0.2 is out of support and no longer receiving public updates.
>
> Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2w.  If
> upgrading is not viable then users of OpenSSL 1.0.2v or below should ensure
> that affected ciphersuites are disabled through runtime configuration. Also
> note that the affected ciphersuites are only available on the server side if a
> DH certificate has been configured. These certificates are very rarely used and
> for this reason this issue has been classified as LOW severity.
>
> This issue was found by Robert Merget, Marcus Brinkmann, Nimrod Aviram and Juraj
> Somorovsky and reported to OpenSSL on 28th May 2020 under embargo in order to
> allow co-ordinated disclosure with other implementations.
>
> Note
> ====
>
> OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
> support is available for premium support customers:
> https://www.openssl.org/support/contracts.html
>
> OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
> The impact of this issue on OpenSSL 1.1.0 has not been analysed.
>
> Users of these versions should upgrade to OpenSSL 1.1.1.
>
> References
> ==========
>
> URL for this Security Advisory:
> https://www.openssl.org/news/secadv/20200909.txt
>
> Note: the online version of the advisory may be updated with additional details
> over time.
>
> For details of OpenSSL severity classifications please see:
> https://www.openssl.org/policies/secpolicy.html
>
Wouldn't a more reasonable response for 1.0.2 users have been to force on
SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected cipher
suites and telling affected people to recompile with the fix off?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: OpenSSL Security Advisory

Tomas Mraz-2
On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote:
> Wouldn't a more reasonable response for 1.0.2 users have been to
> force on
> SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected
> cipher
> suites
> and telling affected people to recompile with the fix off?

You seem to be mixing two different affected things. One is the static
DH ciphersuites. There is no remediation for these except for not using
them. Fortunately they are not really used by anyone. This can be
achieved on the server side by simply not providing the DH certificate.
On the client side they can be dropped from the ciphers string. This is
the "deprecating affected cipher suites" change part.

On the other hand, the reuse of the DH key for ephemeral DH can only be
disabled by setting SSL_OP_SINGLE_DH_USE in the calling server application.
This is the part relevant for the wider audience.

So yes, both issues can be remediated by the application calling the
OpenSSL library. On the other hand it is not always possible to change
the application, so we also provide a fix to premium support customers in
terms of changing the OpenSSL code.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
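The advisory's naming rule ("DH-" / "TLS_DH_" but not "TLS_DH_anon_") and its version-dependent reuse behaviour, together with the cipher-string remediation Tomas describes, as an added example that is not from the advisory, the thread's authors or the OpenSSL project. It assumes a simplified `openssl ciphers -v` line layout and a prefix list for finite-field DH suite names; the sample lines are constructed, not captured output, and the separate SSL_OP_SINGLE_DH_USE step is not modelled here.

```python
import re

# Constructed sample shaped like `openssl ciphers -v` output (not real output).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH   Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-SHA           SSLv3   Kx=DH/RSA Au=DH   Enc=AES(256)    Mac=SHA1
DH-DSS-AES128-SHA           SSLv3   Kx=DH/DSS Au=DH   Enc=AES(128)    Mac=SHA1
ADH-AES256-SHA              SSLv3   Kx=DH     Au=None Enc=AES(256)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA    Au=RSA  Enc=AES(256)    Mac=SHA1
"""

def is_static_dh(name):
    """Advisory rule: OpenSSL names starting "DH-", or IANA names starting
    "TLS_DH_" except the anonymous "TLS_DH_anon_" ones."""
    if name.startswith("DH-"):
        return True
    return name.startswith("TLS_DH_") and not name.startswith("TLS_DH_anon_")

def uses_ffdh(name):
    """Any finite-field DH key exchange (static, ephemeral, anonymous). The
    prefix list is an assumption; ECDH(E) is excluded, as the advisory says."""
    return re.match(r"^(EXP-)?(DH-|DHE-|EDH-|ADH-|TLS_DH_|TLS_DHE_)", name) is not None

def affected_suites(version, names):
    """Suites whose DH secret a server could reuse at this OpenSSL version:
    <= 1.0.2e every DH suite; 1.0.2f+ static DH only; 1.1.1 none; 1.1.0 unknown."""
    if version.startswith("1.1.1"):
        return []
    m = re.fullmatch(r"1\.0\.2([a-z]?)", version)
    if m is None:
        raise ValueError("version not covered by the advisory: " + version)
    if m.group(1) <= "e":
        return [n for n in names if uses_ffdh(n)]
    return [n for n in names if is_static_dh(n)]

def audit_ciphers_output(version, text):
    """Parse `openssl ciphers -v` style lines and return the affected suites."""
    names = [line.split()[0] for line in text.splitlines() if line.strip()]
    return affected_suites(version, names)

def exclusion_string(affected):
    """Cipher-string suffix that disables the flagged suites at runtime,
    e.g. appended to DEFAULT in SSL_CTX_set_cipher_list or SSLCipherSuite."""
    return "".join(":!" + n for n in affected)

if __name__ == "__main__":
    for v in ("1.0.2e", "1.0.2v", "1.1.1g"):
        bad = audit_ciphers_output(v, SAMPLE_CIPHERS_V)
        print(v, bad, "DEFAULT" + exclusion_string(bad))
```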



Re: OpenSSL Security Advisory

OpenSSL - User mailing list
On 2020-09-10 09:03, Tomas Mraz wrote:

> On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote:
>> Wouldn't a more reasonable response for 1.0.2 users have been to
>> force on
>> SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected
>> cipher
>> suites
>> and telling affected people to recompile with the fix off?
>
> You seem to be mixing two different affected things. One is the static
> DH ciphersuites. There is no remediation for these except for not using
> them. Fortunately they are not really used by anyone. This can be
> achieved on the server side by simply not providing the DH certificate.
> On the client side they can be dropped from the ciphers string. This is
> the "deprecating affected cipher suites" change part.
>
> On the other hand the reuse of DH key for ephemeral DH can be only
> disabled by setting SSL_OP_SINGLE_DH_USE by the calling server application. This is the part relevant for wider audience.
>
> So yes, both issues can be remediated by application calling the
> OpenSSL library. On the other hand it is not always possible to change
> the application so we also provide fix to premium support customers in
> terms of changing the openssl code.
>


The advisory didn't include this clarification, and didn't state whether
1.0.2w fixes the DHE case by doing what 1.1.x does and acting like
SSL_OP_SINGLE_DH_USE is always set.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: OpenSSL Security Advisory

Matt Caswell-2


On 10/09/2020 16:14, Jakob Bohm via openssl-users wrote:

> On 2020-09-10 09:03, Tomas Mraz wrote:
>> On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote:
>>> Wouldn't a more reasonable response for 1.0.2 users have been to
>>> force on
>>> SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected
>>> cipher
>>> suites
>>> and telling affected people to recompile with the fix off?
>>
>> You seem to be mixing two different affected things. One is the static
>> DH ciphersuites. There is no remediation for these except for not using
>> them. Fortunately they are not really used by anyone. This can be
>> achieved on the server side by simply not providing the DH certificate.
>> On the client side they can be dropped from the ciphers string. This is
>> the "deprecating affected cipher suites" change part.
>>
>> On the other hand the reuse of DH key for ephemeral DH can be only
>> disabled by setting SSL_OP_SINGLE_DH_USE by the calling server
>> application. This is the part relevant for wider audience.
>>
>> So yes, both issues can be remediated by application calling the
>> OpenSSL library. On the other hand it is not always possible to change
>> the application so we also provide fix to premium support customers in
>> terms of changing the openssl code.
>>
>
>
> The advisory didn't include this clarification,

Isn't the text below from the advisory more-or-less what Tomas said?

"OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH
ciphersuite is used
...
Since the vulnerability lies in the TLS specification, fixing the
affected ciphersuites is not viable. For this reason 1.0.2w moves the
affected ciphersuites into the "weak-ssl-ciphers" list."


> and didn't state if
> 1.0.2w fixes the DHE case by doing what 1.1.x does and act like
> SSL_OP_SINGLE_DH_USE is always set.

The advisory says that SSL_OP_SINGLE_DH_USE was made the default in 1.0.2f:

"OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS
connections in server processes unless the SSL_OP_SINGLE_DH_USE option
was explicitly configured. Therefore all ciphersuites that use DH in
servers (including ephemeral DH) are vulnerable in these versions. In
OpenSSL 1.0.2f SSL_OP_SINGLE_DH_USE was made the default and it could
not be turned off as a response to CVE-2016-0701."

Matt