Information Security News
I recorded an updated Internet Storm Center Briefing for today's OpenSSL patches. It corrects a couple of mistakes from this afternoon's live presentation and adds additional details to CVE-2014-0195.
HP's Zero Day Initiative released a few more details about this bug, explaining the nature of the problem. It is actually remarkably similar to some of the IP fragmentation bugs we have seen in the past.
DTLS attempts to avoid IP fragmentation. But many SSL-related messages contain data (for example certificates) that exceed common network MTUs. As a result, DTLS fragments the messages. Each message fragment contains 3 length-related fields:
- Message size (Length) - the total size after reassembly. It should be the same for all fragments.
- Fragment Offset - where this fragment fits in the original message.
- Fragment Length - how much data this fragment contains.
If there is no fragmentation, the fragment length is equal to the message size. However, if the fragment length is less than the message size, we do have fragmentation. Each fragment should indicate the same message size.
This is different from IP. In IP, the fragment does not know how large the original packet was, and we use the "more fragments" flag to figure out when all fragments are received.
Once OpenSSL receives a fragment, it allocates "Length" bytes to reassemble the entire message. However, the trick is that the next fragment may actually indicate a larger message size, and as a result deliver more data than OpenSSL reserved, leading to a typical buffer overflow.
You can see the complete source code at HP's blog, including a Wireshark display of a PoC packet. This essentially provides a PoC for this vulnerability. Interestingly, Wireshark does recognize this as an error.
(this is different, but sort of reminds me of the OpenBSD mbuf problem in IPv6, CVE-2007-1365)
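As an added illustration (not code from the ISC diary, HP's post or OpenSSL itself), here is a small DTLS handshake-fragment reassembler in C that enforces the consistency checks the fragment description above calls for. The 12-byte header layout follows RFC 6347; the type and function names are my own, and the three fragments in the demo are constructed sample input, not captured traffic.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* DTLS handshake fragment header, RFC 6347 section 4.2.2: 12 bytes on the wire. */
#define DTLS_HS_HDR_LEN 12
typedef struct {
    uint8_t  msg_type;     uint16_t message_seq;
    uint32_t length;       /* message size after reassembly (24-bit field) */
    uint32_t frag_offset;  /* where this fragment goes in the message (24-bit) */
    uint32_t frag_length;  /* how much message data this fragment carries (24-bit) */
} dtls_hs_hdr;
/* Reassembly state: the buffer is sized from the FIRST fragment's Length field. */
typedef struct { uint8_t *buf; uint32_t length; } reasm;
static uint32_t u24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }
/* Parse one fragment header; returns -1 if the packet is shorter than the header. */
int parse_hs_hdr(const uint8_t *pkt, size_t pktlen, dtls_hs_hdr *h) {
    if (pktlen < DTLS_HS_HDR_LEN) return -1;
    h->msg_type = pkt[0];  h->message_seq = (uint16_t)((pkt[4] << 8) | pkt[5]);
    h->length = u24(pkt + 1);  h->frag_offset = u24(pkt + 6);  h->frag_length = u24(pkt + 9);
    return 0;
}

/* Add one fragment; 0 = accepted, -1 = rejected. Every check runs before the memcpy. */
int reasm_add(reasm *r, const uint8_t *pkt, size_t pktlen) {
    dtls_hs_hdr h;
    if (parse_hs_hdr(pkt, pktlen, &h) < 0) return -1;
    if (h.frag_length > pktlen - DTLS_HS_HDR_LEN) return -1;   /* data must really be in the packet */
    if (r->buf == NULL) {                                      /* first fragment sizes the buffer */
        if (h.length == 0 || (r->buf = calloc(h.length, 1)) == NULL) return -1;
        r->length = h.length;
    } else if (h.length != r->length) {
        return -1;   /* later fragment disagrees about the message size: the check the diary says was missing */
    }
    if (h.frag_offset > r->length || h.frag_length > r->length - h.frag_offset) return -1; /* must fit */
    memcpy(r->buf + h.frag_offset, pkt + DTLS_HS_HDR_LEN, h.frag_length);
    return 0;
}
/* Constructed input: two consistent fragments of a 6-byte Certificate (type 11) message, plus one
 * that announces 64 bytes and carries 40, more than the 6 reserved. Returns 1 if only the latter is rejected. */
int demo_fragment_checks(void) {
    reasm r = {0};
    uint8_t f1[] = {11, 0,0,6, 0,0, 0,0,0, 0,0,3, 'a','b','c'};
    uint8_t f2[] = {11, 0,0,6, 0,0, 0,0,3, 0,0,3, 'd','e','f'};
    uint8_t bad[DTLS_HS_HDR_LEN + 40] = {11, 0,0,64, 0,0, 0,0,3, 0,0,40};
    memset(bad + DTLS_HS_HDR_LEN, 'X', 40);
    int a = reasm_add(&r, f1, sizeof f1), b = reasm_add(&r, bad, sizeof bad), c = reasm_add(&r, f2, sizeof f2);
    int ok = a == 0 && b == -1 && c == 0 && memcmp(r.buf, "abcdef", 6) == 0;
    free(r.buf);
    return ok;
}
```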
The Linux operating system kernel has been patched against yet another flaw that leaves servers in some shared Web hosting environments susceptible to hijacking.
The vulnerability, formally cataloged as CVE-2014-3153, is located in the futex subsystem of Linux, according to an advisory published Thursday by Debian, a distributor of the open source OS. The flaw allows untrusted users with unprivileged system access to escalate their control. From there, they can crash the system or do other nefarious things, including possibly executing malicious code.
"Pinkie Pie discovered an issue in the futex subsystem that allows a local user to gain ring 0 control via the futex syscall," the advisory stated. "An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation."
A researcher has uncovered another severe vulnerability in the OpenSSL cryptographic library. It allows attackers to decrypt and modify Web, e-mail, and virtual private network traffic protected by the transport layer security (TLS) protocol, the Internet's most widely used method for encrypting traffic traveling between end users and servers.
The TLS bypass exploits work only when traffic is sent or received by a server running OpenSSL 1.0.1 and 1.0.2-beta1, maintainers of the open-source library warned in an advisory published Thursday. The advisory went on to say that servers running a version earlier than 1.0.1 should update as a precaution. The vulnerability has existed since the first release of OpenSSL, some 16 years ago. Library updates are available on the front page of the OpenSSL website. People who administer servers running OpenSSL should update as soon as possible.
The underlying vulnerability, formally cataloged as CVE-2014-0224, resides in the ChangeCipherSpec processing, according to an overview published Thursday by Lepidum, the software developer that discovered the flaw and reported it privately to OpenSSL. It makes it possible for attackers who can monitor a connection between an end user and server to force weak cryptographic keys on client devices. Attackers can then exploit those keys to decrypt the traffic or even modify the data before sending it to its intended destination.
by Sean Gallagher
The Defense Advanced Research Projects Agency is preparing to kick off the Cyber Grand Challenge, a tournament that will pit 30 teams of security researchers from industry, academia, and “the larger security community” against each other in a capture-the-flag style battle of network warfare domination. The contest, which is designed to help DARPA identify the best in automated network and computer security defense systems, will culminate in a final battle to be held at the DEF CON security conference in Las Vegas in 2016.
The winning team of the tournament will take home a cash prize of $2 million. The second and third place teams will be awarded $1 million and $750,000, respectively.
“DARPA anticipates that the two-year Challenge and its culmination in an event synchronized with DEF CON will not only accelerate the development of capable, automated network defense systems, but also encourage the diverse communities now working on computer and network security issues in the public and private sectors to work together in new ways,” an agency spokesperson said in an official statement on the event. “This dynamic is crucial if information security practitioners are to pull ahead of adversaries persistently looking to take advantage of network weaknesses.”
Chrome, Internet Explorer, and Firefox are vulnerable to easy-to-execute techniques that allow unscrupulous websites to construct detailed histories of sites visitors have previously viewed, an attack that revives a long-standing privacy threat many people thought was fixed.
[Webcast Correction] Important correction to the webcast. The MITM attack does not just affect DTLS. It does affect TLS (TCP) as well.
Quick Q&A Summary from the webcast:
- The MITM vulnerability only affects servers that run OpenSSL 1.0.1 but all clients. Both have to be vulnerable to exploit this problem.
- The MITM vulnerability is not just DTLS (sorry, had that wrong during the webcast)
- Common DTLS applications: Video/Voice over IP, LDAP, SNMPv3, WebRTC
- Web servers (https) can not use DTLS.
- OpenVPN's "auth-tls" feature will likely mitigate all these vulnerabilities
- Even if you use "commercial software", it may still use OpenSSL.
All versions of OpenSSL are vulnerable to CVE-2014-0195, but this vulnerability only affects DTLS clients or servers (look for SSL VPNs... not so much HTTPS).
I also rated CVE-2014-0224 critical, since it does allow for MiTM attacks, one of the reasons you use SSL. But in order to exploit this issue, both client and server have to be vulnerable, and only openssl 1.0.1 is vulnerable on servers (which is why I stuck with "important" for servers). The discoverer of this vulnerability released details here: http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html .
CVE-2010-5298 does allow third parties to inject data into existing SSL connections. This could be a big deal, but according to the OpenSSL advisory, the SSL_MODE_RELEASE_BUFFERS feature is usually not enabled.
Make sure you update to one of these OpenSSL versions:
OpenSSL 0.9.8za (openssl ran out of letters, so instead of calling this one 'z' they call it 'za' to allow for future releases. However, this *may* be the last 0.9.8 release).
| CVE | Description | Impact | Affected versions | Client | Server |
|---|---|---|---|---|---|
| CVE-2014-0224 | SSL/TLS MITM vulnerability | MiTM | Server: 1.0.1; Client: 0.9.8, 1.0.0, 1.0.1 (both have to be vulnerable) | Critical | Important |
| CVE-2014-0221 | DTLS recursion flaw | DoS | 0.9.8, 1.0.0, 1.0.1 | Important | Not affected |
| CVE-2014-0195 | DTLS invalid fragment vulnerability | Code exec. | 0.9.8, 1.0.0, 1.0.1 | Critical | Critical |
| CVE-2014-0198 | SSL_MODE_RELEASE_BUFFERS NULL pointer dereference | DoS | 1.0.0, 1.0.1 (neither affected in default config) | | |
| CVE-2010-5298 | SSL_MODE_RELEASE_BUFFERS session injection | DoS or data injection | 1.0.0, 1.0.1 (in multithreaded applications, not in default config) | | |
| CVE-2014-3470 | Anonymous ECDH denial of service | DoS | 0.9.8, 1.0.0, 1.0.1 | Important | Not affected |