Bug 1252470 - KCI attacks against TLS
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
low Severity low
Assigned To: Red Hat Product Security
: Security
Depends On: 1252472
Blocks: 1377709
Reported: 2015-08-11 09:52 EDT by Adam Mariš
Modified: 2016-09-22 09:45 EDT
Doc Type: Bug Fix
Description Adam Mariš 2015-08-11 09:52:13 EDT
The conference paper linked below introduces a novel KCI attack against several TLS libraries.

All TLS implementations supporting non-ephemeral (Elliptic Curve) Diffie-Hellman key exchange with fixed (Elliptic Curve) Diffie-Hellman client authentication are vulnerable to this attack, including OpenSSL v1.0.2. No other versions of OpenSSL are vulnerable.

An attacker possessing a client certificate with the corresponding secret key will be able to impersonate other servers, posing as a man-in-the-middle, while being able to eavesdrop on and modify plaintext messages at will.

Research paper with flaw details:


External References:

Comment 1 Adam Mariš 2015-08-11 09:52:55 EDT
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1252472]
Comment 2 Tomas Hoger 2016-09-22 06:34:59 EDT
Linked paper includes the following info about OpenSSL:

  The currently most commonly used branches of the OpenSSL library (branches
  0.9.8, 1.0.0, and 1.0.1) do not support the necessary TLS options (so
  systems such as Google Android seem to be safe at this time). However, the
  source code of the OpenSSL library contains ‘TODO’s in the source code for
  implementing support for fixed ECDH handshakes. Not much code is missing
  for fixed ECDH support in OpenSSL (we added basic support with only a few
  lines of code for our MitM setup). After engaging the OpenSSL developer
  team during the responsible disclosure process, we found that the newest
  branch (branch 1.0.2) just recently added support for static DH, but not
  (yet) for fixed ECDH handshakes. That means, client that use the 1.0.2
  branch of OpenSSL might as well be vulnerable to our attack.

This is apparently referring to:

Comment 4 Tomas Hoger 2016-09-22 09:45:27 EDT
OpenSSL 1.0.1u, 1.0.2i, and 1.1.0a address KCI issue for GOST cipher suites:


GOST support is not enabled in OpenSSL packages in Red Hat Enterprise Linux.
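
The precondition named in the bug description is fixed (EC)DH client authentication, which a TLS 1.0-1.2 server asks for through the `certificate_types` list of its CertificateRequest message. The following is an added example, not part of the bug report or of OpenSSL: a defender-side check that flags such requests in a captured handshake message. The function and helper names and the sample messages are constructed for illustration; the type codes are those of RFC 5246 and RFC 4492.

```python
from __future__ import annotations

# ClientCertificateType codes that select fixed (EC)DH client authentication.
FIXED_DH_TYPES = {
    3: "rsa_fixed_dh",
    4: "dss_fixed_dh",
    65: "rsa_fixed_ecdh",
    66: "ecdsa_fixed_ecdh",
}
CERTIFICATE_REQUEST = 13  # handshake msg_type


def fixed_dh_cert_types(handshake: bytes) -> list[str]:
    """Return the fixed (EC)DH client certificate types a server requests.

    `handshake` is one reassembled handshake message (msg_type, 24-bit
    length, body) without the record-layer header.
    """
    if len(handshake) < 4:
        raise ValueError("truncated handshake header")
    length = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake body")
    if handshake[0] != CERTIFICATE_REQUEST:
        return []
    # certificate_types<1..2^8-1>: one length byte, then one byte per type.
    if not body or body[0] == 0 or len(body) < 1 + body[0]:
        raise ValueError("malformed certificate_types vector")
    return [FIXED_DH_TYPES[t] for t in body[1:1 + body[0]] if t in FIXED_DH_TYPES]


def _build_cert_request(types: list[int]) -> bytes:
    """Build a constructed TLS 1.2 CertificateRequest for the samples below."""
    sig_algs = bytes([4, 1, 4, 3])  # rsa/sha256, ecdsa/sha256
    body = (bytes([len(types)]) + bytes(types)
            + len(sig_algs).to_bytes(2, "big") + sig_algs
            + (0).to_bytes(2, "big"))  # empty certificate_authorities
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


# Constructed samples: signing types only, and one that adds ecdsa_fixed_ecdh.
SAMPLE_SIGN_ONLY = _build_cert_request([1, 64])
SAMPLE_FIXED_ECDH = _build_cert_request([1, 64, 66])

if __name__ == "__main__":
    for name, msg in [("sign-only", SAMPLE_SIGN_ONLY), ("fixed-ecdh", SAMPLE_FIXED_ECDH)]:
        print(name, fixed_dh_cert_types(msg) or "no fixed (EC)DH types requested")
```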
