Bug 1252470 - KCI attacks against TLS
Summary: KCI attacks against TLS
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1252472
Blocks: 1377709
Reported: 2015-08-11 13:52 UTC by Adam Mariš
Modified: 2021-02-17 05:02 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:43:03 UTC
Embargoed:



Description Adam Mariš 2015-08-11 13:52:13 UTC
The conference paper linked below introduces a novel KCI attack against several TLS libraries.

All TLS implementations supporting non-ephemeral (Elliptic Curve) Diffie-Hellman key exchange with fixed (Elliptic Curve) Diffie-Hellman client authentication are vulnerable to this attack, including OpenSSL v1.0.2. No other versions of OpenSSL are vulnerable.

An attacker possessing a client certificate with the corresponding secret key will be able to impersonate other servers, posing as a man-in-the-middle, while being able to eavesdrop on and modify plaintext messages at will.

Research paper with flaw details:

https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf

External References:

https://kcitls.org/
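
The description above ties the flaw to fixed (EC)DH client authentication. The following is an added example, not code from this bug report, the paper or OpenSSL: a defensive check that parses a TLS 1.2 CertificateRequest handshake message and flags requests for fixed (EC)DH client certificates. The ClientCertificateType numbers are taken from RFC 5246 and RFC 4492; the function names and sample messages are constructed for illustration.

```python
# ClientCertificateType values from RFC 5246 (7.4.4) and RFC 4492 (5.5).
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh",
              64: "ecdsa_sign", 65: "rsa_fixed_ecdh", 66: "ecdsa_fixed_ecdh"}
FIXED_DH = {3, 4, 65, 66}   # client authenticates with a static (EC)DH key
CERTIFICATE_REQUEST = 13    # HandshakeType.certificate_request


def parse_certificate_types(handshake):
    """Return the certificate_types list of one CertificateRequest message."""
    if len(handshake) < 4:
        raise ValueError("truncated handshake header")
    msg_type = handshake[0]
    length = int.from_bytes(handshake[1:4], "big")
    if msg_type != CERTIFICATE_REQUEST:
        raise ValueError(f"not a CertificateRequest (type {msg_type})")
    body = handshake[4:4 + length]
    if length < 1 or len(body) != length:
        raise ValueError("truncated CertificateRequest body")
    count = body[0]  # certificate_types<1..2^8-1> has a one-byte length prefix
    if count < 1 or 1 + count > len(body):
        raise ValueError("bad certificate_types length")
    return list(body[1:1 + count])


def fixed_dh_types_requested(handshake):
    """Names of the fixed (EC)DH client-auth types the server asks for."""
    return [CERT_TYPES[t] for t in parse_certificate_types(handshake)
            if t in FIXED_DH]


def build_sample(types):
    """Constructed sample: given types, one signature algorithm, no CA names."""
    body = bytes([len(types)]) + types + b"\x00\x02\x04\x01" + b"\x00\x00"
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    samples = (("sign-only request", b"\x01\x40"),
               ("fixed-DH request", b"\x01\x03\x42"))
    for label, types in samples:
        hits = fixed_dh_types_requested(build_sample(types))
        print(f"{label}: {'FLAG ' + ', '.join(hits) if hits else 'ok'}")
```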

Comment 1 Adam Mariš 2015-08-11 13:52:55 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1252472]

Comment 2 Tomas Hoger 2016-09-22 10:34:59 UTC
Linked paper includes the following info about OpenSSL:

  The currently most commonly used branches of the OpenSSL library (branches
  0.9.8, 1.0.0, and 1.0.1) do not support the necessary TLS options (so
  systems such as Google Android seem to be safe at this time). However, the
  source code of the OpenSSL library contains ‘TODO’s in the source code for
  implementing support for fixed ECDH handshakes. Not much code is missing
  for fixed ECDH support in OpenSSL (we added basic support with only a few
  lines of code for our MitM setup). After engaging the OpenSSL developer
  team during the responsible disclosure process, we found that the newest
  branch (branch 1.0.2) just recently added support for static DH, but not
  (yet) for fixed ECDH handshakes. That means, client that use the 1.0.2
  branch of OpenSSL might as well be vulnerable to our attack.

This is apparently referring to:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=0ffa49970b9f8ea66b43ce2eb7f8fd523b65bc2c
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=c523eb98d1694afd5d73cb5fe3b521c6064c130f

Comment 4 Tomas Hoger 2016-09-22 13:45:27 UTC
OpenSSL 1.0.1u, 1.0.2i, and 1.1.0a address KCI issue for GOST cipher suites:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=ab650f07a0dabc01a4410f8f702c3cea7932da62

GOST support is not enabled in OpenSSL packages in Red Hat Enterprise Linux.

Comment 5 Product Security DevOps Team 2019-06-08 02:43:03 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

