Red Hat Bugzilla – Bug 1252470
KCI attacks against TLS
Last modified: 2016-09-22 09:45:27 EDT
The conference paper linked below introduces a novel KCI attack against several TLS libraries.
All TLS implementations supporting non-ephemeral (Elliptic Curve) Diffie-Hellman key exchange with fixed (Elliptic Curve) Diffie-Hellman client authentication are vulnerable to this attack, including OpenSSL v1.0.2. No other versions of OpenSSL are vulnerable.
An attacker possessing a client certificate with the corresponding secret key will be able to impersonate other servers, posing as a man-in-the-middle, while being able to eavesdrop on and modify plaintext messages at will.
Research paper with flaw details:
Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1252472]
Linked paper includes the following info about OpenSSL:
The currently most commonly used branches of the OpenSSL library (branches
0.9.8, 1.0.0, and 1.0.1) do not support the necessary TLS options (so
systems such as Google Android seem to be safe at this time). However, the
source code of the OpenSSL library contains ‘TODO’s in the source code for
implementing support for fixed ECDH handshakes. Not much code is missing
for fixed ECDH support in OpenSSL (we added basic support with only a few
lines of code for our MitM setup). After engaging the OpenSSL developer
team during the responsible disclosure process, we found that the newest
branch (branch 1.0.2) just recently added support for static DH, but not
(yet) for fixed ECDH handshakes. That means, clients that use the 1.0.2
branch of OpenSSL might as well be vulnerable to our attack.
This is apparently referring to:
OpenSSL 1.0.1u, 1.0.2i, and 1.1.0a address KCI issue for GOST cipher suites:
GOST support is not enabled in OpenSSL packages in Red Hat Enterprise Linux.