Bug 1252470 - KCI attacks against TLS
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20150810,reported=2...
Keywords: Security
Depends On: 1252472
Blocks: 1377709
Reported: 2015-08-11 09:52 EDT by Adam Mariš
Modified: 2016-09-22 09:45 EDT
Doc Type: Bug Fix
Description Adam Mariš 2015-08-11 09:52:13 EDT
The conference paper linked below introduces a novel KCI attack against several TLS libraries.

All TLS implementations supporting non-ephemeral (Elliptic Curve) Diffie-Hellman key exchange with fixed (Elliptic Curve) Diffie-Hellman client authentication are vulnerable to this attack, including OpenSSL v1.0.2. No other versions of OpenSSL are vulnerable.

An attacker possessing a client certificate with the corresponding secret key will be able to impersonate other servers, posing as a man-in-the-middle, while being able to eavesdrop on and modify plaintext messages at will.

Research paper with flaw details:

https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf

External References:

https://kcitls.org/
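
A defensive check for the handshake option the description names, as an added example that is not part of the original report or of OpenSSL: it parses a TLS 1.0 to 1.2 CertificateRequest handshake message and reports any fixed (EC)DH client certificate types the server asks for. The function name and the sample messages are constructed for illustration; the type code points are those of RFC 5246 and RFC 4492.

```python
# Added example: flag CertificateRequest messages that ask for fixed (EC)DH
# client authentication, the handshake option named in the description above.

# ClientCertificateType code points from RFC 5246 and RFC 4492.
FIXED_DH_TYPES = {
    3: "rsa_fixed_dh",
    4: "dss_fixed_dh",
    65: "rsa_fixed_ecdh",
    66: "ecdsa_fixed_ecdh",
}
HS_CERTIFICATE_REQUEST = 13  # HandshakeType certificate_request


def fixed_dh_types_requested(handshake: bytes) -> list:
    """Return names of fixed (EC)DH certificate types in a CertificateRequest.

    `handshake` is one handshake message (type, 24-bit length, body) with the
    record-layer header already removed. Raises ValueError on malformed input.
    """
    if len(handshake) < 5:
        raise ValueError("truncated handshake message")
    msg_type = handshake[0]
    if msg_type != HS_CERTIFICATE_REQUEST:
        raise ValueError(f"not a CertificateRequest (type {msg_type})")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if body_len == 0 or len(body) != body_len:
        raise ValueError("handshake body missing or shorter than declared")
    # certificate_types<1..2^8-1> is the first field of the message in
    # TLS 1.0 through 1.2, so nothing after it needs to be parsed here.
    count = body[0]
    if count == 0 or 1 + count > len(body):
        raise ValueError("bad certificate_types length")
    return [FIXED_DH_TYPES[t] for t in body[1:1 + count] if t in FIXED_DH_TYPES]


# Constructed sample messages (not captured traffic).
# Types rsa_sign(1), rsa_fixed_ecdh(65), ecdsa_fixed_ecdh(66); one sig alg; no CAs.
SAMPLE_RISKY = bytes.fromhex("0d00000a" "03014142" "00020401" "0000")
# Types rsa_sign(1), ecdsa_sign(64); one sig alg; no CAs.
SAMPLE_OK = bytes.fromhex("0d000009" "020140" "00020401" "0000")

if __name__ == "__main__":
    for name, msg in (("risky", SAMPLE_RISKY), ("ok", SAMPLE_OK)):
        print(name, fixed_dh_types_requested(msg))
```
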
Comment 1 Adam Mariš 2015-08-11 09:52:55 EDT
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1252472]
Comment 2 Tomas Hoger 2016-09-22 06:34:59 EDT
Linked paper includes the following info about OpenSSL:

  The currently most commonly used branches of the OpenSSL library (branches
  0.9.8, 1.0.0, and 1.0.1) do not support the necessary TLS options (so
  systems such as Google Android seem to be safe at this time). However, the
  source code of the OpenSSL library contains ‘TODO’s in the source code for
  implementing support for fixed ECDH handshakes. Not much code is missing
  for fixed ECDH support in OpenSSL (we added basic support with only a few
  lines of code for our MitM setup). After engaging the OpenSSL developer
  team during the responsible disclosure process, we found that the newest
  branch (branch 1.0.2) just recently added support for static DH, but not
  (yet) for fixed ECDH handshakes. That means, client that use the 1.0.2
  branch of OpenSSL might as well be vulnerable to our attack.

This is apparently referring to:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=0ffa49970b9f8ea66b43ce2eb7f8fd523b65bc2c
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=c523eb98d1694afd5d73cb5fe3b521c6064c130f
Comment 4 Tomas Hoger 2016-09-22 09:45:27 EDT
OpenSSL 1.0.1u, 1.0.2i, and 1.1.0a address KCI issue for GOST cipher suites:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=ab650f07a0dabc01a4410f8f702c3cea7932da62

GOST support is not enabled in OpenSSL packages in Red Hat Enterprise Linux.
