Bug 1877458 (CVE-2020-1968) - CVE-2020-1968 openssl: Information exposure when DH secrets are reused across multiple TLS connections
Keywords:
Status: NEW
Alias: CVE-2020-1968
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1877607 1877620 1877868 1877869 1877870 1877871 1877872 1877459 1877461 1877617 1877618 1877619 1877621
Blocks: 1877460
 
Reported: 2020-09-09 16:44 UTC by Pedro Sampaio
Modified: 2020-09-11 08:04 UTC (History)

Fixed In Version: openssl 1.0.2w
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenSSL versions 1.0.2 through 1.0.2v (fixed in 1.0.2w). The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed:



Description Pedro Sampaio 2020-09-09 16:44:01 UTC
The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).

References:

https://www.openssl.org/news/secadv/20200909.txt
https://raccoon-attack.com/

Comment 1 Pedro Sampaio 2020-09-09 16:44:51 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1877459]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 1877461]

Comment 2 Todd Cullum 2020-09-09 23:48:59 UTC
Mitigation:

In OpenSSL 1.0.2e and below, this flaw can be mitigated by not enabling any ciphersuites with Diffie Hellman (DH), excluding ciphersuites using Elliptic Curve Diffie Hellman (ECDH).

In OpenSSL 1.0.2f and above, this flaw can be mitigated by not enabling static DH ciphersuites. Such ciphersuites start with `DH-` in OpenSSL and are mapped to IANA names that start with `TLS_DH_`, excluding ciphersuites that start with `TLS_DH_anon`. Following this convention, we see that `DH-RSA-AES256-GCM-SHA384` with IANA name `TLS_DH_RSA_WITH_AES_256_GCM_SHA384` is affected and should not be used in a mitigation of this flaw. However, `ECDH-RSA-AES128-GCM-SHA256` with IANA name `TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256` is not affected and may be used in a mitigation to this flaw, as it does not follow the `DH-` or `TLS_DH_` naming convention.
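The two mitigation rules above (all finite-field DH suites up to 1.0.2e, only static `DH-` suites from 1.0.2f on) are easy to misapply by hand on a long cipher list. The following is an added example, not part of this bug or of OpenSSL, that applies both rules to `openssl ciphers -v` style output and to IANA suite names. The sample lines are constructed here, not captured from a host; they follow the `name protocol Kx= Au= Enc= Mac=` layout that `openssl ciphers -v` prints on 1.0.2, and the `Kx=DH` / `Kx=DH/RSA` / `Kx=ECDH...` values are assumed from that format.

```python
"""Flag TLS cipher suites that fall under the Raccoon mitigation rules for
OpenSSL 1.0.2, from `openssl ciphers -v` output or from IANA suite names."""
import re

# Constructed sample in the layout printed by `openssl ciphers -v` on 1.0.2
# (name, protocol, Kx=, Au=, Enc=, Mac=). Not captured from a real host.
SAMPLE_CIPHERS_V = """\
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DH-DSS-AES256-GCM-SHA384    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA              SSLv3   Kx=DH       Au=None Enc=AES(128)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    Mac=SHA1
"""


def parse_ciphers_v(text):
    """Return one dict (name, kx, au) per non-empty `openssl ciphers -v` line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        entries.append({"name": parts[0],
                        "kx": fields.get("Kx", ""),
                        "au": fields.get("Au", "")})
    return entries


def uses_finite_field_dh(entry):
    """Any DH over a prime field: static, ephemeral or anonymous.
    Assumed Kx spelling: 'DH' or 'DH/<cert key type>'; ECDH is 'ECDH...'."""
    return entry["kx"].split("/")[0] == "DH"


def is_static_dh(entry):
    """Rule from the comment: static DH suites are those whose OpenSSL name
    starts with 'DH-' (DH-RSA-*, DH-DSS-*). DHE-, EDH- and ADH- do not match."""
    return entry["name"].startswith("DH-")


def is_static_dh_iana(iana_name):
    """Same rule on IANA names: TLS_DH_* except TLS_DH_anon*."""
    return (iana_name.startswith("TLS_DH_")
            and not iana_name.startswith("TLS_DH_anon"))


def raccoon_affected(entries, openssl_version):
    """Suites to disable for a given 1.0.2 letter release: everything using
    finite-field DH up to and including 1.0.2e, only static DH from 1.0.2f on.
    Other branches are out of scope for this rule and raise."""
    m = re.fullmatch(r"1\.0\.2([a-z]?)", openssl_version)
    if m is None:
        raise ValueError("rule only covers the 1.0.2 branch: " + openssl_version)
    letter = m.group(1)
    broad_rule = letter == "" or letter <= "e"
    predicate = uses_finite_field_dh if broad_rule else is_static_dh
    return [e["name"] for e in entries if predicate(e)]


if __name__ == "__main__":
    parsed = parse_ciphers_v(SAMPLE_CIPHERS_V)
    for version in ("1.0.2e", "1.0.2v"):
        print(version, "->", raccoon_affected(parsed, version))
```

To check a real host, feed the output of `openssl ciphers -v '<your cipher string>'` into `parse_ciphers_v` and compare the names `raccoon_affected` returns against what the server is configured to offer; an empty list for the running 1.0.2 letter release means the mitigation in this comment is in place.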

Comment 4 Todd Cullum 2020-09-10 02:12:54 UTC
Flaw summary:

This flaw affects communications with servers that use OpenSSL to support ciphersuites using Diffie-Hellman (DH) and Diffie-Hellman Ephemeral (DHE) key exchanges, when they reuse keys. This can occur with ciphersuites using static DH or DHE where the ephemeral key is reused. The flaw occurs due to a TLS specification clause that applies to TLS 1.2 and lower, requiring that the negotiated DH key, which is to be used as the pre-master secret, be stripped of leading 0 bits[1]. This stripping can result in an information leak (namely, the high-order bits of the pre-master secret) when the server is subject to a side-channel attack, and potentially allow a highly skilled, determined, and resourced attacker to gain the pre-master key and compromise confidentiality of data. The flaw has not been demonstrated for Elliptic Curve Diffie-Hellman ciphersuites (ECDH) as used in OpenSSL because leading zeroes are required to be left intact[2].

The attack complexity is extremely high and due to the low likelihood of a successful attack combined with the requirement for a victim to have a relatively rare server configuration, this flaw has been rated as Low Impact.

OpenSSL 1.0.2w+ has moved the affected ciphersuites into the weak-ssl-ciphers list, which is not compiled into OpenSSL by default. This decision was made because the root issue exists in the TLS specification and is not a particular code flaw.

1. https://tools.ietf.org/html/rfc5246#section-8.1.2
2. https://tools.ietf.org/html/rfc4492#section-5.10
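The leading-zero rule in [1] and its absence in [2] are the whole mechanism, so it is worth seeing the two encodings side by side. The following is an added example written for this page, not code from the bug, from OpenSSL or from the Raccoon paper. It uses a toy 127-bit Mersenne prime and generator 3 (labelled as such; a real server would use a 2048-bit group, and the encoding rule is identical), derives the premaster secret both ways, and models the vulnerable configuration: one server DH secret reused across many connections, each with a fresh client value. The length of the RFC 5246 encoding drops whenever the top octet of Z is zero, which is the most-significant-bit oracle the attack needs; the RFC 4492 encoding never changes length.

```python
"""Why the TLS 1.2 DH premaster secret leaks its most significant bits: the
length-varying encoding of RFC 5246 8.1.2 beside the fixed-length ECDH
encoding of RFC 4492 5.10, with a model of a server reusing its DH secret."""
import random

# Toy DH parameters, assumed for the demo only: p is the Mersenne prime
# 2**127 - 1 (16 octets), g = 3. Real deployments use a 2048-bit group.
TOY_P = (1 << 127) - 1
TOY_G = 3


def byte_length(n):
    """Octets needed to hold the integer n."""
    return (n.bit_length() + 7) // 8


def tls_dh_premaster(z, p):
    """RFC 5246 8.1.2: Z as a big-endian integer with leading all-zero octets
    stripped. The premaster secret is shorter whenever the top octet of Z is
    zero, so its length depends on the secret value."""
    if not 1 <= z < p:
        raise ValueError("Z out of range")
    return z.to_bytes(byte_length(p), "big").lstrip(b"\x00")


def ecdh_premaster(x, p):
    """RFC 4492 5.10: the shared x-coordinate padded to the fixed field
    length with leading zeros kept, so the length never varies."""
    if not 0 <= x < p:
        raise ValueError("x out of range")
    return x.to_bytes(byte_length(p), "big")


def msb_oracle(premaster, p):
    """What a side channel on the premaster length reveals to the attacker:
    True means the top 8 bits of Z were all zero, i.e. Z < 2**(8*(L-1))."""
    return len(premaster) < byte_length(p)


def expected_short_fraction(p):
    """Exact probability that Z uniform in [1, p) loses at least one octet."""
    threshold = 1 << (8 * (byte_length(p) - 1))
    return (threshold - 1) / (p - 1)


def count_short_premasters(p, g, server_secret, trials, seed=1):
    """Vulnerable configuration: the server keeps one DH secret for every
    connection while each client picks a fresh secret. Returns how many of
    the resulting connections produced a shortened premaster secret; each
    such connection tells the attacker the top octet of a different Z that
    all depend on the same reused server key."""
    rng = random.Random(seed)
    server_public = pow(g, server_secret, p)   # sent in every handshake
    short = 0
    for _ in range(trials):
        client_secret = rng.randrange(2, p - 1)
        client_public = pow(g, client_secret, p)
        z_server = pow(client_public, server_secret, p)   # server's view
        z_client = pow(server_public, client_secret, p)   # client's view
        assert z_server == z_client
        if msb_oracle(tls_dh_premaster(z_server, p), p):
            short += 1
    return short


if __name__ == "__main__":
    z = 0x00ABCDEF
    print("DH  premaster:", tls_dh_premaster(z, TOY_P).hex(),
          "(", len(tls_dh_premaster(z, TOY_P)), "octets )")
    print("ECDH premaster:", ecdh_premaster(z, TOY_P).hex(),
          "(", len(ecdh_premaster(z, TOY_P)), "octets )")
    n = 20000
    print(count_short_premasters(TOY_P, TOY_G, 0x1234567890ABCDEF, n),
          "of", n, "handshakes leaked a short premaster; expected about",
          round(expected_short_fraction(TOY_P) * n))
```

For the toy prime the top octet is only 0x7F, so roughly one handshake in 128 yields a shortened secret; for the MODP groups actually used with TLS the figure is about one in 256. Either way the leak only accumulates across handshakes because the server's DH secret is the same in each of them, which is why OpenSSL 1.0.2f's single-use DHE keys leave only the static `DH-` suites exposed.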

Comment 6 Todd Cullum 2020-09-10 02:20:58 UTC
External References:

A thorough explanation can be found at: https://raccoon-attack.com/RacoonAttack.pdf
Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E) by Robert Merget, Marcus Brinkmann, et al.

Comment 8 Ted (Jong Seok) Won 2020-09-10 10:50:50 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Enterprise Application Platform 5
 * Red Hat JBoss Enterprise Application Platform 6
 * Red Hat JBoss Enterprise Web Server 2

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 10 Todd Cullum 2020-09-10 15:28:57 UTC
Statement:

openssl 1.1.0i as bundled in the ovmf package shipped with Red Hat Enterprise Linux 7 supplementary rpms is not affected by this flaw. openssl 1.1.1 as shipped in Red Hat Enterprise Linux 8 is also not affected.

