In his upcoming Blackhat paper and presentation, Dan Kaminsky highlights some more issues he has found relating to SSL hash collisions and related vulnerabilities. The first issue is the discovery that a widely-trusted Certificate Authority root certificate is self-signed using an MD2 hash. If an attacker can mint a fake intermediate certificate which has the same MD2 hash, then they could use this on a malicious site (or during a man-in-the-middle attack) to present a fake SSL certificate that would be accepted as if it were authentic.

It turns out that there are not many valid MD2 hash certificates around any more, and the main one that exists is at the trusted root level anyway (and there is actually no need for a crypto library to verify the self-signature on a trusted root). So most vendors have chosen to address this issue by disabling MD2 completely for certificate verification. There is no immediate panic to address this issue, as in order for it to be exploited the attacker would need to create the MD2 collision with the root certificate, something that is as of today a significant amount of effort (even with a highly distributed effort it's a bit outside what is feasible).

So for upstream OpenSSL we have disabled MD2 support completely. This was done in two stages; the first was a patch in June 2009 (http://marc.info/?l=openssl-cvs&m=124508133203041&w=2) that removed the check of a trusted root self-signed certificate. Then MD2 was disabled in July (http://cvs.openssl.org/chngview?cn=18381). Although there have not yet been any upstream releases containing these fixes, future OpenSSL 0.9.8 (after 0.9.8k) and OpenSSL 1.0.0 releases will contain this fix.

The GnuTLS library has for some time meant to have disabled MD2 support, although due to a broken patch it wasn't actually disabled correctly until the start of 2009. So this is addressed in GnuTLS versions 2.6.4 and above, and 2.7.4 and above (http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00011.html).

The NSS library since version 3.12.3 (April 2009) has disabled MD2 by default (although legacy applications can turn it back on using the environment variable "NSS_ALLOW_WEAK_SIGNATURE_ALG" if they need to). Mozilla Firefox since version 3.5 has used this NSS version and therefore MD2 is disabled (https://bugzilla.mozilla.org/show_bug.cgi?id=471539#c58).
GnuTLS notes: Since 2.6.4 and 2.7.4, MD2 hasn't been allowed by default in a chain. It actually was implemented earlier, but the code was broken, so when backporting it'll need several patches. They also disabled MD5, but if we backport this we do not want to disable MD5, since it will definitely break existing things.
http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00011.html

* Version 2.7.4 (released 2009-01-07), also
* Version 2.6.4 (released 2009-02-06)
** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures. This is a bugfix -- the previous attempt to do this from internal x509 certificate verification procedures did not return the correct value for certificates using a weak hash. Reported by Daniel Kahn Gillmor <dkg> in <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>, debugged and patch by Tomas Mraz <tmraz> and Daniel Kahn Gillmor <dkg>.

2009-01-06 Daniel Kahn Gillmor <dkg>
* lib/x509/verify.c: actually deprecate MD5 and MD2 signatures during X.509 verification by treating them as invalid unless the GNUTLS_VERIFY_ALLOW_SIGN_RSA_{MD5,MD2} flags are present.

* Version 2.7.3 (released 2008-12-10), also
* Version 2.6.1 (released 2008-11-10), additionally with 2.6.2
** libgnutls: Fix chain verification for chains that ends with RSA-MD2 CAs. Reported by Michael Kiefer <Michael-Kiefer> in <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507633>, forwarded by Andreas Metzler <ametzler.eu.org> in <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3309>.
** libgnutls: deprecate X.509 validation chains using MD5 and MD2 signatures. This is a bugfix -- the previous attempt to do this from internal x509 certificate verification procedures did not return the correct value for certificates using a weak hash. Reported by Daniel Kahn Gillmor <dkg> in <http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>, debugged and patch by Tomas Mraz <tmraz> and Daniel Kahn Gillmor <dkg>.
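The two comments above describe the same verification policy from two sides: the first explains why a trusted root's MD2 self-signature need not be checked at all (the June 2009 OpenSSL change) while an MD2-signed intermediate must be rejected, and the GnuTLS notes describe treating MD2/MD5 signatures as invalid unless an explicit GNUTLS_VERIFY_ALLOW_SIGN_RSA_{MD5,MD2} opt-in is given. The following Python is an added illustration of that policy and is not code from this bug, from NSS, OpenSSL or GnuTLS. It walks the outer DER layout of an X.509 Certificate to read the signatureAlgorithm OID and applies the policy to a chain; the PKCS#1 OIDs are the standard ones, the function names are my own, and the certificates it checks are constructed stand-ins whose only realistic part is the outer Certificate/AlgorithmIdentifier structure.

```python
"""Flag X.509 certificates whose signature uses an MD2 or MD5 hash.

Added example for this bug thread; not code from NSS, OpenSSL or GnuTLS.
The certificates checked below are constructed stand-ins, not real CA certs.
"""

# PKCS#1 signature algorithm OIDs -> hash name (standard, well-known values).
SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2",
    "1.2.840.113549.1.1.4": "md5",
    "1.2.840.113549.1.1.5": "sha1",
    "1.2.840.113549.1.1.11": "sha256",
}
WEAK_BY_DEFAULT = frozenset({"md2", "md5"})


def der_read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV at pos (definite lengths only)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = der_read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, _tbs, pos = der_read_tlv(body)              # tbsCertificate: skipped here
    tag, algid, _ = der_read_tlv(body, pos)        # AlgorithmIdentifier
    oid_tag, oid, _ = der_read_tlv(algid)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid)


def check_signature_hash(cert_der, allow=frozenset()):
    """Return (hash_name, accepted). `allow` is an explicit opt-in for weak
    hashes, in the spirit of GNUTLS_VERIFY_ALLOW_SIGN_RSA_{MD2,MD5}.
    Unrecognised algorithms are refused rather than guessed at."""
    name = SIG_OIDS.get(signature_algorithm(cert_der), "unknown")
    if name == "unknown":
        return name, False
    return name, name not in (WEAK_BY_DEFAULT - frozenset(allow))


def check_chain(chain, allow=frozenset()):
    """Apply the policy to a chain ordered leaf -> root. The last certificate is
    the trust anchor: the trust store, not its self-signature, is what makes it
    trusted, so its hash is reported but not enforced (as upstream OpenSSL chose
    in June 2009). An MD2-signed intermediate is still rejected."""
    report = []
    for i, cert in enumerate(chain):
        name, ok = check_signature_hash(cert, allow)
        report.append((name, ok or i == len(chain) - 1))
    return report


# --- constructed sample certificates (stand-ins, not real certificates) ---

def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid):
    """Minimal Certificate shell: placeholder tbsCertificate, real-shaped
    AlgorithmIdentifier, dummy signature bits. Only the outer layout is realistic."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    algid = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + der_tlv(0x05, b""))
    sig = der_tlv(0x03, b"\x00" + b"\x00" * 16)      # BIT STRING, 0 unused bits
    return der_tlv(0x30, tbs + algid + sig)


if __name__ == "__main__":
    leaf = constructed_cert("1.2.840.113549.1.1.11")   # sha256WithRSAEncryption
    md2_ca = constructed_cert("1.2.840.113549.1.1.2")  # md2WithRSAEncryption
    print("MD2 intermediate:", check_chain([leaf, md2_ca, md2_ca]))
    print("MD2 root only:   ", check_chain([leaf, md2_ca]))
    print("MD2 opted in:    ", check_chain([leaf, md2_ca, md2_ca], allow={"md2"}))
```

The chain check reports the root's MD2 self-signature but accepts the chain, because removing the root from the trust store, not rejecting its self-signature, is the right response to a weak root; the same MD2 signature on an intermediate fails unless "md2" is in the opt-in set, which is the behaviour the GnuTLS flags and the NSS environment variable both gate.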
In Red Hat Enterprise Linux, Firefox (and related packages) use the system version of NSS. Therefore as the NSS library is updated to remove MD2 this will cascade into Firefox and related applications.
NSS was rebased today by errata RHBA-2009:1161 for Red Hat Enterprise Linux 5 to address other issues. This therefore disables MD2 in Firefox and related packages.
This issue was presented by Dan Kaminsky last night at Blackhat. Removing embargo.
This issue has been addressed in nss packages in the following products: Red Hat Enterprise Linux 4. Via RHSA-2009:1184 https://rhn.redhat.com/errata/RHSA-2009-1184.html
This issue has been addressed in nss packages in the following products: Red Hat Enterprise Linux 5. Via RHSA-2009:1186 https://rhn.redhat.com/errata/RHSA-2009-1186.html
This issue has been addressed in nss packages in the following products: Red Hat Enterprise Linux 4.7 Z Stream. Via RHSA-2009:1190 https://rhn.redhat.com/errata/RHSA-2009-1190.html
This issue has been addressed in nss packages in the following products: Red Hat Enterprise Linux 5.2 Z Stream. Via RHSA-2009:1207 https://rhn.redhat.com/errata/RHSA-2009-1207.html
This issue has been addressed in seamonkey-nss packages in the following products: Red Hat Enterprise Linux 3. Via RHSA-2009:1432 https://rhn.redhat.com/errata/RHSA-2009-1432.html
This issue has been addressed in java-1.6.0-sun packages in the following products: Extras for RHEL 4, Extras for Red Hat Enterprise Linux 5. Via RHSA-2009:1560 https://rhn.redhat.com/errata/RHSA-2009-1560.html
This issue has been addressed in java-1.5.0-sun packages in the following products: Extras for RHEL 4, Extras for Red Hat Enterprise Linux 5. Via RHSA-2009:1571 https://rhn.redhat.com/errata/RHSA-2009-1571.html
java-1.6.0-openjdk-1.6.0.0-33.b16.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/java-1.6.0-openjdk-1.6.0.0-33.b16.fc12
java-1.6.0-openjdk-1.6.0.0-23.b16.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/java-1.6.0-openjdk-1.6.0.0-23.b16.fc10
java-1.6.0-openjdk-1.6.0.0-30.b16.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/java-1.6.0-openjdk-1.6.0.0-30.b16.fc11
java-1.6.0-openjdk-1.6.0.0-30.b16.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
java-1.6.0-openjdk-1.6.0.0-33.b16.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
java-1.6.0-openjdk-1.6.0.0-23.b16.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in java-1.6.0-openjdk packages in the following products: Red Hat Enterprise Linux 5. Via RHSA-2009:1584 https://rhn.redhat.com/errata/RHSA-2009-1584.html
This issue has been addressed in java-1.5.0-sun packages in the following products: Red Hat Network Satellite Server v 5.1. Via RHSA-2009:1662 https://rhn.redhat.com/errata/RHSA-2009-1662.html
This issue has been addressed in openssl packages in the following products: Red Hat Enterprise Linux 5. Via RHSA-2010:0054 https://rhn.redhat.com/errata/RHSA-2010-0054.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 3, Red Hat Enterprise Linux 4. Via RHSA-2010:0163 https://rhn.redhat.com/errata/RHSA-2010-0163.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5. Via RHSA-2010:0166 https://rhn.redhat.com/errata/RHSA-2010-0166.html