The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).
References:
https://www.openssl.org/news/secadv/20200909.txt
https://raccoon-attack.com/
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1877459] Created openssl11 tracking bugs for this issue: Affects: epel-7 [bug 1877461]
Mitigation: In OpenSSL 1.0.2e and below, this flaw can be mitigated by not enabling any ciphersuites with Diffie Hellman (DH), excluding ciphersuites using Elliptic Curve Diffie Hellman (ECDH). In OpenSSL 1.0.2f and above, this flaw can be mitigated by not enabling static DH ciphersuites. Such ciphersuites start with `DH-` in OpenSSL and are mapped to IANA names that start with `TLS_DH_`, excluding ciphersuites that start with `TLS_DH_anon`. Following this convention, we see that `DH-RSA-AES256-GCM-SHA384` with IANA name `TLS_DH_RSA_WITH_AES_256_GCM_SHA384` is affected and should not be used in a mitigation of this flaw. However, `ECDH-RSA-AES128-GCM-SHA256` with IANA name `TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256` is not affected and may be used in a mitigation to this flaw, as it does not follow the `DH-` or `TLS_DH_` naming convention.
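The naming rule in the mitigation above can be applied mechanically to a configured cipher list. The following is an added example (not part of this bug report or of OpenSSL) that classifies OpenSSL-style and IANA ciphersuite names and decides, for a given OpenSSL 1.0.2 letter release, which suites to drop: every DH suite for 1.0.2e and below, only static `DH-`/`TLS_DH_` suites for 1.0.2f and above, with `TLS_DH_anon`/`ADH-` and all ECDH suites left alone. The `EDH-` prefix is assumed here as the older OpenSSL alias for DHE names.

```python
import re

# Static DH: OpenSSL names start with "DH-", IANA names with "TLS_DH_"
# but not "TLS_DH_anon" (anonymous DH is out of scope for this mitigation).
_STATIC_DH = re.compile(r"^(DH-|TLS_DH_(?!anon))")
# Ephemeral DH: OpenSSL "DHE-" (older alias "EDH-"), IANA "TLS_DHE_".
_EPHEMERAL_DH = re.compile(r"^(DHE-|EDH-|TLS_DHE_)")


def is_static_dh(name: str) -> bool:
    """True for static DH suites; ECDH/ECDHE names never match."""
    return bool(_STATIC_DH.match(name))


def is_ephemeral_dh(name: str) -> bool:
    """True for DHE suites (affected only if the ephemeral key is reused)."""
    return bool(_EPHEMERAL_DH.match(name))


def must_disable(name: str, openssl_release: str) -> bool:
    """Decide whether a suite should be removed on this OpenSSL 1.0.2 release.

    1.0.2e and below: drop all DH suites (static and DHE).
    1.0.2f and above: drop only static DH suites.
    """
    m = re.fullmatch(r"1\.0\.2([a-z]?)", openssl_release)
    if not m:
        raise ValueError("only OpenSSL 1.0.2 releases are covered here")
    letter = m.group(1)           # "" for plain 1.0.2, sorts before "a"
    ephemeral_too = letter <= "e"
    return is_static_dh(name) or (ephemeral_too and is_ephemeral_dh(name))


def filter_ciphers(ciphers, openssl_release):
    """Split a cipher list into (kept, dropped) for the given release."""
    kept = [c for c in ciphers if not must_disable(c, openssl_release)]
    dropped = [c for c in ciphers if must_disable(c, openssl_release)]
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample list, not taken from any real server configuration.
    sample = ["DH-RSA-AES256-GCM-SHA384", "ECDH-RSA-AES128-GCM-SHA256",
              "DHE-RSA-AES128-GCM-SHA256", "TLS_DH_anon_WITH_AES_128_CBC_SHA"]
    for rel in ("1.0.2e", "1.0.2w"):
        print(rel, filter_ciphers(sample, rel))
```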
Flaw summary: This flaw affects communications with servers that use OpenSSL to support ciphersuites using Diffie-Hellman (DH) and Diffie-Hellman Ephemeral (DHE) key exchanges, when they reuse keys. This can occur with ciphersuites using static DH or DHE where the ephemeral key is reused. The flaw occurs due to a TLS specification clause that applies to TLS 1.2 and lower, requiring that the negotiated DH key, which is to be used as the pre-master secret, be stripped of leading 0 bits[1]. This stripping can result in an information leak (namely, the high-order bits of the pre-master secret) when the server is subject to a side-channel attack, and potentially allow a highly skilled, determined, and resourced attacker to gain the pre-master key and compromise confidentiality of data. The flaw has not been demonstrated for Elliptic Curve Diffie-Hellman (ECDH) ciphersuites as used in OpenSSL because leading zeroes are required to be left intact[2]. The attack complexity is extremely high, and due to the low likelihood of a successful attack combined with the requirement for a victim to have a relatively rare server configuration, this flaw has been rated as Low Impact. OpenSSL 1.0.2w+ has moved the affected ciphersuites into the weak-ssl-ciphers list, which is not compiled into OpenSSL by default. This decision was made because the root issue exists in the TLS specification and is not a particular code flaw.
1. https://tools.ietf.org/html/rfc5246#section-8.1.2
2. https://tools.ietf.org/html/rfc4492#section-5.10
External References: A thorough explanation can be found at https://raccoon-attack.com/RacoonAttack.pdf (Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E), by Robert Merget, Marcus Brinkmann, et al.).
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Enterprise Application Platform 5
* Red Hat JBoss Enterprise Application Platform 6
* Red Hat JBoss Enterprise Web Server 2
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Statement: openssl 1.1.0i as bundled in the ovmf package shipped with Red Hat Enterprise Linux 7 supplementary rpms is not affected by this flaw. openssl 1.1.1 as shipped in Red Hat Enterprise Linux 8 is also not affected. Red Hat Advanced Cluster Management for Kubernetes does not use the vulnerable cipher suites, so it is not impacted by this flaw.