OpenPKG Corporation

OpenPKG Security Advisory

OpenPKG-SA-2003.013

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2003.013
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2003.013
Advisory Published:      2009-07-04 22:11 UTC

Issue Id (internal):     OpenPKG-SI-20030219.02
Issue First Created:     2003-02-19
Issue Last Modified:     2006-11-28
Issue Revision:          05


Subject Name:            OpenSSL
Subject Summary:         Cryptography and SSL/TLS Toolkit
Subject Home:            http://www.openssl.org/
Subject Versions:        * <= 0.9.7

Vulnerability Id:        CVE-2003-0078
Vulnerability Scope:     global (not OpenPKG specific)
Attack Feasibility:      run-time
Attack Vector:           
Attack Impact:           identity fraud, exposure of sensitive information

Description:

In an upcoming CRYPTO 2003 paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and demonstrate a timing-based attack on SSL/TLS with CBC ciphersuites. According to an OpenSSL security advisory [0], the OpenSSL implementation is vulnerable to this attack.

The attack assumes that multiple SSL/TLS connections involve a common fixed plaintext block, such as a password. An active attacker can substitute specifically made-up ciphertext blocks for blocks sent by legitimate SSL/TLS parties and measure the time until a response arrives. SSL/TLS includes data authentication to ensure that such modified ciphertext blocks will be rejected by the peer (and the connection aborted), but the attacker may be able to use timing observations to distinguish between two different error cases, namely block cipher padding errors and MAC verification errors. This is sufficient for an adaptive attack that can finally obtain the complete plaintext block.

This cannot be easily exploited, because the attack requires the ability to act as a man-in-the-middle, repeated communications that contain a common plaintext block, decoding failures that do not signal problems on the client and server side, and a network between the attacker and the server stable enough for the timing differences to be reasonably observable.

OpenSSL versions since 0.9.6c supposedly treat block cipher padding errors like MAC verification errors during record decryption [1], but MAC verification was still skipped after detection of a padding error, which allowed the timing attack.
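The record-check behaviour the description refers to, as an added illustration (not OpenSSL's own code): a simplified model of the TLS 1.0 CBC record layout body || MAC || padding || padlen, with the pre-fix check that skips the MAC after a padding error beside a corrected check that always computes the MAC and only then rejects. The function names, the SHA-1 HMAC and the constructed inputs are assumptions; the cipher layer is omitted, so the functions take already decrypted records.

```python
import hmac
import hashlib

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes, as in TLS 1.0 SHA-1 CBC ciphersuites


def build_record(mac_key, seq_hdr, body, padlen):
    """Constructed test input: the decrypted CBC record body || MAC || pad || padlen.
    TLS 1.0 padding bytes all carry the value padlen; no cipher is applied here."""
    tag = hmac.new(mac_key, seq_hdr + body, hashlib.sha1).digest()
    return body + tag + bytes([padlen]) * padlen + bytes([padlen])


def _padding_ok(dec):
    """Return (padding_valid, padlen) for a decrypted record."""
    if not dec:
        return False, 0
    padlen = dec[-1]
    if padlen + 1 + MAC_LEN > len(dec):
        return False, 0
    return all(b == padlen for b in dec[-(padlen + 1):-1]), padlen


def _mac_ok(mac_key, seq_hdr, dec, padlen):
    """Recompute the HMAC over the body and compare it with the stored tag."""
    body = dec[:-(padlen + 1 + MAC_LEN)]
    tag = dec[-(padlen + 1 + MAC_LEN):-(padlen + 1)]
    expect = hmac.new(mac_key, seq_hdr + body, hashlib.sha1).digest()
    return hmac.compare_digest(tag, expect)


def check_record_vulnerable(mac_key, seq_hdr, dec):
    """Pre-fix behaviour described in the advisory: both errors yield the same alert,
    but a padding error returns before the MAC is computed, so it is measurably faster.
    Returns (verdict, mac_was_computed); the flag stands in for the timing difference."""
    ok, padlen = _padding_ok(dec)
    if not ok:
        return "bad_record_mac", False
    return ("ok" if _mac_ok(mac_key, seq_hdr, dec, padlen) else "bad_record_mac"), True


def check_record_fixed(mac_key, seq_hdr, dec):
    """Corrected behaviour (modelled on the advisory's description, not OpenSSL's code):
    on a padding error continue as if padlen were 0 so the MAC is always computed,
    then reject. Both error cases now do the same amount of work."""
    ok, padlen = _padding_ok(dec)
    if not ok:
        padlen = 0
    mac_good = _mac_ok(mac_key, seq_hdr, dec, padlen)
    return ("ok" if (ok and mac_good) else "bad_record_mac"), True
```

The second element of each return value makes the asymmetry visible: the pre-fix check reports `False` only for the padding-error case, while the corrected check reports `True` for every input.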
References:

[0] http://www.openssl.org/news/secadv_20030219.txt
[1] http://www.openssl.org/~bodo/tls-cbc.txt
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0078
[3] http://www.openpkg.org/tutorial.html#regular-source
[4] http://www.openpkg.org/tutorial.html#regular-binary
[5] ftp://ftp.openpkg.org/release/1.1/UPD/openssl-0.9.6g-1.1.1.src.rpm
[6] ftp://ftp.openpkg.org/release/1.2/UPD/openssl-0.9.7-1.2.1.src.rpm
[7] ftp://ftp.openpkg.org/release/1.1/UPD/
[8] ftp://ftp.openpkg.org/release/1.2/UPD/
[9] http://www.openpkg.org/security.html#signature
Primary Package Name:    openssl
Primary Package Home:    http://openpkg.org/go/package/openssl

Affected Distribution    Affected Branch    Affected Package
OpenPKG Community        1.1-SOLID          openssl-0.9.6g-1.1.0
OpenPKG Community        1.2-SOLID          openssl-0.9.7-1.2.0
OpenPKG Community        CURRENT            openssl-0.9.7-20030111

Corrected Distribution   Corrected Branch   Corrected Package
OpenPKG Community        1.1-SOLID          openssl-0.9.6g-1.1.1
OpenPKG Community        1.2-SOLID          openssl-0.9.7-1.2.1
OpenPKG Community        CURRENT            openssl-0.9.7a-20030219
