Reference: CERT-EU Security Advisory 2011-0005
Title: Background information about the recent "BEAST attack on SSL / TLS"

Version history:
27.09.2011 Initial publication
27.09.2011 Link to Microsoft Security Advisory (2588513) added
12.01.2012 Link to Microsoft Bulletin and patch notification added[9]

Summary
=======

Two security researchers demonstrated[1] an attack against encrypted SSL and TLS "cookies", which sometimes store credentials (for example, Google or Facebook) to keep a user logged in. The attack received a lot of media attention. This advisory aims at explaining what a potential attacker would need to do for a successful attack, and what can/must be done to mitigate it.

Potential impact
================

The attack allows an attacker to decrypt parts of the cookie that identify the user and, as a consequence, gain access to restricted accounts (PayPal was used as an example). The attack was carried out by a tool called BEAST, which is, at the time of this writing, not publicly available.

Quick background of the vulnerability
=====================================

The flaw used in the proof of concept has been known for almost 10 years[3] and was described in detail in two papers by Gregory V. Bard[4]. It affects SSL 2.0, SSL 3.0 and TLS 1.0 cipher suites that use the Cipher Block Chaining (CBC) mode, including popular ones based on the AES and Triple-DES encryption methods. This vulnerability was already addressed in 2006 in TLS 1.1[5], but libraries in most popular products still use the 1.0 version of the protocol for compatibility reasons. Some web browsers even still support the 12-year-old SSL 3.0 specification in addition to TLS, which is also vulnerable. Note that SSL 2.0 is vulnerable as well, but this version should not be used anymore and therefore should already be disabled in your environment.
Mitigating factors
==================

* the attacker needs to be in the same (physical) network, which makes public WLANs more susceptible to attacks,
* the attacker needs to become a "man-in-the-middle"[2] to intercept the victim's connection to the server and communicate with it in the victim's context,
* both the victim's browser and the server must use TLS in versions below 1.1

What can you do?
================

The attack is not theoretical any more; however, it needs a sophisticated attacker in a (high-bandwidth) man-in-the-middle position to carry it out.

As much as possible, make your users aware of the dangers (see below) and deploy web browsers in your institutions that support at least TLS 1.1.

If you run web-based services in your institution that make use of SSL/TLS and you are not able to upgrade the system(s), some security researchers recommend (as a workaround) switching to a non-CBC based cipher like RC4 as the preferred cipher and ensuring that the server's preference is honoured instead of the client's[6].

Urge (if appropriate) the suppliers of web-based services to upgrade their servers to TLS 1.1 or TLS 1.2. For an overview of which product uses what library version, please refer to[7].

Microsoft issued a security advisory, including more information on workarounds and mitigation for their products.[8]

NEW: In the patch round of January 2012 Microsoft published a patch that should remove the vulnerability in MS products.[9]

What to tell your users?
========================

Normal security good practices apply. Especially tell your users not to use restricted accounts (like eBanking sites, shopping sites, etc.) in public networks or (if possible) in networks to which other (unknown) users may connect.
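The following Python script is an added example (not part of the CERT-EU advisory) that turns the criteria above into a check: it flags negotiated sessions that are exposed (protocol below TLS 1.1 combined with a CBC-mode cipher suite, in either OpenSSL-style or IANA-style suite names) and builds a server-side ssl context that satisfies the advisory's recommendations using only the Python standard library. The session records are constructed sample data, and the context floors the protocol at TLS 1.2, which meets and exceeds the "at least TLS 1.1" requirement.

```python
import ssl

# Protocol versions the advisory names as affected (CBC with chained IVs).
AFFECTED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
# Markers of non-CBC modes/ciphers in OpenSSL-style and IANA-style names.
NON_CBC_MARKERS = ("GCM", "CCM", "CHACHA20", "RC4", "NULL")
# Block ciphers that OpenSSL names without spelling out "CBC" (e.g. AES128-SHA).
BLOCK_CIPHERS = ("AES", "DES", "CAMELLIA", "SEED", "IDEA")

def is_cbc_suite(suite: str) -> bool:
    """Heuristic classifier: IANA names contain _CBC_; OpenSSL names omit
    'CBC' for block ciphers but do mark AEAD and stream modes explicitly."""
    name = suite.upper()
    if "CBC" in name:
        return True
    if any(marker in name for marker in NON_CBC_MARKERS):
        return False
    return any(alg in name for alg in BLOCK_CIPHERS)

def beast_exposed(version: str, suite: str) -> bool:
    """True when a negotiated (version, suite) pair meets the advisory's
    criteria: protocol below TLS 1.1 and a CBC-mode cipher suite."""
    return version in AFFECTED_VERSIONS and is_cbc_suite(suite)

def audit(sessions):
    """Return the exposed records from (client, version, suite) tuples."""
    return [s for s in sessions if beast_exposed(s[1], s[2])]

def hardened_server_context() -> ssl.SSLContext:
    """Server context per the advisory: modern protocol floor and the
    server's cipher preference honoured instead of the client's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # satisfies "at least 1.1"
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx

def context_meets_advisory(ctx: ssl.SSLContext) -> bool:
    """Check a context against the two server-side recommendations."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_1
            and bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE))

# Constructed sample of negotiated sessions (not real observations).
SAMPLE_SESSIONS = [
    ("client-a", "TLSv1", "AES128-SHA"),                     # exposed
    ("client-b", "TLSv1", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),  # exposed
    ("client-c", "TLSv1", "RC4-SHA"),                        # stream cipher
    ("client-d", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),  # AEAD, TLS 1.2
    ("client-e", "TLSv1.2", "ECDHE-RSA-AES256-SHA384"),      # CBC but TLS 1.2
    ("client-f", "SSLv3", "DES-CBC3-SHA"),                   # exposed
]

if __name__ == "__main__":
    for client, version, suite in audit(SAMPLE_SESSIONS):
        print(f"{client}: {version} with {suite} is BEAST-exposed")
```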
More information
================

[1] http://www.ekoparty.org/2011/juliano-rizzo.php
[2] Wikipedia background article: http://en.wikipedia.org/wiki/Man-in-the-middle_attack
[3] First posting on openssl-dev: http://www.mail-archive.com/openssl-dev@openssl.org/msg10664.html
[4] Papers by Gregory V. Bard: http://eprint.iacr.org/2004/111.pdf and http://eprint.iacr.org/2006/136.pdf
[5] RFC 4346, TLS 1.1: http://tools.ietf.org/html/rfc4346
[6] Slaying the BEAST: Mitigating ...: http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php
[7] SSL/TLS Hardening and compatibility report 2011: http://blog.g-sec.lu/2011/09/ssltls-hardening-and-compatibility.html
[8] Microsoft Security Advisory (2588513): https://technet.microsoft.com/en-us/security/advisory/2588513
[9] Microsoft Security Bulletin Summary for January 2012: http://technet.microsoft.com/en-us/security/bulletin/ms12-jan