CCS Injection Vulnerability

Overview

OpenSSL’s ChangeCipherSpec processing has a serious vulnerability.
This vulnerability allows malicious intermediate nodes to intercept
encrypted data and decrypt it while forcing SSL clients to use weak
keys that are exposed to the malicious nodes. Because both servers
and clients are affected by this vulnerability, every OpenSSL user
should update their software immediately. The vulnerability is
highly reproducible, and attackers are very likely to use it in
targeted attacks.

Countermeasures

You can apply software updates from each software vendor.
Refer to the URLs below.

Problem

We discovered that a flaw in OpenSSL’s ChangeCipherSpec processing
makes it possible for malicious third parties to act as intermediaries
in specific communications. Through this bug, attackers are able to
force OpenSSL servers and clients to use weak key material. When
software uses an affected version of OpenSSL, there is a risk that
content and authentication information sent over encrypted
communication such as web browsing, e-mail and VPN will be tampered
with or exploited.

Q. How does the vulnerability work?

A. Attackers can predict the temporary encryption key material of any
communication by sending invalid signals during the handshake.
If attackers obtain the key material, they can eavesdrop on the
encrypted communication or steal your identity.

Q. What versions of OpenSSL are affected?

A. Affected Versions:

  • OpenSSL 1.0.1 through 1.0.1g
  • OpenSSL 1.0.0 through 1.0.0l
  • all versions before OpenSSL 0.9.8y

Not Affected Versions:

  • OpenSSL 1.0.1h
  • OpenSSL 1.0.0m
  • OpenSSL 0.9.8za

The latest OpenSSL update includes seven bug fixes. We found one of the
bugs (CVE-2014-0224).

Q. What are the risks?

A. Attackers can eavesdrop on and falsify your communication
when both the server and the client are vulnerable
and the OpenSSL version of the server is 1.0.1 or higher.

Attackers can hijack the authenticated session
if the server is vulnerable (even if the client is not vulnerable).

(According to the analysis from Adam Langley and IIJ, if users are
using client certificates, the sessions to the servers will be
disconnected just after attackers attempt to hijack them.)

Victims cannot find any trace of the attacks. If you assume the
communication is safe and send passwords or credit card numbers via
encrypted sessions, you are at risk of identity theft. If attackers
falsify the contents of the communication, they may use your identity
information to transfer money from your account illegally.

Q. How can I prevent the attacks?

A. If you use Android or Linux, apply the vendor updates because
Android and Linux use OpenSSL. If you are using Windows, Mac or
iPhone, there are no risks from this vulnerability.

Through this bug, attackers pose as intermediate nodes between
victims and servers, and eavesdrop on and falsify your
communication. Attacks of this kind are called “Man in the
Middle (MITM)” attacks. On public WiFi networks, MITM attacks are
very likely. When you use Internet banking or electronic commerce
systems, you should avoid connecting to public WiFi networks and
connect your device to cellular networks such as 3G or LTE networks
instead.

Q. Do I have to re-create my private keys or certificates?

A. No. Attackers cannot steal your private keys through this bug itself.
However, if you have transferred your private keys via paths protected by SSL/TLS,
the keys could have been sniffed.
If this is the case, consider regenerating the keys or certificates.

Q. Is CCS injection because of an SSL/TLS specification defect?

A. No. It is an OpenSSL implementation problem.

Q. What protocol versions are affected?

A. All versions (SSL3.0, TLS1.0, TLS1.1, TLS1.2) are affected.

Q. What encryption algorithms are affected?

A. All encryption algorithms are affected.

Q. Can I detect if someone has exploited this against me?

A. Exploitation of this bug does not leave any traces.

Q. Can IDS/IPS detect this attack?

A. Configuring your IDS/IPS to detect messages arriving in an invalid order enables it to detect the attacks.
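
A sketch of the message-order check described in this answer, as an added example rather than code from OpenSSL, Lepidum or any IDS product. It flags a ChangeCipherSpec record seen before the ClientKeyExchange of a full handshake, and accepts the resumed-handshake order where the server echoes the client's session ID. The function names are hypothetical; it assumes the capture already labels each chunk by sender and that handshake messages are not fragmented across records. The builder helpers produce constructed sample records.

```python
import struct

CCS, HANDSHAKE = 20, 22  # TLS record content types
CLIENT_HELLO, SERVER_HELLO, CLIENT_KEY_EXCHANGE = 1, 2, 16  # handshake types

def records(buf):  # yields (content_type, payload) for each TLS record in buf
    off = 0
    while off + 5 <= len(buf):
        ctype, _version, length = struct.unpack_from("!BHH", buf, off)
        yield ctype, buf[off + 5:off + 5 + length]
        off += 5 + length

def handshake_msgs(payload):  # assumes plaintext, unfragmented messages
    off = 0
    while off + 4 <= len(payload):
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        yield payload[off], payload[off + 4:off + 4 + length]
        off += 4 + length

def session_id(hello_body):
    # Both hellos start: version(2) random(32) session_id_len(1) session_id
    return hello_body[35:35 + hello_body[34]] if len(hello_body) > 34 else b""

def find_early_ccs(flow):
    """flow: [(sender, bytes)] in wire order; returns senders of out-of-order CCS."""
    sid, ccs_from, seen_cke, alerts = {}, set(), False, []
    for sender, data in flow:
        for ctype, payload in records(data):
            if ctype == HANDSHAKE and sender not in ccs_from:
                # Handshake records sent after a sender's CCS are encrypted: skip them
                for mtype, body in handshake_msgs(payload):
                    if mtype in (CLIENT_HELLO, SERVER_HELLO):
                        sid[sender] = session_id(body)
                    seen_cke |= sender == "client" and mtype == CLIENT_KEY_EXCHANGE
            elif ctype == CCS:
                # Resumption: the server echoes the client's non-empty session ID
                resumed = bool(sid.get("client")) and sid.get("client") == sid.get("server")
                if sender == "client":
                    ok = seen_cke or (resumed and "server" in ccs_from)
                else:
                    ok = resumed or (seen_cke and "client" in ccs_from)
                if not ok:
                    alerts.append(sender)
                ccs_from.add(sender)
    return alerts

# Builders for constructed sample records (not captured traffic)
def rec(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def hs(mtype, sid=None):  # handshake record; pass sid to build a Hello body
    body = b"" if sid is None else b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid
    return rec(HANDSHAKE, bytes([mtype]) + len(body).to_bytes(3, "big") + body)
```

Feed `find_early_ccs` the reassembled bytes of one connection in wire order; an empty list means every ChangeCipherSpec arrived where the handshake allows it.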

Q. How did you find this bug?

A. This bug was discovered by Masashi Kikuchi of Lepidum.
He found this bug while studying safe TLS implementations using the Coq proof assistant.

Q. How do you report this vulnerability?

A. After we found the vulnerability, we reported it to JPCERT and
CERT/CC. Then JPCERT announced a security alert to the related
partners through the vulnerability handling system. JPCERT and CERT/CC
notified the OpenSSL developers of the bug. Based on the contacts from
the OpenSSL developer team, we supported the development of the bug
fix patch.

References

You can use the CCS Injection logo under the terms of CC0.

Change History

  • Updated: (Mon, 09 Jun 2014 12:00:00 +0900):
    • Added examples of the risks.
    • Authentication hijack scenario was denied.
  • First Version: (Thu, 06 Jun 2014 20:44:00 +0900)
