CERT VU#243585

SSL/TLS implementations accept export-grade RSA keys (FREAK attack)

2015-03-06 00:00:00
www.kb.cert.org

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.948 High

EPSS

Percentile

99.2%

Overview

Some implementations of SSL/TLS accept export-grade (512-bit or smaller) RSA keys even when not specifically requesting export grade ciphers. An attacker able to act as a Man-in-the-Middle (MiTM) could factor weak temporary RSA keys, obtain session keys, and decrypt SSL/TLS traffic. This issue has been dubbed the “FREAK” (Factoring Attack on RSA-EXPORT Keys) attack.

Description

CWE-757: Selection of Less-Secure Algorithm During Negotiation (‘Algorithm Downgrade’)

CWE-326: Inadequate Encryption Strength

Some implementations of SSL/TLS accept export-grade (512-bit or smaller) RSA keys even when not specifically requesting export grade ciphers. This can occur when a MiTM attacker asks for export grade ciphers on behalf of a client, and the client insecurely accepts the export grade key. The attacker can then factor the weak RSA key and use this key to decrypt other data necessary to generate the session key. The attacker can then decrypt data in the session.
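The client-side decision that this description turns on, as an added example (it is not code from the CERT note or from any vendor listed below): a reduced model of the client that compares the pre-fix logic with the fixed logic. The handshake is cut down to the suites the client offered, the suite the client believes the server chose, and whether the ServerKeyExchange carried a temporary RSA key. Suite names are IANA TLS names; the 512-bit key size is a constructed value and MIN_RSA_BITS is a policy threshold assumed for this example.

```python
"""Client-side guard against the FREAK downgrade.

Added example written for this note; it is not code from the CERT advisory or
from any affected vendor. The handshake is reduced to the three inputs the bug
depends on: the suites the client offered, the suite the client believes the
server chose, and whether the ServerKeyExchange carried a temporary RSA key.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set

# Policy assumption for this example: any RSA modulus below this is treated
# as export grade (the keys FREAK targets are 512 bits or smaller).
MIN_RSA_BITS = 1024

NORMAL_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"
EXPORT_SUITE = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"


@dataclass(frozen=True)
class ServerKeyExchange:
    # None means no temporary RSA key was sent (normal for a static-RSA suite,
    # where the certificate's key is used instead).
    rsa_modulus_bits: Optional[int]


def is_export_suite(suite: str) -> bool:
    """True for the RSA_EXPORT / DHE_*_EXPORT families of IANA suite names."""
    return "_EXPORT" in suite


def vulnerable_client(offered: Set[str], negotiated: str, ske: ServerKeyExchange) -> str:
    """Pre-fix behaviour: a temporary RSA key is used whenever one arrives,
    without checking that an export suite was actually negotiated."""
    if negotiated not in offered:
        return "reject"  # this check existed before the fix as well
    if is_export_suite(negotiated) and ske.rsa_modulus_bits is None:
        return "reject"  # an export suite cannot proceed without a temporary key
    return "accept"      # the flaw: an unexpected RSA key is accepted silently


def fixed_client(offered: Set[str], negotiated: str, ske: ServerKeyExchange) -> str:
    """Fixed behaviour: a temporary RSA key is only valid when an RSA_EXPORT
    suite was negotiated, and factorable key sizes are refused outright."""
    if negotiated not in offered:
        return "reject"
    if ske.rsa_modulus_bits is not None:
        if not is_export_suite(negotiated):
            return "reject"  # RSA key in ServerKeyExchange outside an export suite
        if ske.rsa_modulus_bits < MIN_RSA_BITS:
            return "reject"  # defence in depth: never use a 512-bit temporary key
    elif is_export_suite(negotiated):
        return "reject"
    return "accept"


ClientCheck = Callable[[Set[str], str, ServerKeyExchange], str]


def run_handshake(client: ClientCheck, downgraded: bool) -> str:
    """Drive one handshake through a client check. With downgraded=True the
    ClientHello is rewritten in transit to request an export suite, the server
    answers with a 512-bit temporary RSA key, and the ServerHello is rewritten
    back so the client sees the suite it originally offered (the sequence the
    note describes). The client only ever offers the non-export suite."""
    offered = {NORMAL_SUITE}
    if downgraded:
        ske = ServerKeyExchange(rsa_modulus_bits=512)   # constructed weak key
    else:
        ske = ServerKeyExchange(rsa_modulus_bits=None)  # no ServerKeyExchange
    return client(offered, NORMAL_SUITE, ske)


if __name__ == "__main__":
    for name, client in (("vulnerable", vulnerable_client), ("fixed", fixed_client)):
        print(f"{name:10s} normal={run_handshake(client, False)} "
              f"downgraded={run_handshake(client, True)}")
```

Run it and the vulnerable client accepts both handshakes while the fixed client accepts only the normal one; the detection point is the same in real implementations: an RSA key in ServerKeyExchange when the negotiated suite is not RSA_EXPORT is a protocol violation and must abort the handshake.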

The researchers provide a more detailed explanation on their website.


Impact

The weak 512-bit “export grade” RSA keys can be factored to allow an attacker to decrypt information encrypted with these keys.


Solution

Update SSL/TLS libraries and applications

Vendors are currently working on patches to address this issue. Affected users are advised to check with the software vendor and update as soon as possible. The Vendor Status information below provides more information for each vendor.

Do not offer export grade ciphers

Configure server and client applications not to use export grade ciphers (EC).
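One way to enforce this on the Python side, as an added example that is not code from the CERT note or any vendor: build an ssl.SSLContext with a cipher string that excludes export suites, then audit the suites the library actually enabled. It assumes CPython 3.6 or later (for SSLContext.get_ciphers) linked against OpenSSL; the cipher string, the 112-bit strength threshold and the SAMPLE_CIPHERS list are constructed for the example.

```python
"""Audit an ssl.SSLContext for export-grade cipher suites.

Added example for this note, not code from CERT or any vendor. Assumes CPython
3.6 or later (SSLContext.get_ciphers) linked against OpenSSL. The cipher
string and the strength threshold are choices made for this example.
"""
import ssl
from typing import Iterable, List, Mapping

# Excludes export suites explicitly and the other weak buckets as well.
HARDENED_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4"

# Export suites used 40- or 56-bit keys; require at least 112 bits here.
MIN_STRENGTH_BITS = 112


def find_weak_suites(ciphers: Iterable[Mapping],
                     min_strength_bits: int = MIN_STRENGTH_BITS) -> List[str]:
    """Return the names of suites that are export grade by name (OpenSSL
    'EXP-*', IANA '*_EXPORT*') or that fall below the strength threshold.
    Each entry is a dict shaped like SSLContext.get_ciphers() output."""
    weak = []
    for c in ciphers:
        name = c["name"]
        if (name.startswith("EXP") or "_EXPORT" in name
                or c["strength_bits"] < min_strength_bits):
            weak.append(name)
    return weak


def hardened_context(purpose: ssl.Purpose = ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Context for a client (SERVER_AUTH) or a server (CLIENT_AUTH) that never
    offers export suites; it audits itself before being handed out."""
    ctx = ssl.create_default_context(purpose)
    ctx.set_ciphers(HARDENED_CIPHER_STRING)
    weak = find_weak_suites(ctx.get_ciphers())
    if weak:
        raise ValueError(f"export-grade suites still enabled: {weak}")
    return ctx


# Constructed sample in the shape get_ciphers() returns, with one export
# suite and one 56-bit suite, so the audit can be exercised offline.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "strength_bits": 128},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
]

if __name__ == "__main__":
    print("flagged in sample:", find_weak_suites(SAMPLE_CIPHERS))
    ctx = hardened_context()
    print("hardened context enables", len(ctx.get_ciphers()),
          "suites, none export grade")
```

On a current OpenSSL build the export suites are no longer compiled in, so the audit on a hardened context comes back empty; the value of the check is on older or vendor-built libraries, where a permissive string such as ALL can still enable EXP-* suites and the audit fails loudly before the context is used.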


Vendor Information



Apple Affected

Notified: March 06, 2015 Updated: March 06, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

SecureTransport is affected.

Safari web browser is affected.

Google Affected

Notified: March 06, 2015 Updated: March 06, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

BoringSSL versions before Nov 10, 2014 are vulnerable.

Google Chrome web browser prior to version 41 on various platforms is vulnerable.
Android Web Browser is vulnerable.

Microsoft Corporation Affected

Notified: March 06, 2015 Updated: March 10, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

SChannel is vulnerable. Internet Explorer is also vulnerable.

A patch has been released. Please see the Microsoft Security Bulletin below.

Vendor References

NEC Corporation Affected

Updated: October 26, 2015

Status

Affected

Vendor Statement

We provide information on this issue at the following URL <http://jpn.nec.com/security-info/secinfo/nv15-016.html> (only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

OpenSSL Affected

Notified: March 06, 2015 Updated: March 06, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

OpenSSL versions before 1.0.1k are vulnerable. The vulnerability in OpenSSL is tracked as CVE-2015-0204.

Opera Affected

Updated: March 06, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Opera web browsers before Opera 28 on OSX and Android are vulnerable.

Research in Motion (RIM) Affected

Updated: March 06, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Blackberry Browser web browser is vulnerable.

Botan Not Affected

Notified: March 06, 2015 Updated: March 06, 2015

Statement Date: March 06, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cryptlib Not Affected

Notified: March 06, 2015 Updated: March 09, 2015

Statement Date: March 08, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GnuTLS Not Affected

Notified: March 06, 2015 Updated: March 06, 2015

Statement Date: March 06, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IAIK Java Group Not Affected

Notified: March 06, 2015 Updated: March 17, 2015

Statement Date: March 17, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Legion of the Bouncy Castle Not Affected

Notified: March 06, 2015 Updated: March 09, 2015

Statement Date: March 09, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apache-SSL Unknown

Notified: March 06, 2015 Updated: March 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Attachmate Unknown

Notified: March 06, 2015 Updated: March 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Certicom Unknown

Notified: March 06, 2015 Updated: March 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Crypto++ Library Unknown

Notified: March 06, 2015 Updated: March 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

EMC Corporation Unknown

Notified: March 06, 2015 Updated: March 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nettle Unknown

Notified: March 06, 2015 Updated: March 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Oracle Corporation Unknown

Notified: March 06, 2015 Updated: March 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

PeerSec Networks Unknown

Notified: March 06, 2015 Updated: March 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SafeNet Unknown

Notified: March 06, 2015 Updated: March 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Spyrus Unknown

Notified: March 06, 2015 Updated: March 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

libgcrypt Unknown

Notified: March 06, 2015 Updated: March 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

mod_ssl Unknown

Notified: March 06, 2015 Updated: March 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

wolfSSL Unknown

Notified: March 06, 2015 Updated: March 05, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References


CVSS Metrics

Group Score Vector
Base 7.8 AV:N/AC:L/Au:N/C:C/I:N/A:N
Temporal 6.4 E:F/RL:OF/RC:C
Environmental 6.4 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This vulnerability was reported by researchers from INRIA, Microsoft Research, and IMDEA.

This document was written by Garret Wassermann.

Other Information

CVE IDs: None
Date Public: 2015-03-06 Date First Published:
