SSL 3.0 and TLS 1.0 allow chosen plaintext attack in CBC modes

Overview

A vulnerability in the specification of the SSL 3.0 and TLS 1.0 protocols could allow an attacker to decrypt encrypted traffic.

Description

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network application protocols such as HTTP, IMAP, POP3, LDAP, SMTP, and others. Several different versions of the SSL and TLS protocols have been standardized and are in widespread use. These protocols support the use of both block-based and stream-based ciphers.

A vulnerability in the way the SSL 3.0 and TLS 1.0 protocols select the initialization vector (IV) when operating in cipher-block chaining (CBC) modes allows an attacker to perform a chosen-plaintext attack on encrypted traffic. This vulnerability has been addressed in the specification for the TLS 1.1 and TLS 1.2 protocols.

While this vulnerability exists in the underlying specification of the affected protocols, a practical attack called BEAST has been demonstrated in the context of a web browser and the use of the HTTPS protocol. Because of the software functionality available to an attacker in this environment, it represents the most likely attack vector and the most significant risk for affected users. An effective BEAST attack appears to require a cross-domain vulnerability that allows the attacker to issue specially crafted HTTPS requests. A blog post by Thái Duong discusses “…a way to bypass the same-origin policy (SOP)…” using a Java applet.

---

Impact

An attacker with the ability to pose as a man-in-the-middle and to generate specially-crafted plaintext input could decrypt the contents of an SSL- or TLS-encrypted session. This could allow the attacker to recover potentially sensitive information (e.g., HTTP authentication cookies).

---

Solution

We are currently unaware of a practical solution to this problem.

---

Workarounds

Some vendors have published specific mitigation advice for the attacks related to this issues. Please see the Vendor Information section of this document for more information.

The following general workarounds can be effective in mitigating this issue:

* Prioritize the use of the RC4 algorithm over block ciphers in server software

Note that this workaround is not feasible to implement on systems that require FIPS-140 compliance since RC4 is not a FIPS-approved cryptographic algorithm.

* Enable support for TLS 1.1 and/or TLS 1.2 in the web browser
* Enable support for TLS 1.1 in server software

Note that both the web servers and the client web browser must support TLS 1.1 or TLS 1.2 for these workarounds to be effective. The session will fallback to an earlier version of the TLS or SSL protocol in the event that either is incompatible with TLS 1.1 or TLS 1.2.

Vendor Information

864643

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Google Affected

Updated: September 27, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• http://src.chromium.org/viewvc/chrome?view=rev&revision=97269

Microsoft Corporation Affected

Updated: September 27, 2011

Statement Date: September 26, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://technet.microsoft.com/en-us/security/advisory/2588513&gt;
• <http://support.microsoft.com/kb/2588513&gt;

Mozilla Affected

Updated: September 28, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://bugzilla.mozilla.org/show_bug.cgi?id=665814&gt;
• <http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/&gt;

Opera Affected

Updated: December 08, 2011

Statement Date: December 06, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://www.opera.com/docs/changelogs/windows/1160/&gt;
• <http://www.opera.com/docs/changelogs/mac/1160/&gt;
• <http://www.opera.com/docs/changelogs/unix/1160/&gt;

Apple Inc. Unknown

Updated: September 27, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GnuTLS Unknown

Updated: September 27, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenSSL Unknown

Updated: September 27, 2011

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base	0	AV:–/AC:–/Au:–/C:–/I:–/A:–
Temporal	0	E:ND/RL:ND/RC:ND
Environmental	0	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

• <http://www.openssl.org/~bodo/tls-cbc.txt&gt;
• <http://www.imperialviolet.org/2011/09/23/chromeandbeast.html&gt;
• <http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php&gt;
• <http://vnhacker.blogspot.com/2011/09/beast.html&gt;
• <https://blog.torproject.org/blog/tor-and-beast-ssl-attack&gt;
• <http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx&gt;
• <http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx&gt;
• http://src.chromium.org/viewvc/chrome?view=rev&revision=97269
• <https://bugzilla.mozilla.org/show_bug.cgi?id=665814&gt;
• <http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html&gt;
• <http://www.ekoparty.org/2011/juliano-rizzo.php&gt;

Acknowledgements

Thanks to Thái Duong working with Matasano and Juliano Rizzo of Netifera for reporting the practical attack against this vulnerability. Wei Dai and Bodo Möller identified the underlying flaw in the context of SSL and TLS.

This document was written by Chad R Dougherty.

Other Information

CVE IDs:	CVE-2011-3389
Severity Metric:	3.38 Date Public: