CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
71.3%
By observing the length of compressed HTTPS responses, an attacker may be able to derive plaintext secrets from the ciphertext of an HTTPS stream.
Angelo Prado of Salesforce.com reports:
Extending the CRIME vulnerability presented at Ekoparty 2012, an attacker can target HTTPS responses to recover data from the response body.
While the CRIME attack is currently believed to be mitigated by disabling TLS/SSL/level compression, compressed HTTP responses represent a significant unmitigated vector which is currently exploitable. By injecting plaintext into an HTTPS request, an attacker can learn information about the corresponding HTTPS response by measuring its size.
This relies on the attacker being able to observe the size of the cipher text received by the browser while triggering a number of strategically crafted requests to a target site. To recover a particular secret in an HTTPS response body, the attacker guesses character by character, sending a pair of requests for each guess. The correct guess will result in a smaller HTTPS response. For each guess the attacker coerces the victim’s browser to issue two requests. The first request includes a payload of the form:
_“target_secret_name=<already known part of secret>+<guess>+<padding>” _
_…while the second request includes a payload of the form: _
_“target_secret_name=<already known part of secret>+<padding>+<guess>”. _
_If the size of the first response is smaller than the second response, this indicates that the guess has a good chance of being correct. This method of sending two similar requests and comparing them is due to Duong and Rizzo. If multiple candidates are found, the following is a useful recovery mechanism: move forward in parallel with both candidates until it becomes clear which guess is correct. _
With a token of length 32 and a character space of size 16 (e.g. hex), the attacker needs an average of approximately 1,000 request if no recovery mechanisms are needed. In practice, we have been able to recover CSRF tokens with fewer than 4,000 requests. A browser like Google Chrome or Internet Explorer is able to issue this number of requests in under 30 seconds, including callbacks to the attacker command & control center.
[In order to conduct the attack, the following conditions must be true]:
A sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream.
We are currently unaware of a practical solution to this problem. Please consider the following workarounds.
Some of these mitigations may protect entire applications, while others may only protect individual web pages.
* Disable HTTP compression.
* Separate the secrets from the user input.
* Randomize the secrets in each client request.
* Mask secrets (effectively randomizing by XORing with a random secret per request).
* Protect web pages from CSRF attacks.
* Obfuscate the length of web responses by adding random amounts of arbitrary bytes.
987798
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: June 19, 2013 Updated: July 30, 2013
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: June 19, 2013 Updated: June 19, 2013
Unknown
We have not received a statement from the vendor.
Notified: June 19, 2013 Updated: June 19, 2013
Unknown
We have not received a statement from the vendor.
Notified: June 19, 2013 Updated: June 19, 2013
Unknown
We have not received a statement from the vendor.
Notified: June 19, 2013 Updated: June 19, 2013
Unknown
We have not received a statement from the vendor.
Notified: June 19, 2013 Updated: June 19, 2013
Unknown
We have not received a statement from the vendor.
Notified: June 19, 2013 Updated: June 19, 2013
Unknown
We have not received a statement from the vendor.
Notified: June 19, 2013 Updated: June 19, 2013
Unknown
We have not received a statement from the vendor.
Group | Score | Vector |
---|---|---|
Base | 2.6 | AV:N/AC:H/Au:N/C:P/I:N/A:N |
Temporal | 2.3 | E:F/RL:W/RC:C |
Environmental | 3.2 | CDP:ND/TD:H/CR:H/IR:H/AR:ND |
Thanks goes to the following individuals for reporting this vulnerability:Angelo Prado, Salesforce.comNeal Harris, SquareYoel Gluck, Salesforce.com
This document was written by Todd Lewellen.
CVE IDs: | CVE-2013-3587 |
---|---|
Date Public: | 2012-09-20 Date First Published: |
breachattack.com/resources/BREACH%20-%20BH%202013%20-%20PRESENTATION.pdf
breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
cwe.mitre.org/data/definitions/310.html
security.stackexchange.com/questions/20406/is-http-compression-safe#20407
www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
71.3%