OpenSSL CVE-2016-0800 and CVE-2016-0703 fix details, plus an aside - Vulnerability warning - 黑吧安全网

ID MYHACK58:62201672123
Type myhack58
Reporter 360信息安全部
Modified 2016-03-03T00:00:00



by 360 Information Security Department - au2o3t@360 CloudSec Team

1. Introduction

Recently I had the pleasure, together with DQ430 of the 360 Nirvan Team, of attending an encryption vendor's annual general meeting, and it turned out that OpenSSL was also joining the excitement, perhaps really to send a gift for brother DH, to the misery of us in security operations. hf!

2. Details

As part of 360's information security practice, the "360 Information Security Department" has progressively applied security best practices to HTTPS and other SSL areas and made significant changes, such as prohibiting insecure cipher suites on important systems to reduce the SSL attack surface.

During today's internal remediation work we found something interesting, or rather we tried something: we wanted to determine whether prohibiting insecure cipher suites has an effect on today's two high-risk vulnerabilities, CVE-2016-0800 and CVE-2016-0703.

For 0800, the official advisory already describes that disabling the cipher guarantees you are not affected, or rather that this is one of the mitigation measures.

0703 is different, though. We spent a few hours trying to prove that with the cipher disabled it is indeed also not affected.

The 0703 handshake is roughly as follows:

client: send hello msg (including ciphers and a random number cr)

server: send hello msg (including ciphers and a random number sr)

client: send master key msg, which specifies a cipher and contains the plaintext part of the master key, mkc, and the ciphertext part, mks; the length of mkc may be 0

server: send verify msg

client: send finish msg

server: send finish msg

Because the client can specify an insecure algorithm in this process (RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export), the ciphertext part is only 40 bits.

The client, from cr, mk = mkc||mks and the received verify msg, can calculate the server key:

server_key = MD5(mk||"0"||cr||sr)

So we believe the conditions for the attack still require a suite similar to RC4_128_WITH_MD5:

a. The key point is that the client specifies an export cipher, so the resulting mks is only 5 bytes.

b. Besides RC4_128_WITH_MD5 there are export variants; by default OpenSSL is compiled with a total of two export ciphers:

EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

c. The calculated server_key is the session key; each party can compute server_key = MD5(mk||"0"||cr||sr) and client_key = MD5(mk||"1"||cr||sr) (for "||" see RSA PKCS#1 v1.5).

d. The server's response to the verify msg hides a great mystery: it is the key that is ultimately used, related to the SSLv2 standard. Stay tuned.
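To make points a to c concrete, here is an added example (written for this edit, not code from 360 or from OpenSSL) that parses cipher-suite lines in the `openssl ciphers -v` format quoted above, flags the SSLv2 and export-grade suites a defender should disable, splits a 16-byte SSLv2 master key into the clear part mkc and the RSA-encrypted part mks the way CLIENT-MASTER-KEY sends it (5 bytes for a 40-bit export suite, everything for a non-export suite), and derives server_key and client_key with the MD5 formulas from point c. The suite lines, the master key and the two nonces cr and sr are constructed sample values; the 16-byte master key length is an assumption that holds for the RC4/RC2 suites discussed here.

```python
import hashlib
import re
from dataclasses import dataclass

# Parses one line in the `openssl ciphers -v` format quoted in the text, e.g.
#   EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9-]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    proto: str
    enc: str
    enc_bits: int
    export: bool


def parse_suite(line: str) -> Suite:
    m = CIPHER_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not an 'openssl ciphers -v' line: {line!r}")
    return Suite(m["name"], m["proto"], m["enc"], int(m["bits"]), m["export"] is not None)


def weak_suites(lines):
    """Names of suites a defender should not allow: anything SSLv2 or export-grade."""
    return [s.name for s in map(parse_suite, lines) if s.proto == "SSLv2" or s.export]


def split_master_key(suite: Suite, mk: bytes):
    """Split a 16-byte SSLv2 master key mk into (mkc, mks) as CLIENT-MASTER-KEY sends it.

    For an export suite only enc_bits (40) bits = 5 bytes go out RSA-encrypted (mks);
    the remaining 11 bytes (mkc) travel in clear. For a non-export suite the whole
    key is encrypted and mkc is empty (length 0), as the text describes.
    """
    if len(mk) != 16:
        # Assumption of this example: the 16-byte RC4/RC2 master key.
        raise ValueError("this helper assumes a 16-byte master key")
    if not suite.export:
        return b"", mk
    secret_len = suite.enc_bits // 8
    return mk[:-secret_len], mk[-secret_len:]


def sslv2_keys(mk: bytes, cr: bytes, sr: bytes):
    """Derive (server_key, client_key) with the text's formulas; '||' is concatenation."""
    server_key = hashlib.md5(mk + b"0" + cr + sr).digest()
    client_key = hashlib.md5(mk + b"1" + cr + sr).digest()
    return server_key, client_key


def secret_bits(suite: Suite, mk: bytes) -> int:
    """How many bits of the master key a passive network observer does not see."""
    _, mks = split_master_key(suite, mk)
    return len(mks) * 8


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    mk = bytes(range(16))
    cr = b"C" * 16
    sr = b"S" * 16
    lines = [
        "EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export",
        "EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export",
        "RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5",
    ]
    print("suites to disable:", weak_suites(lines))
    for line in lines:
        s = parse_suite(line)
        mkc, mks = split_master_key(s, mk)
        print(f"{s.name}: mkc={len(mkc)} bytes, mks={len(mks)} bytes, "
              f"secret={secret_bits(s, mk)} bits")
    server_key, client_key = sslv2_keys(mk, cr, sr)
    print("server_key", server_key.hex())
    print("client_key", client_key.hex())
```

Running it shows the difference the text is driving at: for the two export suites only 40 bits of the master key are ever hidden from the wire, while the non-export RC4-MD5 suite hides all 128, which is why the export suites are the ones that matter for the attack and why removing them from the server's cipher list is the mitigation.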

3. Conclusion

Although we were able to show that the safe practice of the "360 Information Security Department" can effectively resist CVE-2016-0703 attacks, we still want everyone to follow the official recommendation and upgrade to the corresponding patch. gl! Below are our basic repair suggestions:

Vulnerability ID: CVE-2016-0703
Vulnerability description: A server that uses OpenSSL and supports the SSLv2 protocol can accept a non-zero clear-key length for non-export ciphers during the SSLv2 connection handshake; an attacker may use this flaw to decrypt an already established encrypted session.
Vulnerability rating: high

Vulnerability ID: CVE-2016-0800
Vulnerability description: The SSLv2 protocol has a padding defect; an attacker could use this flaw to decrypt content encrypted with the RSA algorithm in sessions that use newer versions of the SSL/TLS protocol. Exploiting it leads to the DROWN attack (Decrypting RSA using Obsolete and Weakened eNcryption).
Vulnerability rating: high

Vulnerability details:

Affected service versions:
Apache: versions other than 2.4.x
Nginx: 0.7.64, 0.8.18 and earlier versions
Postfix: versions earlier than 2.9.14, 2.10.8, 2.11.6, 3.0.2 (released before 2015.07.20)
OpenSSL: 1.0.2a, 1.0.1m, 1.0.0r, 0.9.8zf and earlier versions

Detection:

OpenSSL version detection: openssl version
If the version is lower than the fixed version, please update openssl.

For a web server: openssl s_client -connect <test domain or IP>:443 -ssl2

For an SMTP server: openssl s_client -connect <test domain or IP>:25 -starttls smtp -ssl2

If the following error message appears, SSLv2 is disabled:
419:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
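The two detection steps above are easy to get wrong when run across many hosts, so here is an added example (written for this edit, not a 360 or OpenSSL tool) that automates their interpretation: it parses `openssl version` style strings into comparable tuples, compares an installed version against the per-branch cut-offs the text lists as affected, and classifies captured `openssl s_client ... -ssl2` output. The affected-version cut-offs are taken from the text as written; replace them with the values from the advisory you act on. The "Protocol  : SSLv2" marker for a successful SSLv2 session and the "unknown option -ssl2" marker for a client built without SSLv2 are assumptions about s_client's output, and the sample outputs in the main block are constructed.

```python
import re

VERSION_RE = re.compile(r"^\s*(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Newest version per branch that the text lists as affected ("... and earlier versions").
# These are the page's figures; replace them with the cut-offs from the advisory you act on.
AFFECTED_THROUGH = ["1.0.2a", "1.0.1m", "1.0.0r", "0.9.8zf"]


def version_key(text):
    """'1.0.2a' or 'OpenSSL 1.0.1m 19 Mar 2015' -> (1, 0, 2, 'a').

    Patch letters compare as plain strings, which orders '' < 'a' < 'z' < 'za' < 'zf'
    the way OpenSSL's letter suffixes are meant to be read.
    """
    m = VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"no OpenSSL version in {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def is_affected(installed):
    """True/False against AFFECTED_THROUGH; None when the branch is not in the list."""
    inst = version_key(installed)
    for cutoff in map(version_key, AFFECTED_THROUGH):
        if inst[:3] == cutoff[:3]:
            return inst <= cutoff
    return None


# The handshake failure quoted in the text: the server refused the SSLv2 hello.
HANDSHAKE_FAILURE = re.compile(r"SSL2_WRITE:ssl handshake failure")


def sslv2_status(output):
    """Classify `openssl s_client ... -ssl2` output.

    'disabled'        : the handshake failure the text quotes (server refused SSLv2).
    'enabled'         : the session summary reports SSLv2 (assumed marker 'Protocol  : SSLv2').
    'no-sslv2-client' : the client binary rejected the flag (assumed marker 'unknown option
                        -ssl2'); such a run proves nothing about the server, retest elsewhere.
    'unknown'         : none of the above, inspect by hand.
    """
    if "unknown option -ssl2" in output:
        return "no-sslv2-client"
    if HANDSHAKE_FAILURE.search(output):
        return "disabled"
    if re.search(r"Protocol\s*:\s*SSLv2", output):
        return "enabled"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample outputs; the first is the error line quoted in the text.
    samples = {
        "refused": "419:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:",
        "accepted": "CONNECTED(00000003)\nSSL-Session:\n    Protocol  : SSLv2\n    Cipher    : EXP-RC4-MD5\n",
        "old-client": "unknown option -ssl2\nusage: s_client args\n",
    }
    for label, out in samples.items():
        print(f"{label}: {sslv2_status(out)}")
    for v in ["OpenSSL 1.0.1m 19 Mar 2015", "0.9.8zf", "1.0.0q", "2.0.0"]:
        print(f"{v}: affected={is_affected(v)}")
```

The point of the "no-sslv2-client" result is a false negative worth guarding against: a test client that itself lacks SSLv2 support produces a failure that looks like "disabled" to a careless grep, so the check only counts as evidence when the quoted SSL2_WRITE handshake failure comes back from the server.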

Repair steps:
(1). Upgrade the OpenSSL package

CentOS and Red Hat can use the following commands to upgrade:

yum clean all

yum update openssl

The corresponding RPM packages: CentOS 5: openssl-0.9.8e-39.el5_11, openssl-devel-0.9.8e-39.el5_11 and openssl-perl-0.9.8e-39.el5_11
