by 360 Information Security Department - au2o3t@360 CloudSec Team
1. Primer
Recently, together with DQ430 of the 360 Nirvan Team, we were happy to attend the annual meeting of an encryption vendor; the OpenSSL results also came out to join the fun. Maybe it really was a gift sent by Brother DH, to the misery of us in security operations. hf!
As part of 360's information security practice, the 360 Information Security Department has progressively adhered to best security practices in HTTPS and other SSL areas and gradually made significant changes, such as prohibiting the use of insecure cipher suites on important systems to reduce the SSL attack surface.
While doing today's internal fix work we found something interesting, or rather tried something out: we wanted to determine whether prohibiting insecure cipher suites is effective against today's two high-risk vulnerabilities, CVE-2016-0800 and CVE-2016-0703.
For 0800 the official advisory already states that if none of the affected ciphers are enabled, the server is guaranteed not to be affected, or rather that this is one of the mitigation measures.
0703 is different, however; we spent several hours trying to prove that, with none of those ciphers enabled, it is indeed also unaffected.
The 0703 process is roughly as follows:
client: sends the hello msg (including ciphers and a random number cr)
server: sends the hello msg (including ciphers and a random number sr)
client: sends the master key msg, which specifies a cipher and carries the master key as a cleartext part mkc and a ciphertext part mks (the mkc length can be 0)
server: sends the verify msg
client: sends the finish msg
server: sends the finish msg
Because the client can specify an insecure algorithm in this process (RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export), the ciphertext part is only 40 bits.
From cr, mk = mkc||mks and the received verify msg, the client can compute the server key:
server_key = MD5(mk||"0"||cr||sr)
So we believe the attack conditions still require a suite like RC4_128_WITH_MD5:
a. The key point is that the client specifies an export cipher, so the resulting mks is only 5 bytes.
b. Apart from RC4_128_WITH_MD5, the export suites: by default OpenSSL is compiled with two export ciphers in total:
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
c. The computed server_key is the session key; both parties can compute server_key = MD5(mk||"0"||cr||sr) and client_key = MD5(mk||"1"||cr||sr) (for "||" see RSA PKCS#1 v1.5).
d. The server's response, the verify msg, holds the real mystery: it is where the key is ultimately used. This involves the SSLv2 standard; stay tuned.
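As an added example (not code from the post), the key derivation from point c and the server-side length check on the master key msg, in Python. The suite table, the cr/sr values and the key parts are constructed for the example; the 11-byte clear / 5-byte secret split for the 40-bit export suites is assumed from the 5-byte mks the post mentions.

```python
import hashlib

# Constructed table of the SSLv2 suites the post discusses: the 16-byte
# master key is sent as a cleartext part (mkc) and an RSA-encrypted part (mks).
# For the 40-bit export suites only 5 bytes are secret; for RC4-128 all 16 are.
SSLV2_SUITES = {
    "EXP-RC4-MD5":     {"key_len": 16, "clear_len": 11, "export": True},
    "EXP-RC2-CBC-MD5": {"key_len": 16, "clear_len": 11, "export": True},
    "RC4-MD5":         {"key_len": 16, "clear_len": 0,  "export": False},
}


def client_master_key_accepted(suite, mkc, mks):
    """Server-side validation of the master key msg.

    Returns True only when the key parts match the suite. The first check
    (clear-key length must be 0 for a non-export suite) is the one the
    CVE-2016-0703 description is about: extra clear bytes would otherwise
    displace secret bytes of the master key.
    """
    p = SSLV2_SUITES[suite]
    if not p["export"] and len(mkc) != 0:
        return False
    if len(mkc) != p["clear_len"]:
        return False
    return len(mkc) + len(mks) == p["key_len"]


def derive_session_keys(mkc, mks, cr, sr):
    """Derivation from the post: mk = mkc||mks, server_key = MD5(mk||"0"||cr||sr),
    client_key = MD5(mk||"1"||cr||sr); "||" is byte concatenation."""
    mk = mkc + mks
    server_key = hashlib.md5(mk + b"0" + cr + sr).digest()
    client_key = hashlib.md5(mk + b"1" + cr + sr).digest()
    return server_key, client_key


def secret_key_bits(suite):
    """Master-key bits that an observer of the handshake does not learn."""
    p = SSLV2_SUITES[suite]
    return 8 * (p["key_len"] - p["clear_len"])


if __name__ == "__main__":
    cr, sr = b"\x11" * 16, b"\x22" * 16   # constructed; real values are random
    for suite, mkc, mks in [("EXP-RC4-MD5", b"\x00" * 11, b"\xaa" * 5),
                            ("RC4-MD5", b"", b"\xbb" * 16)]:
        ok = client_master_key_accepted(suite, mkc, mks)
        sk, ck = derive_session_keys(mkc, mks, cr, sr)
        print(suite, "accepted" if ok else "rejected",
              "secret bits =", secret_key_bits(suite), sk.hex()[:8], ck.hex()[:8])
```

The 40 versus 128 secret bits is the whole difference between the export and non-export cases the post compares.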
3. Conclusion
Although we were able to show that the 360 Information Security Department's secure practice can effectively resist CVE-2016-0703 attacks, we still want everyone to follow the official recommendation and apply the corresponding patch. gl! Our basic remediation suggestions follow:
Vulnerability ID: CVE-2016-0703
Vulnerability description: A server using OpenSSL with the SSLv2 protocol enabled can accept a non-zero clear-key length for non-export key components in the SSLv2 handshake; an attacker may use this flaw to decrypt already established encrypted sessions.
Vulnerability rating: high
Vulnerability ID: CVE-2016-0800
Vulnerability description: The SSLv2 protocol has a padding defect; an attacker could use this flaw to decrypt content encrypted with the RSA algorithm in sessions using newer versions of the SSL/TLS protocol. Exploiting it enables the DROWN attack (Decrypting RSA using Obsolete and Weakened eNcryption).
Vulnerability rating: high
Vulnerability details: https://www.openssl.org/news/secadv/20160301.txt
Affected service versions:
Apache: non-2.4.x versions
Nginx: 0.7.64, 0.8.18 and earlier versions
Postfix: versions earlier than 2.9.14, 2.10.8, 2.11.6, 3.0.2 (releases before 2015.07.20)
OpenSSL: 1.0.2a, 1.0.1m, 1.0.0r, 0.9.8zf and earlier versions
OpenSSL version detection: openssl version
If the version is lower than the fixed version, please update OpenSSL.
For a web server: openssl s_client -connect <test domain or IP>:443 -ssl2
For an SMTP server: openssl s_client -connect <test domain or IP>:25 -starttls smtp -ssl2
If the following error message appears, SSLv2 is disabled:
419:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
Repair steps:
(1) Upgrade the OpenSSL package
CentOS and Red Hat can use the following command to upgrade.
The corresponding RPM packages: CentOS 5: openssl-0.9.8e-39.el5_11, openssl-devel-0.9.8e-39.el5_11 and openssl-perl-0.9.8e-39.el5_11