Microsoft today issued an advisory warning Windows users that Secure Channel, or Schannel, the Windows implementation of SSL/TLS, is vulnerable to the FREAK attack.
Disclosed this week, FREAK (CVE-2015-1637) is the latest big Internet bug. It affects a number of SSL clients, including OpenSSL, and enables attackers to force clients to downgrade to weakened ciphers that can be broken and then supposedly encrypted traffic can be sniffed via man-in-the-middle attacks.
Microsoft warned that Schannel is not immune to FREAK exploits, though it said it has not received any reports of public attacks. Windows users can expect either a security bulletin released on a regularly scheduled Patch Tuesday update, or an out-of-band patch.
Microsoft said that Windows servers are not impacted if in their default configuration, in which export ciphers such as the RSA cipher in question with FREAK are disabled.
Microsoft suggested a few workarounds that include disabling RSA key exchange ciphers via the registry for Windows Server 2003 systems. For later versions of Windows, Microsoft said RSA key exchange ciphers may be disabled using Group Policy Object Editor.
The export ciphers are a remnant of the crypto wars of the 1980s and 1990s; SSL clients will accept the weaker RSA keys without asking for them. The RSA keys in question are 512-bit and were approved by the U.S. government for overseas export and it was assumed that most servers no longer supported them.
“The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today,” cryptographer Matthew Green of Johns Hopkins University wrote in a blog post explaining the vulnerability and its consequences.
“The 512-bit export grade encryption was a compromise between dumb and dumber. In theory it was designed to ensure that the NSA would have the ability to ‘access’ communications, while allegedly providing crypto that was still ‘good enough’ for commercial use. Or if you prefer modern terms, think of it as the original ‘golden master key.'”
Given today’s modern computing power, an attacker could crack the weaker keys in a matter of hours using processing power available from providers such as Amazon, for example.
“What this means is that you can obtain that RSA key once, factor it, and break every session you can get your ‘man in the middle’ mitts on until the server goes down. And that’s the ballgame,” Green said.