OpenSSL Patches High-Severity OCSP Bug, Mitigates SWEET32 Attack

2016-09-23T15:47:13
ID THREATPOST:92734AB0515417387ACE7EE44D1D5100
Type threatpost
Reporter Michael Mimoso
Modified 2016-09-23T19:47:13

Description

A vulnerability in the OpenSSL implementation of the Online Certificate Status Protocol (OCSP) was patched this week, closing a denial-of-service weakness in affected servers.

The patch was the most severe of 14 released yesterday by OpenSSL.

OCSP is an alternative in many cases to Certificate Revocation Lists where a client can use the protocol to ping a server requesting the status of a digital certificate.

The vulnerability, CVE-2016-6304, can be exploited by a malicious client by sending a large OCSP Status Request extension.

“If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server,” OpenSSL said in its advisory. “This will eventually lead to a denial of service attack through memory exhaustion.”

Researchers from Qihoo 360 of China privately disclosed the vulnerability.

“A server with default configuration would allow unbounded memory allocation of the OCSP ids every time a renegotiation occurs even if the server is not configured with OCSP,” Qihoo 360 said in its report on the bug. “The OCSP id can, according to the spec, consume up to 65,535 bytes of memory. Theoretically, an attacker could continually reneg with the server thus causing unbounded memory growth on the server up to 64k each time.”

The vulnerability affects default configurations of OpenSSL 1.1.0 and later; versions prior to 1.0.1g are not affected, OpenSSL said. OpenSSL 1.1.0 should be upgraded to 1.1.0a, 1.0.2 to 1.0.2i, and 1.0.1 to 1.0.1u.

“In 1.0.2 an attacker could grow the memory usage on the server by approx 16k per reneg as the maximum overall ClientHello size is set to 16,384 bytes,” Qihoo 360 said. “In version 1.1.0, along with the maximum size of a ClientHello increased to 131,396 bytes, the memory growth would be near 64k per reneg.”

Linux and BSD distributors Debian, Ubuntu, RedHat/CentOS and FreeBSD have also updated their respective software.

Of the remaining 13 vulnerabilities, patched, 12 were rated low severity by OpenSSL. The other was rated moderate severity and could lead to a denial-of-service condition where SSL or TLS would hang during a SSL_peek() call if an empty record is sent. The bug affected OpenSSL 1.1.0 and users are urged to upgrade to 1.1.0a.

OpenSSL also mitigated the SWEET32 vulnerability, CVE-2016-2183. Sweet32 was disclosed in August and affected 64-bit ciphers such as Triple-DES (3DES) and Blowfish and could allow an attacker to recover authentication cookie data from 3DES traffic, and usernames and passwords from OpenVPN traffic, which is secured by Blowfish.

As expected, OpenSSL moved 64-bit ciphers from the high cipherstring group to medium in OpenSSL 1.0.1 and 1.0.2. OpenSSL 1.1.0 disables these ciphersuites by default.

The attack is a collision attack against these ciphers in CBC mode, or cipher block chaining; 64-bit ciphers are still supported in TLS, IPsec, SSH and other protocols. The researchers said that 3DES support for HTTPS servers that show in Alexa’s top website list hovers between 1 percent and 2 percent of traffic on Firefox, Internet Explorer, Chrome and Android 5.0 integrated browser.

SWEET32 is one of the first relatively practical attacks against 64-bit suites, and can be executed with the resources at the disposal of a nation-state or well stocked criminal enterprise.