SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Security)  >   OpenSSL
Vendors:   OpenSSL.org
(OpenBSD Issues Fix) Re: OpenSSL Flaw in Processing Padding Errors May Let Remote Users Obtain Certain Plaintext Information
SecurityTracker Alert ID:  1006151
SecurityTracker URL:  http://securitytracker.com/id/1006151
CVE Reference:   CVE-2003-0078
Date:  Feb 23 2003
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 0.9.6i and 0.9.7a
Description:   A vulnerability was reported in OpenSSL when using CBC encryption. A remote user conducting a timing-based adaptive attack against connections with certain types of plaintext information may be able to determine the plaintext.

It is reported that a remote user with access to the encrypted traffic stream can substitute specially crafted cipher text blocks for valid cipher text blocks based on a fixed plaintext block (such as a password). The remote user can then measure the time between the injection and an error response. Timing differences between cipher padding errors and message authentication code (MAC) verification errors may yield enough information so that an adaptive attack can successfully obtain the original plain text block.

According to the report, OpenSSL is intended to treat block cipher padding errors in the same manner as MAC verification errors during record decryption. However, in the affected versions, the MAC verification step was skipped if a padding error was detected, permitting the attack to be successful.
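The difference in work between the two error paths can be seen in a small C sketch, added here as an illustration and not taken from OpenSSL or the OpenBSD patch. The names `check_record`, `probe` and `toy_mac`, the record layout, and the 4-byte toy checksum standing in for the real MAC are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define MAC_LEN 4
#define BAD_RECORD_MAC (-1)
static int mac_calls;   /* instrumentation: MAC computations performed */

/* Toy checksum standing in for the record MAC (assumption; not secure). */
static void toy_mac(const uint8_t *d, size_t n, uint8_t out[MAC_LEN]) {
    uint32_t h = 2166136261u;
    mac_calls++;
    for (size_t i = 0; i < n; i++) h = (h ^ d[i]) * 16777619u;
    for (int i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* TLS-style padding: final byte p preceded by p more bytes of value p.
   Returns the padding size (p + 1), or 0 if the padding is malformed. */
static size_t pad_len(const uint8_t *rec, size_t n) {
    size_t p = rec[n - 1];
    if (p + 1 + MAC_LEN > n) return 0;
    for (size_t i = 1; i <= p; i++) if (rec[n - 1 - i] != p) return 0;
    return p + 1;
}

/* Checks a decrypted record laid out as data || MAC || padding.
   skip_mac_on_bad_pad = 1 reproduces the flawed order of operations. */
int check_record(const uint8_t *rec, size_t n, int skip_mac_on_bad_pad) {
    uint8_t m[MAC_LEN], diff = 0;
    if (n < MAC_LEN + 1) return BAD_RECORD_MAC;
    size_t pl = pad_len(rec, n);
    int bad = (pl == 0);
    if (bad && skip_mac_on_bad_pad) return BAD_RECORD_MAC; /* early exit: no MAC work */
    size_t dl = n - pl - MAC_LEN;  /* pl == 0: MAC still runs, over the unstripped record */
    toy_mac(rec, dl, m);
    for (size_t i = 0; i < MAC_LEN; i++) diff |= m[i] ^ rec[dl + i];
    return (bad | (diff != 0)) ? BAD_RECORD_MAC : 0;
}

/* Builds a constructed 16-byte record (8 data, 4 MAC, 4 padding), flips one
   byte if corrupt_at >= 0, and checks it; mac_calls then holds the MAC count. */
int probe(int corrupt_at, int skip_mac_on_bad_pad) {
    uint8_t rec[16] = "password";
    toy_mac(rec, 8, rec + 8);
    for (int i = 12; i < 16; i++) rec[i] = 3;
    if (corrupt_at >= 0) rec[corrupt_at] ^= 0x55;
    mac_calls = 0;
    return check_record(rec, 16, skip_mac_on_bad_pad);
}
int main(void) { return probe(-1, 0); }
```

With `skip_mac_on_bad_pad` set, a padding error returns without any MAC computation while a MAC error pays for one; with it cleared, both error paths compute exactly one MAC and return the same error.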

The vendor notes that other SSL/TLS implementations may also be affected.

The vendor credits Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) with reporting this flaw.

Impact:   A remote user with access to the encrypted traffic stream and the encryption endpoint may be able to determine certain types of plaintext (repeated, common plain text) by conducting a timing-based adaptive attack.
Solution:   OpenBSD has released the following source code patches:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/007_ssl.patch

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/021_ssl.patch

Vendor URL:  www.openssl.org/news/secadv_20030219.txt
Cause:   State error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  3.1, 3.2

Message History:   This archive entry is a follow-up to the message listed below.
Feb 19 2003 OpenSSL Flaw in Processing Padding Errors May Let Remote Users Obtain Certain Plaintext Information



 Source Message Contents

Subject:  OpenBSD SSL Fix


SECURITY FIX: February 23, 2003

In ssl(8) an information leak can occur via timing by performing a MAC computation even if
incorrect block cipher padding has been found; this is a countermeasure. Also, check for negative
sizes in memory allocation routines. A source code patch exists which fixes these two issues:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/007_ssl.patch

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/021_ssl.patch


 
 



Copyright 2021, SecurityGlobal.net LLC