| Date: | May 5, 2003 |
| Title: | Multiple OpenSSL Vulnerabilities |
| Refs: | CAN-2003-0147, CAN-2003-0131, CAN-2003-0078 |
The information contained in this advisory is provided on an as-is basis. Stonesoft does not make any warranties of any kind with respect to the information contained in this advisory. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL STONESOFT, CORP. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS ADVISORY.
If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.
Between 19 February 2003 and 19 March 2003, OpenSSL announced several timing-based attacks on OpenSSL implementations. These advisories included the following:
Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Their attack requires the attacker to open millions of SSL/TLS connections to the server under attack; the server's behaviour when faced with specially made-up RSA ciphertexts can reveal information that in effect allows the attacker to perform a single RSA private key operation on a ciphertext of its choice using the server's RSA key. Note that the server's RSA key is not compromised in this attack.
Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on.
Typically, it will not have been, because it is not easily possible to do so when using OpenSSL to provide SSL or TLS. The performance impact of blinding appears to be small (a few percent).
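The two RSA countermeasures that the preceding advisories refer to, RSA blinding against the timing attack and a server that never reports a bad PKCS #1 v1.5 block but silently continues with a random premaster secret (the standard defence against the Klima, Pokorny and Rosa extension of the Bleichenbacher attack, as recommended in RFC 2246 section 7.4.7.1), in one added Python example. This is illustrative code written for this page, not OpenSSL's or Stonesoft's implementation; the key (two fixed Mersenne primes), the 8-byte premaster secret and all function names are constructed assumptions.

```python
from math import gcd
import secrets

# Constructed toy RSA key. Two Mersenne primes are used only so that the modulus is
# fixed, fast and large enough (150 bits = 19 bytes) to hold PKCS #1 v1.5 padding;
# real keys use randomly generated primes of 1024 bits or more each.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes
PMS_LEN = 8                     # toy premaster-secret length (TLS uses 48 bytes)


def pkcs1_v15_pad(msg):
    """PKCS #1 v1.5 block type 2: 00 02 <at least 8 non-zero random bytes> 00 <msg>."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(K - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em):
    """Return the payload of a type-2 block, or None if the encoding is malformed."""
    if len(em) != K or em[:2] != b"\x00\x02":
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:                # separator must come after at least 8 padding bytes
        return None
    return em[sep + 1:]


def rsa_encrypt(msg):
    """Client side: pad and encrypt with the public key."""
    return pow(int.from_bytes(pkcs1_v15_pad(msg), "big"), E, N)


def rsa_decrypt_blinded(c):
    """Private-key operation with RSA blinding.

    The secret exponent is applied to c * r^e for a fresh random r, not to c
    itself, so the operand of the slow modular exponentiation (and therefore its
    data-dependent running time) is unrelated to the attacker-chosen ciphertext.
    Multiplying by r^-1 afterwards removes the blinding factor again.
    """
    while True:
        r = secrets.randbelow(N)
        if r > 1 and gcd(r, N) == 1:
            break
    c_blind = (c * pow(r, E, N)) % N
    m = (pow(c_blind, D, N) * pow(r, -1, N)) % N
    return m.to_bytes(K, "big")


def server_premaster_secret(c):
    """Server side of the RSA key exchange with the Bleichenbacher countermeasure.

    A malformed decryption result is never reported to the peer. Instead the
    handshake continues with a random premaster secret, so a forged ciphertext
    fails later at the Finished message exactly like any honest mismatch would,
    and the padding check stops acting as an oracle.
    """
    fallback = secrets.token_bytes(PMS_LEN)
    pms = pkcs1_v15_unpad(rsa_decrypt_blinded(c))
    if pms is None or len(pms) != PMS_LEN:
        return fallback
    return pms
```

In a real implementation the final choice between the decrypted and the fallback secret is made without a data-dependent branch; Python cannot guarantee that, so the block shows the logic of the countermeasure rather than a constant-time implementation of it.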
In a research paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS.
The attack assumes that multiple SSL or TLS connections involve a common fixed plaintext block, such as a password. An active attacker can substitute specifically made-up ciphertext blocks for blocks sent by legitimate SSL/TLS parties and measure the time until a response arrives: SSL/TLS includes data authentication to ensure that such modified ciphertext blocks will be rejected by the peer (and the connection aborted), but the attacker may be able to use timing observations to distinguish between two different error cases, namely block cipher padding errors and MAC verification errors. This is sufficient for an adaptive attack that finally can obtain the complete plaintext block.
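The two error cases the paper distinguishes, shown side by side in an added Python example (written for this page, not the researchers' or OpenSSL's code): a decrypt-and-verify routine that rejects bad padding before doing any MAC work and returns a distinct error, and a hardened routine that always runs the MAC check and reports a single failure. The XOR "block cipher", the keys, the IV and the record layout are constructed stand-ins; only the verification logic is the point.

```python
import hashlib
import hmac

BLOCK = 16      # block size of the (toy) block cipher
MAC_LEN = 32    # HMAC-SHA256 output length

# Constructed keys and IV, fixed so that the example is deterministic.
ENC_KEY = bytes(range(16))
MAC_KEY = b"constructed-mac-key"
IV = bytes(BLOCK)


def toy_block(key, block):
    """Stand-in for the block cipher: XOR with the key (its own inverse).

    It is not secure in any sense; it only gives CBC its chaining structure so the
    record-verification logic below can be shown and tested offline.
    """
    return bytes(a ^ b for a, b in zip(block, key))


def cbc_encrypt(key, iv, pt):
    out, prev = bytearray(), iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_block(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out += prev
    return bytes(out)


def cbc_decrypt(key, iv, ct):
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(toy_block(key, blk), prev))
        prev = blk
    return bytes(out)


def build_record(data):
    """TLS 1.0-style record body: data || MAC(data) || padding, then CBC-encrypted.

    Padding is padlen+1 bytes that all equal padlen (the last byte is the length).
    """
    body = data + hmac.new(MAC_KEY, data, hashlib.sha256).digest()
    padlen = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return cbc_encrypt(ENC_KEY, IV, body + bytes([padlen]) * (padlen + 1))


def verify_leaky(ct):
    """Decrypt-and-verify as the attack assumes: two distinguishable failures."""
    pt = cbc_decrypt(ENC_KEY, IV, ct)
    padlen = pt[-1]
    if padlen + 1 + MAC_LEN > len(pt) or any(b != padlen for b in pt[-padlen - 1:]):
        return "bad_padding"            # replies before any MAC work is done
    body = pt[:len(pt) - padlen - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(MAC_KEY, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return "bad_mac"
    return data


def verify_uniform(ct):
    """Hardened version: always compute the MAC and report a single failure."""
    pt = cbc_decrypt(ENC_KEY, IV, ct)
    padlen = pt[-1]
    pad_ok = padlen + 1 + MAC_LEN <= len(pt) and all(b == padlen for b in pt[-padlen - 1:])
    # On bad padding, carry on as if the padding length were zero, so that a MAC
    # verification is still performed and the reply is not sent early.
    eff = padlen if pad_ok else 0
    body = pt[:len(pt) - eff - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(MAC_KEY, data, hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(expected, mac)
    return data if (pad_ok and mac_ok) else None   # one outcome for both cases
```

The hardened routine is the shape of the fix OpenSSL shipped for this issue: a MAC computation is performed even when the block cipher padding is found to be incorrect, and the peer receives the same alert either way, so neither the reply time nor the error type tells the two cases apart.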
The StoneGate firewall/VPN distribution includes OpenSSL software. OpenSSL is used in StoneGate to secure the intra-system communications between the components of the firewall/VPN system: communications between the engines and the management and log servers, and between the management components and the GUI client, are encrypted using OpenSSL.
Based on the nature of the attacks, a StoneGate system with a properly defined security policy is at minimal risk from the above attacks. The StoneGate firewall/VPN gateways only accept communications from specific management and log servers, and the attacks would require a man-in-the-middle approach, spoofing the IP address of the management system. Stonesoft recommends that the management system always be placed on a trusted network, where all traffic to the system is protected by the StoneGate firewall itself.
StoneGate 2.0.8 and earlier include vulnerable versions of OpenSSL. Stonesoft has released StoneGate 2.0.9, which includes a fixed version of OpenSSL. The new release will be shipped automatically to all customers with valid support and maintenance contracts, and it becomes the latest official 2.0 release of StoneGate.
StoneBeat HA does not use OpenSSL and is not affected.
All StoneBeat clustering products use SSLv3 for control connections.
All SSL-encrypted control communications are passed between the cluster nodes and the management system over the control network, on TCP port 3002. Communication to the StoneBeat control ports should be limited to a minimum in the firewall rulebase, or by using a secure control interface between the cluster nodes and the management system. A secure interface means a network that is not reachable from any network that could be considered a possible source of malicious operations.
There will be a patch for all products in a timely manner. The patches will be available at http://www.stonesoft.com/download/.
Stonesoft's Security Analysis Group's PGP key is available at: ftp://download.stonesoft.com/web/Support/Stonesoft Security Alert.asc
To report or inquire about a security problem with Stonesoft software, contact one or more of the following:
Copyright 2001-2003 Stonesoft Corp. All rights reserved.
Stonesoft, StoneGate and StoneBeat are trademarks or registered trademarks of Stonesoft, Corp. in Finland and other countries. All other company and product names contained herein are property of their respective holders. This advisory may be reproduced and distributed only in its unaltered form and only for non-commercial purposes.