OpenSSL Security Advisory

Dmitry Belyavsky beldmit at gmail.com
Wed Sep 9 13:23:36 UTC 2020


Many thanks!

On Wed, Sep 9, 2020 at 4:16 PM Mark J Cox <mark at openssl.org> wrote:

> I just spotted it via twitter, https://raccoon-attack.com/
>
> Mark
>
> On Wed, Sep 9, 2020 at 2:08 PM Dmitry Belyavsky <beldmit at gmail.com> wrote:
> >
> > Could you please let me know when it is available?
> >
> > On Wed, Sep 9, 2020 at 3:51 PM Mark J Cox <mark at openssl.org> wrote:
> >>
> >> They should be releasing their paper very soon (today).
> >>
> >> Regards, Mark
> >>
> >> On Wed, Sep 9, 2020 at 1:45 PM Dmitry Belyavsky <beldmit at gmail.com> wrote:
> >> >
> >> > Is the description of the attack publicly available?
> >> >
> >> > On Wed, Sep 9, 2020 at 3:39 PM OpenSSL <openssl at openssl.org> wrote:
> >> >>
> >> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> >> Hash: SHA512
> >> >>
> >> >> OpenSSL Security Advisory [09 September 2020]
> >> >> =============================================
> >> >>
> >> >> Raccoon Attack (CVE-2020-1968)
> >> >> ==============================
> >> >>
> >> >> Severity: Low
> >> >>
> >> >> The Raccoon attack exploits a flaw in the TLS specification which can lead to
> >> >> an attacker being able to compute the pre-master secret in connections which
> >> >> have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would
> >> >> result in the attacker being able to eavesdrop on all encrypted communications
> >> >> sent over that TLS connection. The attack can only be exploited if an
> >> >> implementation re-uses a DH secret across multiple TLS connections. Note that
> >> >> this issue only impacts DH ciphersuites and not ECDH ciphersuites.
> >> >>
> >> >> OpenSSL 1.1.1 is not vulnerable to this issue: it never reuses a DH secret and
> >> >> does not implement any "static" DH ciphersuites.
> >> >>
> >> >> OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH
> >> >> ciphersuite is used. These static "DH" ciphersuites are ones that start with the
> >> >> text "DH-" (for example "DH-RSA-AES256-SHA"). The standard IANA names for these
> >> >> ciphersuites all start with "TLS_DH_" but excludes those that start with
> >> >> "TLS_DH_anon_".
> >> >>
> >> >> OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS
> >> >> connections in server processes unless the SSL_OP_SINGLE_DH_USE option was
> >> >> explicitly configured. Therefore all ciphersuites that use DH in servers
> >> >> (including ephemeral DH) are vulnerable in these versions. In OpenSSL 1.0.2f
> >> >> SSL_OP_SINGLE_DH_USE was made the default and it could not be turned off as a
> >> >> response to CVE-2016-0701.
> >> >>
> >> >> Since the vulnerability lies in the TLS specification, fixing the affected
> >> >> ciphersuites is not viable. For this reason 1.0.2w moves the affected
> >> >> ciphersuites into the "weak-ssl-ciphers" list. Support for the
> >> >> "weak-ssl-ciphers" is not compiled in by default. This is unlikely to cause
> >> >> interoperability problems in most cases since use of these ciphersuites is rare.
> >> >> Support for the "weak-ssl-ciphers" can be added back by configuring OpenSSL at
> >> >> compile time with the "enable-weak-ssl-ciphers" option. This is not recommended.
> >> >>
> >> >> OpenSSL 1.0.2 is out of support and no longer receiving public updates.
> >> >>
> >> >> Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2w.  If
> >> >> upgrading is not viable then users of OpenSSL 1.0.2v or below should ensure
> >> >> that affected ciphersuites are disabled through runtime configuration. Also
> >> >> note that the affected ciphersuites are only available on the server side if a
> >> >> DH certificate has been configured. These certificates are very rarely used and
> >> >> for this reason this issue has been classified as LOW severity.
> >> >>
> >> >> This issue was found by Robert Merget, Marcus Brinkmann, Nimrod Aviram and Juraj
> >> >> Somorovsky and reported to OpenSSL on 28th May 2020 under embargo in order to
> >> >> allow co-ordinated disclosure with other implementations.
> >> >>
> >> >> Note
> >> >> ====
> >> >>
> >> >> OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
> >> >> support is available for premium support customers:
> >> >> https://www.openssl.org/support/contracts.html
> >> >>
> >> >> OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
> >> >> The impact of this issue on OpenSSL 1.1.0 has not been analysed.
> >> >>
> >> >> Users of these versions should upgrade to OpenSSL 1.1.1.
> >> >>
> >> >> References
> >> >> ==========
> >> >>
> >> >> URL for this Security Advisory:
> >> >> https://www.openssl.org/news/secadv/20200909.txt
> >> >>
> >> >> Note: the online version of the advisory may be updated with additional details
> >> >> over time.
> >> >>
> >> >> For details of OpenSSL severity classifications please see:
> >> >> https://www.openssl.org/policies/secpolicy.html
> >> >> -----BEGIN PGP SIGNATURE-----
> >> >> -----END PGP SIGNATURE-----
> >> >
> >> >
> >> >
> >> > --
> >> > SY, Dmitry Belyavsky
> >
> >
> >
> > --
> > SY, Dmitry Belyavsky
>


-- 
SY, Dmitry Belyavsky
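
The version and ciphersuite rules in the quoted advisory can be turned into an audit check over a server's cipher list. The following is an added example, not part of the original thread and not OpenSSL project code; the helper names, the finding labels and the extra prefixes used to recognise ephemeral and anonymous DH suites ("DHE-", "EDH-", "ADH-", "TLS_DHE_") are assumptions.

```python
import re

# Name patterns quoted in the advisory: static DH suites start with "DH-"
# (OpenSSL names) or "TLS_DH_" but not "TLS_DH_anon_" (IANA names).
STATIC_DH = re.compile(r"^(DH-|TLS_DH_(?!anon_))")
# Assumption: these prefixes cover the remaining finite-field DH suites
# (ephemeral and anonymous); ECDH/ECDHE names never match.
ANY_DH = re.compile(r"^(DH-|DHE-|EDH-|ADH-|TLS_DH_|TLS_DHE_)")

OK, REUSE, STATIC, WEAK = "ok", "dh-reuse", "static-dh", "weak-ssl-ciphers"
NOT_ANALYSED, NOT_COVERED = "not-analysed", "not-covered"


def parse_version(version):
    """Split e.g. '1.0.2za' into ((1, 0, 2), (2, 'za')) so 'za' sorts after 'z'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    letters = m.group(4)
    return tuple(int(m.group(i)) for i in (1, 2, 3)), (len(letters), letters)


def assess(version, cipher):
    """Classify one server ciphersuite for one OpenSSL version (hypothetical helper)."""
    base, patch = parse_version(version)
    if base == (1, 1, 1) or not ANY_DH.match(cipher):
        return OK                  # 1.1.1 is not vulnerable; only DH suites are impacted
    if base == (1, 1, 0):
        return NOT_ANALYSED        # advisory: impact on 1.1.0 has not been analysed
    if base != (1, 0, 2):
        return NOT_COVERED         # version not discussed in the advisory
    if patch <= (1, "e"):
        return REUSE               # reused unless SSL_OP_SINGLE_DH_USE is configured
    if not STATIC_DH.match(cipher):
        return OK                  # 1.0.2f and above: only static DH reuses the secret
    return STATIC if patch <= (1, "v") else WEAK   # 1.0.2w: in weak-ssl-ciphers list


def audit(version, ciphers):
    """Return {cipher: finding} for every suite whose finding is not OK."""
    return {c: f for c in ciphers if (f := assess(version, c)) != OK}


# Constructed sample cipher list, not taken from a real server.
SAMPLE = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA",
          "DH-RSA-AES256-SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    for v in ("1.0.2e", "1.0.2v", "1.0.2w", "1.1.1g"):
        print(v, audit(v, SAMPLE))
```

A "static-dh" finding on 1.0.2v or below corresponds to the advisory's instruction to disable the affected ciphersuites through runtime configuration when upgrading to 1.0.2w is not viable.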