ID

VAR-200303-0118

CVE

CVE-2003-0131

TITLE

SSL/TLS implementations disclose side channel information via PKCS #1 v1.5 version number extension

DESCRIPTION

The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack.". SSL/TLS implementations that respond distinctively to an incorrect PKCS #1 v1.5 encoded SSL/TLS version number expose the premaster secret to a modified Bleichenbacher attack. An attacker could decrypt a given SSL/TLS session or forge a signature on behalf of a vulnerable application's private RSA key. OpenSSL In RSA Is used for the encryption algorithm, PKCS#1 Secret value shared across the session between the client and server due to inadequate version number handling in the process ) There is a vulnerability that leaks.There is a possibility of decrypting the encrypted communication content. A problem with OpenSSL may leak sensitive information. A user could abuse the response of vulnerable servers to act as an oracle. By sending a large number of adaptive attacks, the possibility exists for a remote user to create a choice of ciphertext encrypted with the private key of the server. OpenSSL Security Advisory [19 March 2003] Klima-Pokorny-Rosa attack on RSA in SSL/TLS =========================================== Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Note that the server's RSA key is not compromised in this attack. OpenSSL releases up to 0.9.6i and 0.9.7a are vulnerable. The enclosed patch modifies SSL/TLS server behaviour to avoid the vulnerability. Security Patch -------------- The following patch can be applied to OpenSSL releases 0.9.6b up to 0.9.6i, 0.9.7, and 0.9.7a. --- s3_srvr.c 29 Nov 2002 11:31:51 -0000 1.85.2.14 +++ s3_srvr.c 19 Mar 2003 18:00:00 -0000 @@ -1447,7 +1447,7 @@ if (i != SSL_MAX_MASTER_KEY_LENGTH) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); + /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ } if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) @@ -1463,30 +1463,29 @@ (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); - goto f_err; + /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ + + /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack + * (https://eprint.iacr.org/2003/052/) exploits the version + * number check as a "bad version oracle" -- an alert would + * reveal that the plaintext corresponding to some ciphertext + * made up by the adversary is properly formatted except + * that the version number is wrong. To avoid such attacks, + * we should treat this just like any other decryption error. */ + p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19"; } } if (al != -1) { -#if 0 - goto f_err; -#else /* Some decryption failure -- use random value instead as countermeasure * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding - * (see RFC 2246, section 7.4.7.1). - * But note that due to length and protocol version checking, the - * attack is impractical anyway (see section 5 in D. Bleichenbacher: - * "Chosen Ciphertext Attacks Against Protocols Based on the RSA - * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12). - */ + * (see RFC 2246, section 7.4.7.1). */ ERR_clear_error(); i = SSL_MAX_MASTER_KEY_LENGTH; p[0] = s->client_version >> 8; p[1] = s->client_version & 0xff; RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ -#endif } s->session->master_key_length= References ---------- Report "Attacking RSA-based Sessions in SSL/TLS" by V. Klima, O. Pokorny, and T. Rosa: https://eprint.iacr.org/2003/052/ The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0131 to this issue. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131 URL for this Security Advisory: https://www.openssl.org/news/secadv_20030319.txt

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

Design Error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Discovery credited to Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa.

SOURCES

LAST UPDATE DATE

2023-12-18T12:40:39.190000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE