Links

Ben Laurie blathering


Another Protocol Bites The Dust

For the last 6 weeks or so, a bunch of us have been working on a really serious issue in SSL. In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end.

To make matters even worse, through a piece of (in retrospect) incredibly bad design, HTTP servers will, under some circumstances, replay that arbitrary prefix in a new authentication context. For example, this is what happens if you configure Apache to require client certificates for one directory but not another. Once it emerges that your request is for a protected directory, a renegotiation will occur to obtain the appropriate client certificate, and then the original request (i.e. the stuff from the bad guy) gets replayed as if it had been authenticated by the client certificate. But it hasn’t.

Not that the picture is all rosy even when client certificates are not involved. Consider the attacker sending an HTTP request of his choosing, ending with the unterminated line “X-Swallow-This: ”. That header will then swallow the real request sent by the real user, and will cause any headers from the real user (including, say, authentication cookies) to be appended to the evil request.
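
The header-swallowing case above, modelled offline as an added example (not code from the original post or from OpenSSL). The epoch-tagged records, the path and the cookie value are constructed, and `swallowed_headers` and `spans_renegotiation` are hypothetical checks a defender might run at the HTTP layer.

```python
import re

# Constructed sample data: plaintext the TLS layer hands to the HTTP parser.
# Each record is (handshake_epoch, bytes). Assumed model: epoch 0 is data
# received before the renegotiation (the injected prefix), epoch 1 is data
# received after it (the real user's request).
ATTACKER_PREFIX = b"GET /attacker-chosen-path HTTP/1.1\r\nX-Swallow-This: "
VICTIM_REQUEST = (b"GET /inbox HTTP/1.1\r\nHost: site.example\r\n"
                  b"Cookie: session=constructed-value\r\n\r\n")
RECORDS = [(0, ATTACKER_PREFIX), (1, VICTIM_REQUEST)]

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")


def parse_request(stream: bytes):
    """Minimal HTTP/1.x head parser: returns (request_line, [(name, value)])."""
    head = stream.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def server_view(records):
    """A server that ignores the boundary sees one continuous byte stream."""
    return parse_request(b"".join(data for _, data in records))


def swallowed_headers(headers):
    """Detection: a header whose value is itself a request line is a red flag."""
    return [name for name, value in headers if REQUEST_LINE.match(value)]


def spans_renegotiation(records):
    """Check: does the first request head mix bytes from more than one epoch?"""
    epochs, buffered = set(), b""
    for epoch, data in records:
        epochs.add(epoch)
        buffered += data
        if b"\r\n\r\n" in buffered:
            break
    return len(epochs) > 1


if __name__ == "__main__":
    line, headers = server_view(RECORDS)
    print(line, headers, swallowed_headers(headers), spans_renegotiation(RECORDS))
```

The parsed request carries the injected request line together with the real user's `Cookie` header, while the user's own request line survives only as the value of `X-Swallow-This`.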

It’s obviously going to take a little while for the world to patch this – and since the news is spreading like wildfire I’ve put up a patch to OpenSSL that bans all renegotiation. I’m sure an official release will follow very shortly.

Note that the patch is against the head of the OpenSSL 0.9.8 development tree (that is, it is against 0.9.8l-dev). You may have to do a little work to patch against other versions. And if you intend to deploy this patch permanently, please change at least the textual version of the version number, which you can find in crypto/opensslv.h. Also note that if you need renegotiation for your site to work, I have no solution for you, other than you redesign your site. Sorry.

31 Comments

  1. Re: “if you need renegotiation for your site to work, I have no solution for you, other than you redesign your site”
    Now to be fair Ben, we have tentative agreement on a proposed fix and we have high hopes for it. Running code even exists for some TLS stacks! I expect an Internet Draft will be proposed publicly tomorrow.

    But it only works if everyone patches!

    Close eyes, hold hands, repeat “I believe in patching all clients and servers, I believe in patching all clients and servers, …”

    Comment by Marsh Ray — 5 Nov 2009 @ 9:01

  3. Isn’t renegotiation how ISA works when used as a front-end for OWA?

    – joat

    Comment by joat — 5 Nov 2009 @ 13:35

  4. Could you clarify “it only works if everyone patches”. Are patched/unpatched incompatible with each other? Are unpatched clients and patched servers still vulnerable to the attack?

    Comment by Pádraig Brady — 5 Nov 2009 @ 14:39

  5. Does this affect SGC (re-)negotiation as well?

    Comment by Mel Harper — 5 Nov 2009 @ 16:14

  6. This is CVE-2009-3555

    Comment by Mark Cox — 5 Nov 2009 @ 16:47

  7. Hey Ben, I’m surprised to see you posting about this issue with such hyperbole. Maybe I don’t understand the full scope of this attack, but I’m pretty sure that I can reproduce it without the need for a fragile MITM attack that relies on renegotiation:

    [img src="https://www.sslsite.com/evil.html"]

    It’s called CSRF.

    Comment by Jules Bonnot — 5 Nov 2009 @ 16:49

  8. The problem seems to have nothing to do with SSL layer but stuff above it. Seems the patch is vs. wrong layer?

    Comment by Adam — 5 Nov 2009 @ 18:28

  11. Will this patch break session resumption?

    Comment by Alex Lam — 6 Nov 2009 @ 1:56

  12. OpenSSL is written by monkeys

    Comment by Anonymous — 6 Nov 2009 @ 6:24

  15. [...] LinksBen Laurie blathering « Another Protocol Bites The Dust [...]

    Pingback by Links » SSL MitM Attack, Part 2 — 6 Nov 2009 @ 12:46

  18. [...] writing about this: Extended subset, Ben Laurie (who has also created a fix). Save / share with [...]

    Pingback by Ny allvarlig brist i SSL/TLS-protokollet | Kryptera - Information och nyheter om krypto — 6 Nov 2009 @ 17:59

  19. [...] and Steve Dispensa from security company PhoneFactor but not publicized pending a fix. There is a temporary workaround from the OpenSSL team, hopefully it’ll be resolved [...]

    Pingback by Blogrotate #5: The Weekly Roundup of News for System Administrators | Pythian Group Blog — 6 Nov 2009 @ 22:51

  20. Appears like session resumption will be broken if this fix is applied by a site – conversely it is testable whether a given ssl site has enforced this patch.

    Comment by Ram — 7 Nov 2009 @ 4:27

  21. In response to comment 7:
    CSRF is normally constrained to some extent by the same-origin policy; this isn’t. In your example, the response to the img request can’t be read by a script — it can only be displayed (and if there were a way for an attacker to read the displayed pixels, that would be a browser bug).

    Comment by David-Sarah Hopwood — 7 Nov 2009 @ 5:02

  22. > OpenSSL is written by monkeys

    I think Linus specifically noted that the OpenBSD committers are a group of *masturbating* monkeys.

    i.e., they care about security~

    Comment by Anonymous Coward — 7 Nov 2009 @ 6:42

  23. [...] reports: “I read on Slashdot a piece of news that is spreading like wildfire: it concerns a fairly serious vulnerability in SSL. In short, it is a classic man-in-the-middle that could exploit the renegotiation of [...]

    Pingback by Barrapunto | Descubierta grave vulnerabilidad en SSL/TLS « El camello, el Leon y el niño. O la evolución del perro al lobo — 7 Nov 2009 @ 11:50

  24. [...] implementations of the protocol. A temporary patch has already been released for OpenSSL, the core of which comes down to completely disabling [...]

    Pingback by В протоколах SSL/TLS найдена критическая уязвимость » Боталка — 7 Nov 2009 @ 13:11

  25. [...] on Slashdot a piece of news that is spreading like wildfire: it concerns a fairly serious vulnerability in SSL. In short, it is a classic man-in-the-middle that could exploit the renegotiation of [...]

    Pingback by Fallo de seguridad SSL y TLS | El mundo de IMD — 7 Nov 2009 @ 15:46

  26. [...] a post on Slashdot, a serious vulnerability in the SSL protocol could allow man-in-the-middle attacks during [...]

    Pingback by NetStorming » Seria vulnerabilidad en SSL — 8 Nov 2009 @ 2:50

  27. [...] implementations of the protocol. A temporary patch has already been released for OpenSSL (update: fixes are available in GnuTLS 2.8.5 and OpenSSL [...]

    Pingback by операционные системы Linux/BSD » В протоколах SSL/TLS найдена критическая уязвимость — 11 Nov 2009 @ 7:52

  28. [...] Laurie of Google was working on the renegotiation flaw around six weeks before it was made public, so it is perhaps unsurprising that 7 of the 24 safe sites are owned by [...]

    Pingback by 78% of most popular HTTPS are still vulnerable « onlinesecurityblog.info — 3 Dec 2009 @ 18:28

  29. [...] dealing with the recent SSL fun, I met Marsh Ray, who found the problem in the first place. Marsh has a website, [...]

    Pingback by Links » Extended Subsets — 17 Dec 2009 @ 17:38

  30. [...] Subset and Links carry extensive technical descriptions of various application protocol issues resulting from this [...]

    Pingback by Digital Threat » Blog Archive » SSL/TSL Protocol Vulnerability — 27 Feb 2010 @ 23:47

  31. [...] been 7 months since the TLS renegotiation problem went public and Opera’s security group have a couple of interesting articles about it. The [...]

    Pingback by Links » TLS Renegotiation, 7 Months On — 9 Jun 2010 @ 9:18
