Entries tagged as padding
cbc gnutls luckythirteen poodle security ssl tls vulnerability berserk bleichenbacher chrome encryption firefox nss openssl 0days 27c3 addresssanitizer adguard adobe aead aes afra aiglx algorithm altushost android antivir antivirus aok apache apt asan auskunftsanspruch axfr azure badkeys barcamp bash berlin bias bigbluebutton blog bodensee botnetz braunschweig browser bsi bsideshn bufferoverflow bugbounty bundesdatenschutzgesetz bundestrojaner bundesverfassungsgericht busby bypass c ca cacert ccc cccamp11 cellular certificate cfb chcounter chromium clamav clang clickjacking cloudflare cmi cms code compiz conflictofinterest cookie crash crypto cryptography csrf cve darmstadt datenschutz deb debian dell deolalikar diffiehellman dingens diploma diplomarbeit distributions dns domain drupal easterhegg edellroot eff email english eplus facebook fedora fileexfiltration firewall fortigate fortinet forwardsecrecy freak freesoftware freewvs frequency fsfe ftp fuzzing gajim gallery gcc gentoo ghost gimp git glibc gnupg gobi google gpg gsm gsoc gstreamer hackerone hacking hannover hash heartbleed helma http https infoleak informationdisclosure internetscan ircbot itsecurity jabber javascript jodconverter joomla karlsruhe kaspersky key keyexchange komodia leak lessig libreoffice linux malware maninthemiddle mantis math md5 memorysafety mephisto microsoft milleniumproblems mitm mobilephones modulobias moodle mozilla mpaa mplayer mrmcd mrmcd100b mrmcd101b multimedia mysql napster nessus netfiltersdk newspaper nist ntp ntpd observatory onlinedurchsuchung openbsc openbts openleaks openpgp openvas osmocombb otr owncloud packagemanagement panda papierlos password passwordalert passwort passwörter pdo pgp phishing php pnp privacy privatekey privdog protocolfilters provablesecurity pss python rand random rc2 redhat rhein rpm rsa rsapss rss s9y salinecourier schlüssel science serendipity server session sha1 sha2 sha256 sha512 shellbot shellshock sicherheit signatures slides smime snallygaster sni sniffing spam sqlinjection squirrelmail staatsanwaltschaft stacktrace study stuttgart subdomain sunras superfish support talk taz thesis tlsdate toendacms transvalid überwachung ubuntu unicef unicode update updates useafterfree userdir utf-8 verschlüsselung virus vlc vortrag vulnerabilities web webapps webmontag websecurity wiesbaden windows windowsxp wiretapping wordpress x509 xgl xine xmpp xsa xss zerodays zugangsdaten zzuf calendar cccamp cccamp15 certificateauthority certificates ipv6 letsencrypt libressl nginx ocsp ocspstapling openbsd planet revocation stadtmitte symantec breach cookies crime heist samesite time bugtracker core coredump github nextcloud segfault webroot webserver
Monday, November 30. 2015
A little POODLE left in GnuTLS (old versions)
tl;dr Older GnuTLS versions (2.x) fail to check the first byte of the padding in CBC modes. Various stable Linux distributions, including Ubuntu LTS and Debian wheezy (oldstable) use this version. Current GnuTLS versions are not affected.A few days ago an email on the ssllabs mailing list catched my attention. A Canonical developer had observed that the SSL Labs test would report the GnuTLS version used in Ubuntu 14.04 (the current long time support version) as vulnerable to the POODLE TLS vulnerability, while other tests for the same vulnerability showed no such issue.
A little background: The original POODLE vulnerability is a weakness of the old SSLv3 protocol that's now officially deprecated. POODLE is based on the fact that SSLv3 does not specify the padding of the CBC modes and the padding bytes can contain arbitrary bytes. A while after POODLE Adam Langley reported that there is a variant of POODLE in TLS, however while the original POODLE is a protocol issue the POODLE TLS vulnerability is an implementation issue. TLS specifies the values of the padding bytes, but some implementations don't check them. Recently Yngve Pettersen reported that there are different variants of this POODLE TLS vulnerability: Some implementations only check parts of the padding. This is the reason why sometimes different tests lead to different results. A test that only changes one byte of the padding will lead to different results than one that changes all padding bytes. Yngve Pettersen uncovered POODLE variants in devices from Cisco (Cavium chip) and Citrix.
I looked at the Ubuntu issue and found that this was exactly such a case of an incomplete padding check: The first byte wasn't checked. I believe this might explain some of the vulnerable hosts Yngve Pettersen found. This is the code:
for (i = 2; i <= pad; i++)
{
if (ciphertext.data[ciphertext.size - i] != pad)
pad_failed = GNUTLS_E_DECRYPTION_FAILED;
}The padding in TLS is defined that the rightmost byte of the last block contains the length of the padding. This value is also used in all padding bytes. However the length field itself is not part of the padding. Therefore if we have e. g. a padding length of three this would result in four bytes with the value 3. The above code misses one byte. i goes from 2 (setting block length minus 2) to pad (block length minus pad length), which sets pad length minus one bytes. To correct it we need to change the loop to end with pad+1. The code is completely reworked in current GnuTLS versions, therefore they are not affected. Upstream has officially announced the end of life for GnuTLS 2, but some stable Linux distributions still use it.
The story doesn't end here: After I found this bug I talked about it with Juraj Somorovsky. He mentioned that he already read about this before: In the paper of the Lucky Thirteen attack. That was published in 2013 by Nadhem AlFardan and Kenny Paterson. Here's what the Lucky Thirteen paper has to say about this issue on page 13:
for (i = 2; i < pad; i++)
{
if (ciphertext->data[ciphertext->size - i] != ciphertext->data[ciphertext->size - 1])
pad_failed = GNUTLS_E_DECRYPTION_FAILED;
}It is not hard to see that this loop should also cover the edge case i=pad in order to carry out a full padding check. This means that one byte of what should be padding actually has a free format.
If you look closely you will see that this code is actually different from the one I quoted above. The reason is that the GnuTLS version in question already contained a fix that was applied in response to the Lucky Thirteen paper. However what the Lucky Thirteen paper missed is that the original check was off by two bytes, not just one byte. Therefore it only got an incomplete fix reducing the attack surface from two bytes to one.
In a later commit this whole code was reworked in response to the Lucky Thirteen attack and there the problem got fixed for good. However that change never made it into version 2 of GnuTLS. Red Hat / CentOS packages contain a backport patch of those changes, therefore they are not affected.
You might wonder what the impact of this bug is. I'm not totally familiar with the details of all the possible attacks, but the POODLE attack gets increasingly harder if fewer bytes of the padding can be freely set. It most likely is impossible if there is only one byte. The Lucky Thirteen paper says: "This would enable, for example, a variant of the short MAC attack of [28] even if variable length padding was not supported.". People that know more about crypto than I do should be left with the judgement whether this might be practically exploitabe.
Fixing this bug is a simple one-line patch I have attached here. This will silence all POODLE checks, however this doesn't apply all the changes that were made in response to the Lucky Thirteen attack. I'm not sure if the code is practically vulnerable, but Lucky Thirteen is a tricky issue, recently a variant of that attack was shown against Amazon's s2n library.
The missing padding check for the first byte got CVE-2015-8313 assigned. Currently I'm aware of Ubuntu LTS (now fixed) and Debian oldstable (Wheezy) being affected.