1
Subject: OpenSSL Ciphersuite Downgrade Attack
2
Origin: other, http://openssl.org/news/secadv_20101202.txt
4
OpenSSL Security Advisory [2 December 2010]
6
OpenSSL Ciphersuite Downgrade Attack
7
=====================================
9
A flaw has been found in the OpenSSL SSL/TLS server code where an old bug
10
workaround allows malicous clients to modify the stored session cache
11
ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one
12
on subsequent connections.
14
The OpenSSL security team would like to thank Martin Rex for reporting this
17
This vulnerability is tracked as CVE-2010-4180
19
OpenSSL JPAKE validation error
20
===============================
22
Sebastian Martini found an error in OpenSSL's J-PAKE implementation
23
which could lead to successful validation by someone with no knowledge
24
of the shared secret. This error is fixed in 1.0.0c. Details of the
25
problem can be found here:
27
http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
29
Note that the OpenSSL Team still consider our implementation of J-PAKE
30
to be experimental and is not compiled by default.
32
This issue is tracked as CVE-2010-4252
37
All versions of OpenSSL contain the ciphersuite downgrade vulnerability.
39
Any OpenSSL based SSL/TLS server is vulnerable if it uses
40
OpenSSL's internal caching mechanisms and the
41
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many applications enable this
42
by using the SSL_OP_ALL option).
44
Users of OpenSSL 0.9.8j or later who do not enable weak ciphersuites are
45
still vulnerable but the bug has no security implications as the attacker can
46
only change from one strong ciphersuite to another.
48
All users of OpenSSL's experimental J-PAKE implementation are vulnerable
49
to the J-PAKE validation error.
51
Recommendations for users of OpenSSL
52
=====================================
54
Users of all OpenSSL 0.9.8 releases including 0.9.8p should update
55
to the OpenSSL 0.9.8q release which contains a patch to correct this issue.
57
Alternatively do not set the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
58
and/or SSL_OP_ALL flags.
60
Users of OpenSSL 1.0.0 releases should update to the OpenSSL 1.0.0c release
61
which contains a patch to correct this issue and also contains a corrected
62
version of the CVE-2010-3864 vulnerability fix.
64
If upgrading is not immediately possible, the relevant source code patch
65
provided in this advisory should be applied.
67
Any user of OpenSSL's J-PAKE implementaion (which is not compiled in by
68
default) should upgrade to OpenSSL 1.0.0c.
75
ssl/s3_srvr.c | 5 +++++
76
2 files changed, 8 insertions(+)
78
Index: b/ssl/s3_clnt.c
79
===================================================================
82
@@ -815,8 +815,11 @@ int ssl3_get_server_hello(SSL *s)
83
s->session->cipher_id = s->session->cipher->id;
84
if (s->hit && (s->session->cipher_id != c->id))
86
+/* Workaround is now obsolete */
89
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
92
al=SSL_AD_ILLEGAL_PARAMETER;
93
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
94
Index: b/ssl/s3_srvr.c
95
===================================================================
98
@@ -927,6 +927,10 @@ int ssl3_get_client_hello(SSL *s)
102
+/* Disabled because it can be used in a ciphersuite downgrade
103
+ * attack: CVE-2010-4180.
106
if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
108
/* Special case as client bug workaround: the previously used cipher may
109
@@ -941,6 +945,7 @@ int ssl3_get_client_hello(SSL *s)
116
/* we need to have the cipher in the cipher