Overview:We have just completed our analysis on the impact of the FREAK vulnerability (CVE-2015-0204) on our NET-OS product. The vulnerability that has been listed in the notice, deal with the ability of a man in the middle (MitM) attacker being able to inject messages into the encrypted stream so that the data can be recovered. The current cost of conducting this attack, is approx. $100 US dollars, and 11 hours of time on an Amazon EC2 compute node for each decrypted stream.
This attack can happen when a vulnerable client and server both support EXPORT cipher lists. When these are supported, an attacker can conduct an RSA to an EXPORT_RSA downgrade attack while offering a weak ephemeral RSA key in a noncompliant role. The CVE-2015-0204 only applies to client code based on OpenSSL.
It is Digi’s position that to mitigate this risk, we suggest that all of our NET-OS customers re-compile their application code to disable ALL EXPORT ciphers for their server code. We also suggest that this be done for client side code as well.
Digi’s current evaluation of the threat to the NETOS system is considered LOW at this time. This is due to the following facts:
However, Digi is committed to reviewing this on a continuous basis. Since Digi is committed to security, we are planning on updating the OpenSSL code within the NETOS product. At this time, no definitive date is scheduled.
- This is a MitM attack, this adds significant complexity, and effectively changes this to a “local” attack, as it is one that cannot be done remotely.
- The cost of breaking the cipher is still quite expensive. When compared to the number of streams that are initiated, this could become expensive quickly.
- This attack would have to be done very quickly, as many connections do not stay around for more than 12+ hours, which at the time (per the references below) it would take to crack this key.
The Attack Process:
Below is the attack process, as defined by Assistant Research Professor Matthew Green of Johns Hopkins University's Information Security Institute in Maryland - See more at: http://thehackernews.com/2015/03/freak-openssl-vulnerability.html#sthash.Py4ZXAbD.dpuf
How to fix:
- In the client's Hello message, it asks for a standard 'RSA' ciphersuite.
- The MITM attacker changes this message to ask for 'export RSA'.
- The server responds with a 512-bit export RSA key, signed with its long-term key.
- The client accepts this weak key due to the OpenSSL/Secure Transport bug.
- The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
- When the client encrypts the 'pre-master secret' to the server, the attacker can now decrypt it to recover the TLS 'master secret'.
- From here on out, the attacker sees plain text and can inject anything it wants.
Since the NETOS product is a product that is provided as a source code product to customers, in order to change the default cipher list for a listening application, this must be done within a Digi’s customers own application code.
Below is an example of lines of code within a customer application supporting an encrypted server application:
static unsigned char cipher_list = SSL_CIPHER_LIST_HTTPS_DEFAULT;
static int cipher_list_len= SSL_CIPHER_LIST_HTTPS_DEFAULT_LEN;
The lines above include the weak ciphers that need to be disabled on the server end. To disable these cipher list, we suggest only using the AES128 or AES256 bit ciphers. To do this, change the lines above to the following:
static unsigned char cipher_list = SSL_CIPHER_LIST_AES_DEFAULT; static int cipher_list_len= SSL_CIPHER_LIST_AES_DEFAULT_LEN;
For client side code, the process is similar. To set the options with the OpenSSL library, the SSL_CTX_set_cipher_list function needs to be called with ciphers that are not EXPORT ciphers. Suggestion is to call with the “AES” list of ciphers.