A little POODLE left in GnuTLS (old versions)

By | October 5, 2017

tl;dr: Older GnuTLS versions (2.x) fail to check the first byte of the padding in CBC modes. Several stable Linux distributions, including Ubuntu LTS and Debian wheezy (oldstable), ship this version. Current GnuTLS versions are not affected.

A few days ago an email on the ssllabs mailing list caught my attention. A Canonical developer had noticed that the SSL Labs test would report the GnuTLS version used in Ubuntu 14.04 (the current long-term support version) as vulnerable to the POODLE TLS vulnerability, while other tests for the same vulnerability showed no such issue.

A little background: The original POODLE vulnerability is a weakness of the old SSLv3 protocol, which is now officially deprecated. POODLE is based on the fact that SSLv3 does not specify the content of the padding in CBC modes, so the padding bytes can contain arbitrary values. A while after POODLE, Adam Langley reported that there is a variant of POODLE in TLS; however, while the original POODLE is a protocol issue, the POODLE TLS vulnerability is an implementation issue. TLS specifies the values of the padding bytes, but some implementations do not check them. Recently Yngve Pettersen reported that there are different variants of this POODLE TLS vulnerability: some implementations only check parts of the padding. This is the reason why different tests sometimes give different results. A test that only changes one byte of the padding will produce a different result than one that changes all padding bytes. Yngve Pettersen uncovered POODLE variants in devices from Cisco (Cavium chip) and Citrix.

for (i = 2; i <= pad; i++)
{
if (ciphertext.data[ciphertext.size - i] != pad)
pad_failed = GNUTLS_E_DECRYPTION_FAILED;
}

TLS defines the padding such that the rightmost byte of the last block contains the length of the padding, and this value is also used for every padding byte. However, the length byte itself is not part of the padding. Therefore a padding length of, e.g., three results in four bytes with the value three: three padding bytes plus the length byte. The above code misses one byte: i runs from 2 (the byte at block length minus 2, directly before the length byte) to pad (the byte at block length minus pad), so it checks only pad minus one padding bytes, and the leftmost padding byte at block length minus (pad+1) is never examined. To correct it the loop needs to end with pad+1. The code is completely reworked in current GnuTLS versions, so they are not affected. Upstream has officially announced the end of life for GnuTLS 2, but some stable Linux distributions still use it.

The story doesn't end here: After I found this bug I talked about it with Juraj Somorovsky. He mentioned that he had already read about this before, in the paper on the Lucky Thirteen attack, published in 2013 by Nadhem AlFardan and Kenny Paterson. Here is what the Lucky Thirteen paper has to say about this issue on page 13:

for (i = 2; i < pad; i++)
{
if (ciphertext->data[ciphertext->size - i] != ciphertext->data[ciphertext->size - 1])
pad_failed = GNUTLS_E_DECRYPTION_FAILED;
}

It is not hard to see that this loop also needs to cover the edge case i=pad in order to carry out a full padding check. This means that one byte of what should be padding actually has a free format.

If you look closely you will notice that this code is actually different from the one I quoted above. The reason is that the GnuTLS version in question already contained a fix that was applied in response to the Lucky Thirteen paper. However, what the Lucky Thirteen paper missed is that the original check was off by two bytes, not only one byte. Therefore it only got an incomplete fix, reducing the attack surface from two bytes to one.
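As an added example (not code from the original post, and not GnuTLS's own code), the three loop bounds discussed above side by side, run against a constructed decrypted TLS CBC record tail. The datum_t struct, the record builder and the probe helpers are assumptions of this example; the loop bodies follow the two snippets quoted on this page plus the pad+1 correction. It shows that the loop quoted in the Lucky Thirteen paper verifies pad-2 of the pad padding bytes, the GnuTLS 2.x loop pad-1, and the corrected bound all of them, and why a test that rewrites every padding byte still gets a rejection from the GnuTLS 2.x check while a test that changes only the leftmost padding byte does not.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same numeric value as GNUTLS_E_DECRYPTION_FAILED in gnutls.h; only non-zero matters here. */
#define GNUTLS_E_DECRYPTION_FAILED (-24)

/* Stand-in for gnutls_datum_t (assumption of this example: only data + size are needed). */
typedef struct { uint8_t *data; size_t size; } datum_t;

typedef int (*pad_check_fn)(const datum_t *ct, unsigned pad);

#define CONTENT_LEN 16                    /* constructed content+MAC filler */
#define BUF_LEN (CONTENT_LEN + 255 + 1)   /* room for the largest pad length byte */

/* Decrypted TLS 1.x CBC record tail as described in the text: the last byte is the
 * padding length `pad`, preceded by `pad` padding bytes that must all equal `pad`. */
static size_t build_record_tail(uint8_t *buf, unsigned pad)
{
    size_t n = CONTENT_LEN + pad + 1;
    memset(buf, 0xAA, CONTENT_LEN);          /* constructed, not a real MAC */
    memset(buf + CONTENT_LEN, (int)pad, pad);
    buf[n - 1] = (uint8_t)pad;
    return n;
}

/* Loop as quoted in the Lucky Thirteen paper: checks size-2 .. size-(pad-1). */
static int check_lucky13_quote(const datum_t *ct, unsigned pad)
{
    int pad_failed = 0;
    unsigned i;
    for (i = 2; i < pad; i++)
        if (ct->data[ct->size - i] != ct->data[ct->size - 1])
            pad_failed = GNUTLS_E_DECRYPTION_FAILED;
    return pad_failed;
}

/* Loop in GnuTLS 2.x (CVE-2015-8313): checks size-2 .. size-pad, still one byte short. */
static int check_gnutls2(const datum_t *ct, unsigned pad)
{
    int pad_failed = 0;
    unsigned i;
    for (i = 2; i <= pad; i++)
        if (ct->data[ct->size - i] != pad)
            pad_failed = GNUTLS_E_DECRYPTION_FAILED;
    return pad_failed;
}

/* Corrected bound from the text: size-2 .. size-(pad+1) covers all `pad` padding bytes.
 * The extra guard rejects a length byte that claims more padding than the record holds. */
static int check_fixed(const datum_t *ct, unsigned pad)
{
    int pad_failed = 0;
    unsigned i;
    if ((size_t)pad + 1 > ct->size)
        return GNUTLS_E_DECRYPTION_FAILED;
    for (i = 2; i <= pad + 1; i++)
        if (ct->data[ct->size - i] != pad)
            pad_failed = GNUTLS_E_DECRYPTION_FAILED;
    return pad_failed;
}

/* Flip padding bytes k = lo..hi (k = 1 is the byte right before the length byte, k = pad
 * the leftmost padding byte; lo > hi leaves the record intact). 1 = `check` rejects it. */
static int corrupt_and_check(pad_check_fn check, unsigned pad, unsigned lo, unsigned hi)
{
    uint8_t buf[BUF_LEN];
    datum_t ct = { buf, build_record_tail(buf, pad) };
    unsigned k;
    for (k = lo; k <= hi && k <= pad; k++)
        buf[ct.size - 1 - k] ^= 0x01;
    return check(&ct, pad) != 0;
}

/* How many of the `pad` padding bytes does `check` actually verify? Corrupt each one alone. */
static unsigned bytes_verified(pad_check_fn check, unsigned pad)
{
    unsigned k, n = 0;
    for (k = 1; k <= pad; k++)
        n += corrupt_and_check(check, pad, k, k);
    return n;
}

int main(void)
{
    unsigned pad;
    for (pad = 1; pad <= 16; pad++)
        printf("pad=%2u  bytes verified: lucky13-quote=%2u  gnutls2=%2u  fixed=%2u\n", pad,
               bytes_verified(check_lucky13_quote, pad), bytes_verified(check_gnutls2, pad),
               bytes_verified(check_fixed, pad));
    return 0;
}
```

corrupt_and_check(check_gnutls2, 8, 1, 8) rejects the record because the byte directly before the length byte is among those changed, while corrupt_and_check(check_gnutls2, 8, 8, 8) is accepted: that single unverified byte is the one-byte POODLE remnant, and a scanner that only rewrites the whole padding cannot see it.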

In a later commit this whole code was reworked in response to the Lucky Thirteen attack, and there the problem got fixed for good. However, that change never made it into version 2 of GnuTLS. Red Hat / CentOS packages contain a backport of those changes, so they are not affected.

You might wonder what the impact of this bug is. I'm not totally familiar with the details of all the possible attacks, but the POODLE attack gets increasingly harder if fewer bytes of the padding can be freely set. It most likely is impossible if there is only one byte. The Lucky Thirteen paper says: "This would allow, for example, a variant of the short MAC attack of [28] even if variable length padding was not supported." People who know more about crypto than I do should be left with the judgement whether this might be practically exploitable.

Fixing this bug is a simple one-line patch I have attached here. This will silence all POODLE checks; however, it does not apply all the changes that were made in response to the Lucky Thirteen attack. I'm not sure if the code is practically vulnerable, but Lucky Thirteen is a tricky issue; recently a variant of that attack was shown against Amazon's s2n library.

The missing padding check for the first byte got CVE-2015-8313 assigned. Currently I'm aware of Ubuntu LTS (now fixed) and Debian oldstable (Wheezy) being affected.
