-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-03:06.openssl Security Advisory The FreeBSD Project Topic: OpenSSL timing-based SSL/TLS attack Category: crypto Module: openssl Announced: 2003-03-21 Credits: Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa Affects: All FreeBSD versions prior to 4.6-RELEASE-p12, 4.7-RELEASE-p9, 5.0-RELEASE-p6 Corrected: 2003-03-20 21:07:20 UTC (RELENG_4) 2003-03-21 16:12:34 UTC (RELENG_4_7) 2003-03-21 16:12:03 UTC (RELENG_4_6) 2003-03-21 16:13:06 UTC (RELENG_5_0) FreeBSD only: NO I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial- grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. II. Problem Description This advisory addresses two separate flaws recently fixed in OpenSSL: (1) an RSA timing attack, and (2) the Klima-Pokorny-Rosa attack. - - - From the OpenSSL Project advisories (see references): (1) Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on. (2) Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Their attack requires the attacker to open millions of SSL/TLS connections to the server under attack; the server's behaviour when faced with specially made-up RSA ciphertexts can reveal information that in effect allows the attacker to perform a single RSA private key operation on a ciphertext of its choice using the server's RSA key. Note that the server's RSA key is not compromised in this attack. III. Impact RSA timing attack: An RSA private key may be compromised. Klima-Pokorny-Rosa attack: A vulnerable server, when faced with specially made-up RSA ciphertexts, can reveal information that in effect allows the attacker to perform a single RSA private key operation on a ciphertext of its choice using the server's RSA key. Note that the server's RSA key is not compromised in this attack. IV. Workaround RSA timing attack: Disable the use of RSA or enable RSA blinding in OpenSSL using the RSA_blinding_on() function. The method of adjusting the list of acceptable ciphersuites varies from application to application. See the application's documentation for details. Klima-Pokorny-Rosa attack: Disable the use of ciphersuites which use PKCS #1 v1.5 padding in SSL or TLS. The method of adjusting the list of acceptable ciphersuites varies from application to application. See the application's documentation for details. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_4_7 (4.7-RELEASE-p9), RELENG_4_6 (4.6-RELEASE-p12), or RELENG_5_0 (5.0-RELEASE-p6) security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.6, 4.7, and 5.0 systems which have already been patched for the issues resolved in FreeBSD-SA-03:02.openssl. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:06/openssl.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:06/openssl.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system as described in . Note that any statically linked applications that are not part of the base system (i.e. from the Ports Collection or other 3rd-party sources) must be recompiled. All affected applications must be restarted for them to use the corrected library. Though not required, rebooting may be the easiest way to accomplish this. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Patch - ------------------------------------------------------------------------- RELENG_4 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.2.4.6 src/crypto/openssl/crypto/rsa/rsa_lib.c 1.2.2.7 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.1.2.7 RELENG_4_6 src/UPDATING 1.73.2.68.2.39 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.2.4.2.6.3 src/crypto/openssl/crypto/rsa/rsa_lib.c 1.2.2.3.6.2 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.1.2.3.6.3 src/sys/conf/newvers.sh 1.44.2.23.2.29 RELENG_4_7 src/UPDATING 1.73.2.74.2.11 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.2.4.3.2.2 src/crypto/openssl/crypto/rsa/rsa_lib.c 1.2.2.4.2.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.1.2.5.2.1 src/sys/conf/newvers.sh 1.44.2.26.2.11 RELENG_5_0 src/UPDATING 1.229.2.11 src/crypto/openssl/crypto/rsa/rsa_eay.c 1.8.2.2 src/crypto/openssl/crypto/rsa/rsa_lib.c 1.6.2.2 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.9.2.2 src/sys/conf/newvers.sh 1.6.2.2 - ------------------------------------------------------------------------- VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (FreeBSD) Comment: FreeBSD: The Power To Serve iD8DBQE+e3s9FdaIBMps37IRAufUAKCTht2X617uI3AB8G/RnRLNvmuFUwCffDNW wMVBJ2SE2dSq6JcNdCFT9jA= =PBbA -----END PGP SIGNATURE-----