COMMAND

    PKCS#1

SYSTEMS AFFECTED

    Most software using PKCS#1

PROBLEM

    PKCS#1 is the RSA Laboratories standard that specifies how data is
    formatted for  encryption and  signing with  the RSA  public-key
    cryptosystem.  Its intended use is in the construction of digital
    signatures  and  digital  envelopes.   One  use  for  the  digital
    envelopes constructed using  PKCS#1 is to  provide confidentiality
    during the  session key  negotiation of  an SSL-encrypted session:
    the client encrypts the pre-master secret under the server's  RSA
    public key using the block type  2 padding of PKCS#1 v1.5.    The
    SSL protocol  is widely  used to  encrypt traffic  to and from web
    servers to  protect the  privacy of  information such as personal
    data or a  credit card number  as it traverses  the internet.    A
    sophisticated intruder  may be  able to  use the  vulnerability in
    PKCS#1 to recover information from an SSL-encrypted session.   Web
    pages employing SSL are accessed using the HTTPS protocol,  rather
    than the  HTTP protocol.   More information  about PKCS#1  can  be
    found at

        http://www.rsa.com/rsalabs/pubs/PKCS/

    Additional  information  regarding  this  vulnerability  will   be
    available at

        http://www.bell-labs.com

    This vulnerability involves a chosen ciphertext attack  discovered
    by  researcher   Daniel  Bleichenbacher   at  Bell   Labs  against
    interactive key  establishment protocols  that use  PKCS#1  v1.5
    encryption, such as SSL.   The server acts as a  padding  oracle:
    each session-establishment  attempt tells  the intruder whether a
    chosen ciphertext decrypts to a correctly padded block, and  that
    one bit per attempt is  enough to narrow down,  step by step, the
    plaintext of a ciphertext recorded earlier.

    This vulnerability  does not  affect all  PKCS#1-enabled products.
    The attack is not effective against protocols in which there is no
    interactive session  setup, or  where the  error messages returned
    by the server do not distinguish among the types of failures, i.e.
    do not reveal whether the PKCS#1 padding check failed.  Therefore
    this vulnerability does not affect S/MIME or SET.

    Under some circumstances,  an intruder who  is able to  observe an
    SSL-encrypted  session,  and  subsequently  interrogate the server
    involved in the  session, may be  able to recover  the session key
    used in  that session,  and then  recover the  encrypted data from
    that session.   The vulnerability  can only  be exploited  if  the
    intruder is able  to make repeated  session-establishment attempts
    to  the  same  vulnerable  web  server  which  was involved in the
    original  session.   In  addition,  the  server  must return error
    messages  that  distinguish  between  several  modes  of  failure.
    Although the number of session-establishment requests is large (on
    the order of  a million for  a 1024-bit modulus),  it is  vastly
    more efficient than a brute-force search for the session key. Note
    that,  although  web  servers  comprise the majority of vulnerable
    servers, other PKCS#1-enabled  servers may be vulnerable.

    Note that the server's public and private key are not at risk from
    this vulnerability, and that an  intruder is only able to  recover
    data  from  a  single  session  per  attack. Compromising a single
    session  does  not  give  an  intruder  any  additional ability to
    compromise subsequent sessions.  Further, as mentioned above, this
    vulnerability does not affect all PKCS#1-enabled products.
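
    The chosen-ciphertext attack described above, as an added example;
    this is not code from the advisory, from Bell Labs or from RSA. It
    assumes a deliberately tiny RSA key built from two Mersenne primes so
    that it runs in a second or two (the attack never factors anything and
    proceeds identically against a full-size key, only with far more
    queries), and it models the vulnerable server as make_leaky_oracle,
    which answers exactly the question that the "block type is not 02"
    error quoted in the SOLUTION section answers. decrypt_hardened shows
    one countermeasure: on a malformed block the server substitutes a
    random pre-master secret instead of reporting an error, so a forged
    ClientKeyExchange fails the handshake the same way a wrong guess
    would. All function names are hypothetical.

```python
import secrets

# Demo key built from two Mersenne primes so the example is self-contained
# and fast.  Such a modulus is trivially factorable, but the attack below
# never factors anything: it uses only the server's padding oracle.
P, Q = (1 << 127) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def pkcs1_v15_encrypt(n, e, msg):
    """EME-PKCS1-v1_5 block type 2: 00 02 || non-zero padding || 00 || msg."""
    k = (n.bit_length() + 7) // 8
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < k - 3 - len(msg):
        ps += secrets.token_bytes(1).replace(b"\x00", b"")
    return pow(int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big"), e, n)

def pkcs1_v15_unpad(em):
    if em[:2] != b"\x00\x02" or b"\x00" not in em[2:]:
        raise ValueError("bad padding")
    return em[em.index(b"\x00", 2) + 1:]

def make_leaky_oracle(n, d):
    """Vulnerable server: reports whether decryption gave block type 02,
    exactly what the 'block type is not 02' error tells the client."""
    k = (n.bit_length() + 7) // 8
    return lambda c: pow(c, d, n).to_bytes(k, "big")[:2] == b"\x00\x02"

def decrypt_hardened(n, d, c, premaster_len):
    """Countermeasure: a malformed block yields a random pre-master secret,
    not an error, so the handshake fails just as it would for a wrong guess.
    (A production version must also keep the two paths free of timing leaks.)"""
    k = (n.bit_length() + 7) // 8
    try:
        pm = pkcs1_v15_unpad(pow(c, d, n).to_bytes(k, "big"))
        if len(pm) != premaster_len:
            raise ValueError("bad length")
        return pm
    except ValueError:
        return secrets.token_bytes(premaster_len)

def _ceil_div(a, b):
    return -(-a // b)

def bleichenbacher(n, e, c, oracle):
    """Recover m = c^d mod n using only the oracle.  Returns (m, query_count)."""
    k = (n.bit_length() + 7) // 8
    B = 1 << (8 * (k - 2))
    B2, B3 = 2 * B, 3 * B                 # conforming plaintexts lie in [2B, 3B)
    queries = 0

    def conforming(s):                    # c * s^e mod n decrypts to m * s mod n
        nonlocal queries
        queries += 1
        return oracle(c * pow(s, e, n) % n)

    def next_conforming(s):               # linear scan used by steps 2a and 2b
        while not conforming(s):
            s += 1
        return s

    M = [(B2, B3 - 1)]                    # step 1 (blinding) skipped: c conforms already
    s = next_conforming(_ceil_div(n, B3)) # step 2a
    while True:
        new = []                          # step 3: m*s = r*n + x with x in [2B, 3B)
        for a, b in M:
            for r in range(_ceil_div(a * s - B3 + 1, n), (b * s - B2) // n + 1):
                lo, hi = max(a, _ceil_div(B2 + r * n, s)), min(b, (B3 - 1 + r * n) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = []
        for lo, hi in sorted(new):        # merge overlapping or adjacent intervals
            if M and lo <= M[-1][1] + 1:
                M[-1] = (M[-1][0], max(M[-1][1], hi))
            else:
                M.append((lo, hi))
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0], queries       # step 4
        if len(M) > 1:
            s = next_conforming(s + 1)    # step 2b
        else:                             # step 2c: one interval, roughly halve it
            a, b = M[0]
            r = _ceil_div(2 * (b * s - B2), n)
            while True:
                hit = next((t for t in range(_ceil_div(B2 + r * n, b), (B3 - 1 + r * n) // a + 1)
                            if conforming(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1

def run_attack(plaintext=b"pre-master secret"):
    # End to end: encrypt under the demo key, then recover using only the oracle.
    c = pkcs1_v15_encrypt(N, E, plaintext)
    m, queries = bleichenbacher(N, E, c, make_leaky_oracle(N, D))
    k = (N.bit_length() + 7) // 8
    return {"plaintext": plaintext, "queries": queries,
            "recovered": pkcs1_v15_unpad(m.to_bytes(k, "big")),
            "hardened": decrypt_hardened(N, D, c, len(plaintext)),
            "garbage": decrypt_hardened(N, D, 12345, len(plaintext))}
```

    run_attack() returns the recovered pre-master secret together with the
    number of oracle queries it cost. On this toy modulus the count is a few
    thousand, because the ratio n/B that governs step 2a is small; against a
    1024-bit key the same loop needs on the order of a million queries, which
    is what makes the repeated session-establishment attempts visible in
    server logs.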

SOLUTION

    You may  obtain and  install a  patch for  this problem.  Although
    applying vendor patches is  the recommended course of  action, you
    may wish to  consider some of  the following steps  to reduce your
    exposure to this vulnerability.

      Examine your  log files  for repeated  error messages indicating
      failed requests  for session-establishment.  For example,  sites
      using C2Net's Stronghold server would see error messages of  the
      form below; the "block type is not 02" line is exactly  the
      padding-failure signal the attack relies on:

        [Tue Jun 23 22:08:17 1998] SSL accept error
        1575:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type
        is not 02:rsa_pk1.c:207
        1575:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check
        failed:rsa_eay.c:330
        1575:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa
        decrypt:s3_srvr.c:1259

      If you are unable to upgrade for an extended period of time, you
      may wish to consider obtaining a new public/private key pair for
      servers.  Changing  the  key  pair  only protects those sessions
      which may  have been  previously recorded  by an  intruder. This
      does  not  prevent  an  intruder  from launching attacks against
      newly-recorded sessions. This should only be considered in those
      cases  where  upgrading  is  infeasible.  Again,  note  that the
      public/private key pair is not at risk from this vulnerability.

      Avoid using  the same  public/private key  pair across  multiple
      servers.  A session recorded against one server can be  attacked
      by interrogating any other server that holds the same private
      key, so a shared key turns every unpatched host into an oracle
      for all of them.

      A  large  increase  in  CPU  utilization  or network traffic may
      accompany  an  attack.   If  your  web  server  does not provide
      sufficient detail in its logs  to detect failures, you may  wish
      to  look  for  substantial  deviation  from  established   usage
      patterns, which may be indicative of an attack.
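
    A detector for the log pattern just described, as an added example
    that is not part of the advisory or of any vendor's software. It
    parses SSLeay-style error lines of the form quoted above, keeps only
    accept failures whose detail lines carry the distinguishing RSA
    padding error, and raises one alert per burst of at least threshold
    such failures inside a sliding window. The sample log is constructed:
    the advisory's own four lines, one unrelated handshake failure, and a
    25-attempt burst two seconds apart. The window and threshold are
    assumptions to be tuned per site.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Markers of a failure that distinguishes "PKCS#1 padding was wrong" from any
# other handshake problem; all three appear in the advisory's Stronghold sample.
PADDING_MARKERS = ("RSA_padding_check_PKCS1_type_2", "padding check failed",
                   "SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt")
ACCEPT_ERR = re.compile(r"^\[(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] SSL accept error")
_TIME_FMT = "%a %b %d %H:%M:%S %Y"

def padding_failures(log_text):
    """Timestamps of accept errors whose detail lines show an RSA padding failure."""
    found, last = [], None
    for line in log_text.splitlines():
        m = ACCEPT_ERR.match(line)
        if m:
            last = [datetime.strptime(" ".join(m["ts"].split()), _TIME_FMT), False]
            found.append(last)
        elif last is not None and any(k in line for k in PADDING_MARKERS):
            last[1] = True
    return [ts for ts, is_padding in found if is_padding]

def burst_alerts(timestamps, window=timedelta(seconds=60), threshold=20):
    """One (first, last, count) alert per run of >= threshold failures in `window`.
    The threshold is an assumption: legitimate clients trip this error rarely,
    while the attack needs hundreds of thousands of attempts at one server."""
    recent, alerts = deque(), []
    for ts in sorted(timestamps):
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0], ts, len(recent)))
            recent.clear()             # count the next burst separately
    return alerts

# Constructed sample log: the advisory's own four lines, one unrelated failure,
# then a 25-attempt burst of the same padding error two seconds apart.
_FAILURE = ("{ts} SSL accept error\n"
            "{pid}:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:rsa_pk1.c:207\n"
            "{pid}:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:330\n"
            "{pid}:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1259\n")
_UNRELATED = ("[Tue Jun 23 22:30:02 1998] SSL accept error\n"   # constructed, not a padding error
              "1580:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:0\n")

def _burst(start, count, gap=2, pid=1601):
    return "".join(_FAILURE.format(ts=(start + timedelta(seconds=i * gap)).strftime("[%a %b %d %H:%M:%S %Y]"),
                                   pid=pid + i) for i in range(count))

SAMPLE_LOG = (_FAILURE.format(ts="[Tue Jun 23 22:08:17 1998]", pid=1575) + _UNRELATED
              + _burst(datetime(1998, 6, 23, 23, 40, 0), 25))
```

    On SAMPLE_LOG, padding_failures finds 26 padding-related accept errors
    and burst_alerts reports a single alert covering the first twenty of the
    burst; the lone 22:08:17 failure and the unrelated handshake error are
    ignored. A one-off client bug produces an isolated error, whereas the
    attack needs a sustained stream of them against the same server, which
    is the signal the advisory's CPU and traffic heuristic is also looking
    for.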

    Implementors  and  researchers  should  consult  RSA  Laboratories
    Bulletin  Number  7   for  additional  measures   to  reduce   the
    effectiveness of this attack. This document will be available at

        http://www.rsa.com/rsalabs/

    Below is a list of the vendors who have provided information for
    the CERT advisory.

    C2Net Software, Inc.
    -------------------
    C2Net has developed a patch and is deploying new builds to  combat
    this problem. More information is available at:

        http://www.c2.net

    IBM
    ---
    IBM support  has verified  that the  IBM eNetwork  Firewall  v3.2,
    for both AIX and Windows NT, is vulnerable to the SSL attack.  The
    eNetwork Firewall  team expects  to release  a FixPack (patch)  by
    the beginning of July 1998.

    Microsoft Corporation
    ---------------------
    The  Microsoft  Product  Security  Response  Team  has produced an
    update  for  the  following  affected  Microsoft  Internet  server
    software:

        - Microsoft Internet Information Server 3.0 and 4.0
        - Microsoft Site Server 3.0, Commerce Edition
        - Microsoft Site Server, Enterprise Edition
        - Microsoft Exchange 5.0 and 5.5 (for SSL-enabled POP3 and SMTP)

    Microsoft's Internet  server software  provides SSL  2.0, SSL 3.0,
    PCT 1.0, and TLS  1.0 for securing Internet-based  communications.
    These  protocols  are  all  implemented  in  a  single file called
    SCHANNEL.DLL, which  is shared  by the  Microsoft Internet  server
    software listed above. Updating this single file will resolve this
    vulnerability for these Microsoft server products.  No updates are
    required for Internet client software, such as Internet  Explorer.
    This update is now  available. Microsoft strongly recommends  that
    customers  using  secure  SSL  Internet  services  with any of the
    Microsoft  products  listed  above  should  update  to  the latest
    version of SCHANNEL.DLL:

        http://www.microsoft.com/security/bulletins/ms98-002.htm

    For the many that asked, here is the KB article URL which includes
    a  link  to  the  128-bit  version  of  the SSL-fix. Note that the
    version on Microsoft's FTP site is only 40-bit export quality:

        http://support.microsoft.com/support/kb/articles/q148/4/27.asp

    If you are a US or  Canadian resident, you might want to  bookmark
    MS' secure download site at:

        http://mssecure.www.conxion.com/cgi-bin/ntitar.pl

    Netscape Communications Corporation
    -----------------------------------
    Netscape recommends that all customers running Netscape Enterprise
    Server software, Netscape Proxy Server, Netscape Messaging  Server
    and Netscape Collabra Server  download and install a  simple patch
    before  an  attack  ever   happens.   Product  updates  and   full
    information about  the countermeasures  are available  immediately
    from the Netscape Internet site at:

        http://help.netscape.com/products/server/ssldiscovery/index.html

    Open Market, Inc.
    -----------------
    Some of Open Market's products are affected by this vulnerability.
    Patches are available. For more information, go to:

        http://www.openmarket.com/security

    RSA Data Security, Inc.
    -----------------------
    Information from RSA regarding this vulnerability is available at:

        http://www.rsa.com/rsalabs/

    SSLeay
    ------
    Information   and   SSLeay   source   patches   related   to  this
    vulnerability are available at:

        http://www.ssleay.org/announce/

    C2Net Stronghold customers are urged to upgrade as a precaution to
    the latest  version of  Stronghold 2.3,  which supports  this  fix
    as of build 2010 for customers in the US/Canada and build 2051 for
    customers elsewhere.  You can determine which version you are
    running from the output of httpsd -v.