COMMAND
PKCS#1
SYSTEMS AFFECTED
Most software using PKCS#1
PROBLEM
PKCS#1 is a standard for encrypting data using the RSA public-key
cryptosystem. Its intended use is in the construction of digital
signatures and digital envelopes. One use for the digital
envelopes constructed using PKCS#1 is to provide confidentiality
during the session key negotiation of an SSL-encrypted session.
The SSL protocol is widely used to encrypt traffic to and from web
servers to protect the privacy of information such as personal
data or a credit card number, as it traverses the internet. A
sophisticated intruder may be able to use the vulnerability in
PKCS#1 to recover information from an SSL-encrypted session. Web
pages employing SSL are accessed using the HTTPS protocol, rather
than the HTTP protocol. More information about PKCS#1 can be
found at
http://www.rsa.com/rsalabs/pubs/PKCS/
Additional information regarding this vulnerability will be
available at
http://www.bell-labs.com
This vulnerability involves a chosen ciphertext attack discovered
by researcher Daniel Bleichenbacher at Bell Labs against
interactive key establishment protocols that use PKCS1, such as
SSL.
This vulnerability does not affect all PKCS#1-enabled products.
The attack is not effective against protocols in which there is
not an interactive session setup, or where the error messages
returned by the server do not distinguish among the types of
failures. In particular, this vulnerability does not affect S/MIME
or SET.
Under some circumstances, an intruder who is able to observe an
SSL-encrypted session, and subsequently interrogate the server
involved in the session, may be able to recover the session key
used in that session, and then recover the encrypted data from
that session. The vulnerability can only be exploited if the
intruder is able to make repeated session-establishment attempts
to the same vulnerable web server which was involved in the
original session. In addition, the server must return error
messages that distinguish between several modes of failure.
Although the number of session-establishment requests is large, it
is significantly more efficient than a brute-force attack against
the session key. Note that, although web servers comprise the
majority of vulnerable servers, other PKCS#1-enabled servers may
be vulnerable.
Note that the server's public and private key are not at risk from
this vulnerability, and that an intruder is only able to recover
data from a single session per attack. Compromising a single
session does not give an intruder any additional ability to
compromise subsequent sessions. Further, as mentioned above, this
vulnerability does not affect all PKCS#1-enabled products.
SOLUTION
You may obtain and install a patch for this problem. Although
applying vendor patches is the recommended course of action, you
may wish to consider some of the following steps to reduce your
exposure to this vulnerability.
Examine your log files for repeated error messages indicating
failed requests for session-establishment. For example, sites
using C2Net's Stronghold server would see error messages of the
form
[Tue Jun 23 22:08:17 1998] SSL accept error
1575:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type
is not 02:rsa_pk1.c:207
1575:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check
failed:rsa_eay.c:330
1575:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa
decrypt:s3_srvr.c:1259
If you are unable to upgrade for an extended period of time, you
may wish to consider obtaining a new public/private key pair for
servers. Changing the key pair only protects those sessions
which may have been previously recorded by an intruder. This
does not prevent an intruder from launching attacks against
newly-recorded sessions. This should only be considered in those
cases where upgrading is infeasible. Again, note that the
public/private key pair is not at risk from this vulnerability.
Avoid using the same public/private key pair across multiple
servers.
A large increase in CPU utilization or network traffic may
accompany an attack. If your web server does not provide
sufficient detail in its logs to detect failures, you may wish
to look for substantial deviation from established usage
patterns, which may be indicative of an attack.
Implementors and researchers should consult RSA Laboratories
Bulletin Number 7 for additional measures to reduce the
effectiveness of this attack. This document will be available at
http://www.rsa.com/rsalabs/
Below is a list of the vendors who have provided information for
CERT advisory.
C2Net Software, Inc.
-------------------
C2Net has developed a patch and is deploying new builds to combat
this problem. More information is available at:
http://www.c2.net
IBM
---
It is verified with IBM support that the IBM eNetwork Firewall
v3.2 for both AIX and Windows NT are vulnerable to the SSL attack.
The eNetwork Firewall team expects to release a FixPack (patch)
by beginning of July 1998.
Microsoft Corporation
---------------------
The Microsoft Product Security Response Team has produced an
update for the following affected Microsoft Internet server
software:
- Microsoft Internet Information Server 3.0 and 4.0
- Microsoft Site Server 3.0, Commerce Edition
- Microsoft Site Server, Enterprise Edition
- Microsoft Exchange 5.0 and 5.5 (for SSL-enabled POP3 and SMTP)
Microsoft's Internet server software provides SSL 2.0, SSL 3.0,
PCT 1.0, and TLS 1.0 for securing Internet-based communications.
These protocols are all implemented in a single file called
SCHANNEL.DLL, which is shared by the Microsoft Internet server
software listed above. Updating this single file will resolve this
vulnerability for these Microsoft server products. No updates are
required for Internet client software, such as Internet Explorer.
This update is now available. Microsoft strongly recommends that
customers using secure SSL Internet services with any of the
Microsoft products listed above should update to the latest
version of SCHANNEL.DLL:
http://www.microsoft.com/security/bulletins/ms98-002.htm
For the many that asked, here is the KB article URL which includes
a link to the 128-bit version of the SSL-fix. Note that the
version on Microsoft's FTP site is only 40-bit export quality:
http://support.microsoft.com/support/kb/articles/q148/4/27.asp
If you are a US or Canadian resident, you might want to bookmark
MS' secure download site at;
http://mssecure.www.conxion.com/cgi-bin/ntitar.pl
Netscape Communications Corporation
-----------------------------------
Netscape recommends that all customers running Netscape Enterprise
Server software, Netscape Proxy Server, Netscape Messaging Server
and Netscape Collabra Server download and install a simple patch
before an attack ever happens. Product updates and full
information about the countermeasures are available immediately
from the Netscape Internet site at:
http://help.netscape.com/products/server/ssldiscovery/index.html
Open Market, Inc.
-----------------
Some of Open Market's products are affected by this vulnerability.
Patches are available. For more information, go to:
http://www.openmarket.com/security
RSA Data Security, Inc.
-----------------------
Information from RSA regarding this vulnerability is available at:
http://www.rsa.com/rsalabs/
SSLeay
------
Information and SSLeay source patches related to this
vulnerability are available at:
http://www.ssleay.org/announce/
Customers are urged to upgrade as a precaution to the latest
version of Stronghold 2.3, which supports this fix as of build
2010 for customers in the US/Canada, build 2051 for customers
elsewhere. You can determine which version you are running from
the output of httpsd -v.