FreeBSD-SA-03:02.openssl Security Advisory
The FreeBSD Project

Topic: OpenSSL timing-based SSL/TLS attack

Category: core
Module: openssl
Announced: 2003-02-24
Credits: Brice Canvel (EPFL), Alain Hiltgen (UBS),
Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion)
Affects: All FreeBSD versions prior to 4.6.2-RELEASE-p8,
4.7-RELEASE-p5, 5.0-RELEASE-p2
Corrected: 2003-02-20 15:07:20 UTC (RELENG_4)
2003-02-20 17:14:09 UTC (RELENG_5_0)
2003-02-20 20:42:04 UTC (RELENG_4_7)
2003-02-21 16:32:47 UTC (RELENG_4_6)
FreeBSD only: NO

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL
Project is a collaborative effort to develop a robust, commercial-
grade, full-featured, and Open Source toolkit implementing the Secure
Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography

II. Problem Description

- From the OpenSSL Project advisory (see references):

In an upcoming paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge
Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and
demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS.

The attack assumes that multiple SSL or TLS connections involve a
common fixed plaintext block, such as a password. An active attacker
can substitute specifically made-up ciphertext blocks for blocks sent
by legitimate SSL/TLS parties and measure the time until a response
arrives: SSL/TLS includes data authentication to ensure that such
modified ciphertext blocks will be rejected by the peer (and the
connection aborted), but the attacker may be able to use timing
observations to distinguish between two different error cases, namely
block cipher padding errors and MAC verification errors. This is
sufficient for an adaptive attack that finally can obtain the complete
plaintext block.
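The two error paths described above, shown as an added example that is not part of this advisory or of OpenSSL: a record check in the pre-fix shape (early exit on bad padding, MAC never computed) beside one in a hardened shape. It works in Python over an already-decrypted CBC record (data || HMAC-SHA1 || padding); the MAC key, sample data and 8-byte block size are constructed, and the hardened variant follows one common mitigation, assumed here since the advisory does not describe the patch itself: treat invalid padding as pad length 0, still run the MAC, and report a single error.

```python
import hmac
import hashlib

MAC_LEN = 20  # HMAC-SHA1 tag length used by the TLS 1.0 CBC ciphersuites


def build_record(data: bytes, mac_key: bytes, block_size: int = 8) -> bytes:
    """Constructed sample: data || HMAC || padding, i.e. what a CBC record
    decrypts to (the block-cipher layer itself is omitted here)."""
    mac = hmac.new(mac_key, data, hashlib.sha1).digest()
    body = data + mac
    pad = (block_size - (len(body) + 1) % block_size) % block_size
    return body + bytes([pad] * (pad + 1))  # pad+1 bytes, each equal to pad


def vulnerable_check(decrypted: bytes, mac_key: bytes) -> str:
    """Pre-fix shape: bad padding returns at once, so no MAC is computed.
    The two failure paths differ in work done, hence in response time;
    that difference is the distinguishing oracle the advisory describes."""
    pad = decrypted[-1]
    if pad + 1 > len(decrypted) or any(b != pad for b in decrypted[-(pad + 1):]):
        return "decryption_failed"      # early exit, MAC never computed
    body = decrypted[:-(pad + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if hmac.new(mac_key, data, hashlib.sha1).digest() != tag:
        return "bad_record_mac"         # MAC computed, then compared
    return "ok"


def hardened_check(decrypted: bytes, mac_key: bytes) -> str:
    """Hardened shape: record whether padding is valid, but on failure take
    the pad length as 0 and still run the MAC over the remaining bytes, so
    both failure paths do the same work and yield the same single error."""
    pad = decrypted[-1]
    padding_ok = pad + 1 <= len(decrypted) and all(
        b == pad for b in decrypted[-(pad + 1):])
    pad_len = pad + 1 if padding_ok else 0
    body = decrypted[:len(decrypted) - pad_len]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, data, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(expected, tag)  # constant-time comparison
    return "ok" if (padding_ok and mac_ok) else "bad_record_mac"
```

The hardened form removes the padding-versus-MAC distinction this advisory concerns; it does not make the check fully timing-independent, since the MAC input length still varies with the pad length.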

III. Impact

A powerful attacker (one who can intercept and replace network
messages between a client and a server) may be able to obtain
plaintext data from encrypted data streams in TLS/SSL using block
ciphers in CBC mode.

IV. Workaround

Disable the use of ciphersuites which use CBC mode in SSL or TLS. The
method of adjusting the list of acceptable ciphersuites varies from
application to application. See the application's documentation for

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_4_7
(4.7-RELEASE-p5), RELENG_4_6 (4.6.2-RELEASE-p8), or RELENG_5_0
(5.0-RELEASE-p2) security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.6, 4.7, and
5.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4-STABLE systems after 2003/02/14 and FreeBSD 4.8-PRERELEASE systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...penssl4s.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...sl4s.patch.asc

[FreeBSD 5.0 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...penssl50.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...sl50.patch.asc

[FreeBSD 4.7 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...penssl50.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...sl50.patch.asc

[FreeBSD 4.6 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...penssl50.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...sl50.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/doc/en_US.ISO...makeworld.html >.

Note that any statically linked applications that are not part of the
base system (i.e. from the Ports Collection or other 3rd-party sources)
must be recompiled.

All affected applications must be restarted for them to use the
corrected library. Though not required, rebooting may be the easiest
way to accomplish this.


VII. References

<URL: http://www.openssl.org/news/secadv_20030219.txt>
<URL: http://cve.mitre.org/cgi-bin/cvename...=CAN-2003-0078>
<URL: http://www.openssl.org/~bodo/tls-cbc.txt>
<URL: http://lasecwww.epfl.ch/memo_ssl.shtml>