[UNIX] Stunnel - RSA Timing Attacks and Key Discovery
From: support@securiteam.com
Date: 03/23/03
From: support@securiteam.com To: list@securiteam.com Date: 23 Mar 2003 12:49:47 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Stunnel - RSA Timing Attacks and Key Discovery
------------------------------------------------------------------------
SUMMARY
Stunnel is an SSL wrapper able to act as an SSL client or server, enabling
non-SSL aware applications and servers to utilize SSL encryption.
As we reported previously in "Timing Attack on OpenSSL (OpenSSL Private
Key Disclosure)" <http://www.securiteam.com/unixfocus/5FP0C209FE.html>,
Dan Boneh and David Brumley have successfully implemented an RSA timing
attack against OpenSSL-enabled SSL software, including Stunnel.
DETAILS
Vulnerable systems:
* Stunnel version 3.22 and prior
* Stunnel version 4.04 and prior
Immune systems:
* Stunnel version 3.23
* Stunnel version 4.05
Impact:
If you use an RSA key for an SSL server, a determined cracker could
eventually determine your key. This could be used to impersonate your
server via a man-in-the-middle attack, or to decrypt all SSL connections
between client and server that can be sniffed/etc from the cracker's
location.
Mitigating factors:
The timing attack works best under situations where there is little or no
network lag, such as over a localhost connection. If the attacking host is
more distant, network packets have a larger range of turnaround times, which
may make the attack less successful. However, a very slow CPU on the
Stunnel server (which would process the RSA number crunching more slowly)
may counteract the network lag.
The number of connections an attacking host must make to discover the key
is rather large, enough that you may well notice the increase in your CPU
usage, number of available sockets, or volume of log messages spewing
through your system.
Solution:
* Recompile OpenSSL using the patch[1] they have supplied and then
recompile Stunnel.
Or
* Apply the patch for Stunnel 3.x available at
<http://www.stunnel.org/patches/desc/blinding-3.x_bri.html>
Or the patch for Stunnel 4.x available at
<http://www.stunnel.org/patches/desc/blinding-4.x_bri.html>
And recompile Stunnel.
We expect Stunnel 4.05 and 3.23 will be released which incorporate these
or similar patches.
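
The Stunnel patches linked above are named for RSA blinding. As an added
illustration (not code from this advisory, from Stunnel, or from OpenSSL),
the sketch below shows the blinding arithmetic on a constructed toy key; the
function names and key values are assumptions made for the example.

```python
import secrets
from math import gcd

# Constructed toy key, far too small for real use:
# p = 61, q = 53, n = p*q = 3233, e = 17, d = 2753 (e*d = 1 mod 3120)
N, E, D = 3233, 17, 2753


def decrypt_plain(c, n=N, d=D):
    """Unblinded private-key operation.

    The modular exponentiation runs directly on the ciphertext the peer
    sent, so its running time is a function of that input and of d.
    """
    return pow(c, d, n)


def decrypt_blinded(c, n=N, e=E, d=D, trace=None):
    """Private-key operation with blinding.

    A fresh random r is folded into the ciphertext before exponentiation
    and divided out afterwards, so the value that is actually exponentiated
    is unpredictable to whoever chose c.
    """
    while True:
        r = secrets.randbelow(n - 2) + 2       # r in [2, n-1]
        if gcd(r, n) == 1:                     # r must be invertible mod n
            break
    blinded = (c * pow(r, e, n)) % n           # c' = c * r^e mod n
    if trace is not None:
        trace.append(blinded)                  # record what pow() really sees
    m_blinded = pow(blinded, d, n)             # (c * r^e)^d = m * r mod n
    return (m_blinded * pow(r, -1, n)) % n     # m = (m * r) * r^-1 mod n


def exponentiation_inputs(c, rounds=20):
    """Return the values fed to the private exponentiation for one fixed c."""
    seen = []
    for _ in range(rounds):
        decrypt_blinded(c, trace=seen)
    return seen


if __name__ == "__main__":
    c = pow(65, E, N)                          # encrypt the sample message 65
    print("plain  :", decrypt_plain(c))
    print("blinded:", decrypt_blinded(c))
    print("inputs to pow() for the same c:", exponentiation_inputs(c, 5))
```

The result is identical with and without blinding, while the number handed
to the private exponentiation changes on every call even for a repeated
ciphertext.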
ADDITIONAL INFORMATION
The information has been provided by Brian Hatch <bri@stunnel.org>.