On 2/21/2013 11:12 AM, Mozes, Rachel wrote:
Hi all,

Recently, the OpenSSL Security Advisory sent a message about a new
vulnerability which was found and numbered CVE-2013-0169. This
announcement advises all SSL and TLS users to upgrade their OpenSSL version.

But from a quick Google search, it looks like there is a contradiction
between the OpenSSL description and the description of this issue
on many sites on the web:

http://en.securitylab.ru/nvd/437439.php,
http://www.cvedetails.com/cve/CVE-2013-0169/ and
http://en.securitylab.ru/nvd/437439.php describe this vulnerability as
affecting just "The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0
and 1.2", but in the OpenSSL announcement it's described as also
affecting SSL and TLS 1.0: "They also apply to implementations of
SSL 3.0 and TLS 1.0 that incorporate countermeasures to previous
padding oracle attacks".

It is critical for us to know whether it's a typo in the
OpenSSL announcement or on the sites I noted above. Can anyone please
assist us in clearing up this point?


The OpenSSL security advisory links directly to the original vulnerability report from a serious university. This report explains in great detail that the security issue is in the countermeasures against the old padding attacks. Those countermeasures are mandatory in TLS 1.1 and 1.2 implementations but are also necessary in any implementation of older SSL versions (whose specifications were printed before the countermeasures could be mentioned in their text).

So yes, this applies to all SSL and TLS versions (with the possible exception of the insecure SSL 2), except for the following cases:

- If an SSL/TLS library is vulnerable to the much more serious old
padding attack, the new attack cannot make it worse than using the
old attack.

- If you use the (mostly insecure) RC4 algorithm, the issue does not occur.

- If you use the brand new AES-GCM mode (officially supported only under TLS 1.2), this is safe from the attack and is believed to be secure against all known attacks; but unlike the other algorithm options, AES-GCM stands and falls on the strength of a single key
and a single cryptographic primitive, which increases the risk if
an attack is ever found against that one key/primitive.

The report explains new improved countermeasures that combat both
the old and the new attack, and specifically praises the OpenSSL
fix for being even better than their own demonstration code for
the countermeasures.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
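The difference between the old padding-oracle countermeasure and the new attack that Jakob describes comes down to how much MAC work a receiver does when a record's padding is bad. The following added example (mine, not code from this thread, from OpenSSL or from the report) models that in Python: a leaky check that exits early on a padding error, beside a check that always does a fixed amount of MAC work. The record layout, the helper names and the use of HMAC-SHA1 are assumptions, and since Python is not a constant-time language the returned byte count stands in for the timing signal.

```python
import hmac
import hashlib

# Constructed, simplified model of a decrypted TLS 1.x CBC record (added
# illustration, not OpenSSL's or the report's code):
#   body || MAC || padding || pad_len,  padding = pad_len bytes each equal to pad_len
MAC_LEN = hashlib.sha1().digest_size   # 20: HMAC-SHA1 as in the *_CBC_SHA suites

def mac(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def split_record(rec):
    """Return (body, tag, padding_ok); on bad padding, treat it as zero-length padding
    (the TLS 1.1/1.2 advice) so that a MAC can still be computed."""
    pad_total = rec[-1] + 1
    padding_ok = pad_total + MAC_LEN <= len(rec) and all(b == rec[-1] for b in rec[-pad_total:])
    if not padding_ok:
        pad_total = 1
    end_body = len(rec) - pad_total - MAC_LEN
    return rec[:end_body], rec[end_body:end_body + MAC_LEN], padding_ok

def check_early_exit(key, rec):
    """Leaky: bail out before any MAC work on a padding error.
    Returns (accepted, bytes_fed_to_mac); the second value is the observable 'work'."""
    body, tag, padding_ok = split_record(rec)
    if not padding_ok:
        return False, 0                    # fast path: distinguishable by timing
    return hmac.compare_digest(mac(key, body), tag), len(body)

def check_fixed_work(key, rec):
    """Hardened, in the spirit of the improved countermeasure: always verify the MAC and
    always feed the same total number of bytes to the MAC for a given record length,
    by hashing dummy bytes over the region the padding would have occupied."""
    body, tag, padding_ok = split_record(rec)
    mac_ok = hmac.compare_digest(mac(key, body), tag)
    dummy = rec[len(body):len(rec) - 1 - MAC_LEN]   # empty when padding was rejected
    mac(key, dummy)                                  # result discarded; only the work matters
    return (padding_ok and mac_ok), len(body) + len(dummy)

def build_record(key, body, block=16):
    """Constructed helper: append the MAC and minimal TLS-style padding up to a block multiple."""
    pad_total = block - (len(body) + MAC_LEN) % block
    return body + mac(key, body) + bytes([pad_total - 1]) * pad_total
```

For a valid 48-byte record the early-exit check reports 16 bytes of MAC work and 0 when a padding byte is corrupted, while the fixed-work check reports 27 bytes in both cases.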
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org