Many thanks!

On Wed, Sep 9, 2020 at 4:16 PM Mark J Cox <m...@openssl.org> wrote:
> I just spotted it via twitter, https://raccoon-attack.com/
>
> Mark
>
> On Wed, Sep 9, 2020 at 2:08 PM Dmitry Belyavsky <beld...@gmail.com> wrote:
> >
> > Could you please let me know when it is available?
> >
> > On Wed, Sep 9, 2020 at 3:51 PM Mark J Cox <m...@openssl.org> wrote:
> >>
> >> They should be releasing their paper very soon (today).
> >>
> >> Regards, Mark
> >>
> >> On Wed, Sep 9, 2020 at 1:45 PM Dmitry Belyavsky <beld...@gmail.com> wrote:
> >> >
> >> > Is the description of the attack publicly available?
> >> >
> >> > On Wed, Sep 9, 2020 at 3:39 PM OpenSSL <open...@openssl.org> wrote:
> >> >>
> >> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> >> Hash: SHA512
> >> >>
> >> >> OpenSSL Security Advisory [09 September 2020]
> >> >> =============================================
> >> >>
> >> >> Raccoon Attack (CVE-2020-1968)
> >> >> ==============================
> >> >>
> >> >> Severity: Low
> >> >>
> >> >> The Raccoon attack exploits a flaw in the TLS specification which can lead to
> >> >> an attacker being able to compute the pre-master secret in connections which
> >> >> have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would
> >> >> result in the attacker being able to eavesdrop on all encrypted communications
> >> >> sent over that TLS connection. The attack can only be exploited if an
> >> >> implementation re-uses a DH secret across multiple TLS connections. Note that
> >> >> this issue only impacts DH ciphersuites and not ECDH ciphersuites.
> >> >>
> >> >> OpenSSL 1.1.1 is not vulnerable to this issue: it never reuses a DH secret and
> >> >> does not implement any "static" DH ciphersuites.
> >> >>
> >> >> OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH
> >> >> ciphersuite is used. These static "DH" ciphersuites are ones that start with the
> >> >> text "DH-" (for example "DH-RSA-AES256-SHA"). The standard IANA names for these
> >> >> ciphersuites all start with "TLS_DH_" but excludes those that start with
> >> >> "TLS_DH_anon_".
> >> >>
> >> >> OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS
> >> >> connections in server processes unless the SSL_OP_SINGLE_DH_USE option was
> >> >> explicitly configured. Therefore all ciphersuites that use DH in servers
> >> >> (including ephemeral DH) are vulnerable in these versions. In OpenSSL 1.0.2f
> >> >> SSL_OP_SINGLE_DH_USE was made the default and it could not be turned off as a
> >> >> response to CVE-2016-0701.
> >> >>
> >> >> Since the vulnerability lies in the TLS specification, fixing the affected
> >> >> ciphersuites is not viable. For this reason 1.0.2w moves the affected
> >> >> ciphersuites into the "weak-ssl-ciphers" list. Support for the
> >> >> "weak-ssl-ciphers" is not compiled in by default. This is unlikely to cause
> >> >> interoperability problems in most cases since use of these ciphersuites is rare.
> >> >> Support for the "weak-ssl-ciphers" can be added back by configuring OpenSSL at
> >> >> compile time with the "enable-weak-ssl-ciphers" option. This is not recommended.
> >> >>
> >> >> OpenSSL 1.0.2 is out of support and no longer receiving public updates.
> >> >>
> >> >> Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2w. If
> >> >> upgrading is not viable then users of OpenSSL 1.0.2v or below should ensure
> >> >> that affected ciphersuites are disabled through runtime configuration. Also
> >> >> note that the affected ciphersuites are only available on the server side if a
> >> >> DH certificate has been configured. These certificates are very rarely used and
> >> >> for this reason this issue has been classified as LOW severity.
> >> >>
> >> >> This issue was found by Robert Merget, Marcus Brinkmann, Nimrod Aviram and Juraj
> >> >> Somorovsky and reported to OpenSSL on 28th May 2020 under embargo in order to
> >> >> allow co-ordinated disclosure with other implementations.
> >> >>
> >> >> Note
> >> >> ====
> >> >>
> >> >> OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended
> >> >> support is available for premium support customers:
> >> >> https://www.openssl.org/support/contracts.html
> >> >>
> >> >> OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
> >> >> The impact of this issue on OpenSSL 1.1.0 has not been analysed.
> >> >>
> >> >> Users of these versions should upgrade to OpenSSL 1.1.1.
> >> >>
> >> >> References
> >> >> ==========
> >> >>
> >> >> URL for this Security Advisory:
> >> >> https://www.openssl.org/news/secadv/20200909.txt
> >> >>
> >> >> Note: the online version of the advisory may be updated with additional details
> >> >> over time.
> >> >>
> >> >> For details of OpenSSL severity classifications please see:
> >> >> https://www.openssl.org/policies/secpolicy.html
> >> >
> >> > --
> >> > SY, Dmitry Belyavsky
> >
> > --
> > SY, Dmitry Belyavsky
>
--
SY, Dmitry Belyavsky
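
The affected-suite rules from the advisory quoted above, written out as an audit helper. This is an added example, not part of the thread and not OpenSSL code; the function names and the sample suite list are constructed, and the `DHE-`/`EDH-`/`ADH-` prefix test for non-static DH suites is an assumption the advisory does not spell out.

```python
import re

# Constructed sample of configured server suites (OpenSSL and IANA names).
SAMPLE_SUITES = [
    "DH-RSA-AES256-SHA", "DHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
    "ADH-AES128-SHA", "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA", "AES128-SHA",
]

def is_static_dh(name):
    """Advisory rule: 'DH-' prefix, or IANA 'TLS_DH_' except 'TLS_DH_anon_'."""
    if name.startswith("TLS_"):
        return name.startswith("TLS_DH_") and not name.startswith("TLS_DH_anon_")
    return name.startswith("DH-")

def uses_dh(name):
    """Static DH plus ephemeral/anonymous DH (prefix list is an assumption)."""
    return is_static_dh(name) or name.startswith(
        ("DHE-", "EDH-", "ADH-", "TLS_DHE_", "TLS_DH_anon_"))

def affected_suites(version, suites, single_dh_use=False):
    """Return (verdict, suites to disable) for a server, per the advisory text.

    single_dh_use: whether SSL_OP_SINGLE_DH_USE is explicitly set; it only
    matters for 1.0.2e and below, where it was not yet the default.
    """
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    base, letter = m.groups()
    if base == "1.1.1":
        return "not vulnerable", []
    if base == "1.1.0":
        return "not analysed; upgrade to 1.1.1", []
    if base != "1.0.2":
        return "not covered by this advisory", []
    static = [s for s in suites if is_static_dh(s)]
    if letter >= "w":          # moved to weak-ssl-ciphers, off by default
        return "static DH only if built with enable-weak-ssl-ciphers", static
    if letter >= "f" or single_dh_use:
        # A static DH key comes from the certificate, so it is always reused.
        return "static DH suites reuse the DH secret", static
    return "all DH suites reuse the DH secret", [s for s in suites if uses_dh(s)]
```

The returned list is what to exclude from the server's cipher string when upgrading is not possible; export-grade names carrying an `EXP-` prefix are not recognised by this prefix check.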