A team of researchers has disclosed the details of a timing vulnerability, named the Raccoon attack, affecting TLS 1.2 and earlier versions. It is a server-side vulnerability that exploits a side channel rooted in the TLS specification itself rather than in a single implementation. Successful exploitation could allow an attacker to recover the pre-master secret of a connection and read the sensitive communication it protects.
In the paper describing the attack, the researchers say, “The root cause for this side-channel is that the TLS standard encourages non-constant-time processing of the DH secret”.
Raccoon attack overview
According to the advisory published by OpenSSL, “The Raccoon attack exploits a flaw in the TLS specification, which can lead to an attacker being able to compute the pre-master secret in connections that have used a Diffie-Hellman (DH) based cipher suite. In such a case, this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections.”
Raccoon is a complex timing attack and very hard to exploit in practice. Exploiting it requires precise timing measurements, and whether a measurable difference exists at all depends on the configuration of the specific server; in particular, the server must reuse its DH secret across connections.
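As an added illustration (example code written for this page, not from the researchers or any vendor), the following Python shows the two ingredients behind the advisory text above. First, the TLS 1.2 rule that strips leading zero bytes from the DH shared secret, so the length of the pre_master_secret (and therefore the amount of work done on it in the key-derivation PRF) depends on the secret value, whereas TLS 1.3 uses a fixed-width encoding. Second, why reuse of the server's DH secret is the precondition: with the server's private exponent unchanged, an attacker who observed a victim's share Ya can submit Ya·g^r and make the server process Z·Ys^r, a value related to the victim's secret. The prime is intended to be the 1024-bit MODP group of RFC 2409, transcribed here; the demonstration only depends on its byte length. The simulation uses short, deterministic exponents. The timing measurement and the lattice step that turn these observations into the secret are not shown.

```python
import random

# Constructed parameters for the demonstration. P is intended to be the
# 1024-bit MODP prime of RFC 2409 (group 2), transcribed here; the behaviour
# shown depends only on the byte length of p, not on which prime is used.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
P_LEN = (P.bit_length() + 7) // 8   # 128 bytes for a 1024-bit prime


def tls12_premaster(z: int) -> bytes:
    """RFC 5246 section 8.1.2: Z as a big-endian integer with leading
    all-zero bytes stripped before it is used as the pre_master_secret.
    The resulting length therefore depends on the secret itself."""
    return z.to_bytes(P_LEN, "big").lstrip(b"\x00")


def tls13_shared_secret(z: int) -> bytes:
    """RFC 8446 section 7.4.1: fixed width, left-padded to the size of p,
    so every shared secret is processed identically."""
    return z.to_bytes(P_LEN, "big")


def count_short_premasters(server_priv: int, n: int, seed: int = 1) -> int:
    """Simulate n handshakes against a server that keeps reusing server_priv
    and count how many TLS 1.2 pre_master_secrets come out shorter than
    len(p). Roughly 1 in 256 is expected, because the top byte of Z is 0x00
    about that often; TLS 1.3 never produces a short one."""
    rng = random.Random(seed)          # deterministic exponents for the demo
    short = 0
    for _ in range(n):
        client_priv = rng.getrandbits(256) | 1   # short exponent, demo only
        client_pub = pow(G, client_priv, P)
        z = pow(client_pub, server_priv, P)
        if len(tls12_premaster(z)) < P_LEN:
            short += 1
        assert len(tls13_shared_secret(z)) == P_LEN
    return short


def related_shared_secret(server_priv: int, victim_pub: int, r: int):
    """Why DH secret reuse matters. If the server keeps server_priv (b), an
    attacker who saw the victim's share Ya can send Ya * g^r. The server then
    computes (Ya * g^r)^b = Z * Ys^r: a value related to the victim's secret Z
    by a factor the attacker knows. A timing difference that reveals whether
    this value has a leading zero byte leaks information about Z.
    Returns (what the server computes, Z * Ys^r mod p); the two are equal."""
    ys = pow(G, server_priv, P)
    z_victim = pow(victim_pub, server_priv, P)
    attacker_share = (victim_pub * pow(G, r, P)) % P
    z_server_computes = pow(attacker_share, server_priv, P)
    z_related = (z_victim * pow(ys, r, P)) % P
    return z_server_computes, z_related


if __name__ == "__main__":
    rng = random.Random(7)
    server_priv = rng.getrandbits(256) | 1      # reused across connections
    n = 3000
    print(f"{count_short_premasters(server_priv, n)} of {n} TLS 1.2 "
          f"pre_master_secrets were shorter than {P_LEN} bytes")
    victim_pub = pow(G, rng.getrandbits(256) | 1, P)
    a, b = related_shared_secret(server_priv, victim_pub, 5)
    print("server computes Z*Ys^r for the attacker's related share:", a == b)
```

With a fresh server exponent per handshake the related-share trick fails, because Ys changes between the victim's connection and the attacker's; that is exactly the property the SSL Labs "DH public server param (Ys) reuse" check looks for.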
Mozilla, F5 Networks, OpenSSL, and Microsoft have released patches to fix this vulnerability.
- Mozilla tracks this vulnerability as CVE-2020-12413 and addressed it by disabling the DH and DHE cipher suites in Firefox 78; that removal was already planned before the Raccoon disclosure.
- F5 Networks tracks this vulnerability as CVE-2020-5929. Several F5 products were found vulnerable to a “special” version of the attack that does not require precise timing measurements. F5 has published a security advisory to address this vulnerability.
- OpenSSL tracks this vulnerability as CVE-2020-1968. OpenSSL 1.1.1 is not vulnerable to this flaw because it never reuses a DH secret and does not implement any “static” DH cipher suites. OpenSSL has published a security advisory to address this vulnerability.
- Microsoft tracks this vulnerability as CVE-2020-1596. Please refer to the Microsoft security advisory.
The underlying weakness has been present in the TLS specification for over 20 years; TLS 1.3 is not affected.
Test your server
Qualys SSL Labs is a free online service that performs a deep analysis of the configuration of any SSL/TLS web server on the public Internet. Your server may be vulnerable if the report shows “yes” for “DH public server param (Ys) reuse”.
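The SSL Labs check above boils down to connecting more than once with a DHE cipher suite and comparing the server's DH public value Ys across the handshakes. The Python below performs that comparison offline over captured TLS records; it is an added example written for this page, not SSL Labs' own code. It walks the TLS record layer, reassembles the handshake stream (a ServerKeyExchange may span records, and one record may carry several messages), parses the ServerDHParams structure of RFC 5246 section 7.4.3 and flags a repeated Ys. The sample records at the bottom are constructed, with a made-up non-prime p and dummy signature bytes, since only the byte layout matters for the parser.

```python
import struct

HANDSHAKE = 22            # TLS ContentType handshake
SERVER_KEY_EXCHANGE = 12  # HandshakeType server_key_exchange


def handshake_messages(stream: bytes):
    """Yield (msg_type, body) for every handshake message in a byte stream of
    TLS records. Handshake payloads are concatenated first, because a message
    may span records and a record may carry several messages."""
    payload = bytearray()
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        pos += 5
        if ctype == HANDSHAKE:
            payload += stream[pos:pos + length]
        pos += length
    pos = 0
    while pos + 4 <= len(payload):
        msg_type = payload[pos]
        length = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = bytes(payload[pos + 4:pos + 4 + length])
        if len(body) < length:
            break  # truncated capture; stop rather than misparse
        yield msg_type, body
        pos += 4 + length


def parse_server_dh_params(body: bytes):
    """ServerDHParams (RFC 5246 section 7.4.3): three opaque<1..2^16-1>
    fields p, g, Ys, each with a 2-byte length prefix. The signature that
    follows them is not needed for this check."""
    pos, fields = 0, []
    for _ in range(3):
        (length,) = struct.unpack_from("!H", body, pos)
        pos += 2
        fields.append(int.from_bytes(body[pos:pos + length], "big"))
        pos += length
    p, g, ys = fields
    return p, g, ys


def server_key_exchange_ys(stream: bytes):
    """Ys from the first ServerKeyExchange in the stream, or None."""
    for msg_type, body in handshake_messages(stream):
        if msg_type == SERVER_KEY_EXCHANGE:
            return parse_server_dh_params(body)[2]
    return None


def ys_reused(handshakes) -> bool:
    """True if the same DH public value appears in more than one handshake,
    the condition SSL Labs reports as 'DH public server param (Ys) reuse'."""
    seen = set()
    for stream in handshakes:
        ys = server_key_exchange_ys(stream)
        if ys is None:
            continue
        if ys in seen:
            return True
        seen.add(ys)
    return False


# --- constructed sample data (not a real capture) -------------------------
def build_ske_record(p: int, g: int, ys: int) -> bytes:
    """One TLS 1.2 record holding a ServerKeyExchange with dummy signature."""
    def opaque16(n: int) -> bytes:
        b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        return struct.pack("!H", len(b)) + b
    sig = b"\x04\x01" + struct.pack("!H", 4) + b"\xde\xad\xbe\xef"  # dummy
    body = opaque16(p) + opaque16(g) + opaque16(ys) + sig
    hs = bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs


def fragment_record(record: bytes, at: int) -> bytes:
    """Split one handshake record into two at payload offset `at`, to show
    that the parser copes with a ServerKeyExchange spanning records."""
    ctype, version, length = struct.unpack_from("!BHH", record, 0)
    payload = record[5:5 + length]
    first, second = payload[:at], payload[at:]
    return (struct.pack("!BHH", ctype, version, len(first)) + first
            + struct.pack("!BHH", ctype, version, len(second)) + second)


SAMPLE_P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C235  # constructed, not prime

if __name__ == "__main__":
    reusing = [build_ske_record(SAMPLE_P, 2, 0xABCD) for _ in range(3)]
    fresh = [build_ske_record(SAMPLE_P, 2, ys) for ys in (0x1234, 0x5678)]
    print("reusing server:", ys_reused(reusing))   # True
    print("ephemeral server:", ys_reused(fresh))   # False
```

Real input for this check is the raw byte stream of each server's handshake, for example from a packet capture or from the hex dump that OpenSSL's `s_client -msg` prints, decoded back to bytes. Several connections spaced out over time should be compared, since some servers rotate the DH key on a timer rather than per connection.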
Remediation
Apply the patches described in the recently published Microsoft, OpenSSL and F5 advisories.
Workaround/Mitigation detection on F5 products
F5 Networks provides workarounds. Qualys Policy Compliance customers can evaluate whether those workarounds are in place using the following controls; refer to each control's evaluation definition.
1. 18787 Status of Ciphers used in Applied SSL Profiles on LTM Virtual Server
“PASS” Evaluation definition reference:
“matches”
“.+\|:\|.+\|:\|.+\|:\|(!DHE|!ADH).*”
with
“No LTM Servers Found”
“LTM Module Not Loaded (628318530717958)”
“Setting Not Found”
checked
2. 19397 Status of the Ciphers configured in SSL Client profile on the device
“PASS” Evaluation definition reference:
“matches”
“.*\|:\|.*(!DHE|!ADH).*”
with
“LTM Module Not Loaded (628318530717958)”
checked
3. 19415 Status of ‘Unclean Shutdown’ used in Applied SSL Profiles on LTM Virtual Server
“PASS” Evaluation definition reference:
“matches”
“.*\|:\|.*\|:\|.+\|:\|unclean-shutdown enabled”
with
“No LTM Servers Found”
“LTM Module Not Loaded (628318530717958)”
“Setting Not Found”
checked
4. 19416 Status of ‘Enabled Options’ from the ‘Options List’ used in Applied SSL Profiles on LTM Virtual Server
“PASS” Evaluation definition reference:
“matches”
“.*\|:\|.*\|:\|.+\|:\|.*single-dh-use”
with
“No LTM Servers Found”
“LTM Module Not Loaded (628318530717958)”
“Setting Not Found”
checked
Detection
Qualys customers can scan their network with QIDs 91674, 38796, 373445, and 373103 to detect vulnerable assets. Continue to follow Qualys Threat Protection for coverage of the latest vulnerabilities.
References