Restart glitch could have enabled man-in-the-middle attacks

GnuTLS has patched a security flaw that made TLS 1.3 sessions vulnerable to attack

Open source cryptographic library GnuTLS has moved swiftly to patch a security flaw that made TLS 1.3 sessions vulnerable to attack when they were interrupted and then resumed.

GnuTLS is a communications library for implementing SSL, TLS, and DTLS protocols. It allows client applications to start secure sessions and provides an API to access these protocols, as well as APIs to parse and write X.509, PKCS #12, and other cryptographic structures.

For more than a year, the technology has been vulnerable to man-in-the-middle attacks that might have allowed an attacker to eavesdrop on sessions or manipulate data, according to security research.

Session resumption glitch

Fiona Klute, who discovered the GnuTLS bug, says she first uncovered evidence of problems while working on session resumption support for proxy connections in mod_gnutls.

Her setup consisted of two Apache servers with mod_gnutls: a frontend server to cache session tickets and try to resume sessions, and a backend server designed to issue and use session tickets.

The security bug emerged when she restarted the backend server to invalidate the session ticket the frontend server had cached – only to find that afterwards the session still resumed as normal.

“That absolutely shouldn’t happen because the tickets are supposed to be encrypted with a random key,” she told The Daily Swig. “So, I started investigating.”

Ticket to ride

It turned out that, when a session was halted and then resumed, GnuTLS servers were not encrypting the contents of the session ticket as they should have been.

This, in theory, could have allowed anyone to read and use the ticket, either to impersonate the server, or, depending on the TLS version, to decrypt captured data.

“To decrypt TLS 1.2 sessions – and probably TLS 1.3 early data, I haven’t tested but it should be possible – you’d need to be able to capture network data somewhere between your targets, anything from listening on an open WiFi to state attackers doing bulk surveillance,” says Klute.

“So, you can’t attack random people over the internet, but if you already have access to a target’s network traffic it’s easy.”


Meanwhile, she says, an attacker already in a man-in-the-middle (MitM) position could have harnessed the security weakness to impersonate a server in order to eavesdrop on TLS 1.3 sessions or manipulate data.

“I’d say getting into the MitM position is the real hurdle here; the rest is a bit of time spent programming and testing,” she says.

It’s unclear how many users could have been affected. Encryption works correctly after the first rotation of the key used to protect tickets, safeguarding the server until the next restart, which by default happens after 18 hours.

“The scale is hard to judge,” says Klute. “It would depend on how widespread unpatched TLS servers using GnuTLS are, and also how often they are restarted.”
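The restart test that exposed the problem can be written as a regression check. The sketch below is an added example, not GnuTLS or mod_gnutls code: `ToyTicketServer`, `FIXED_KEY` and the SHA-256 stand-in cipher are hypothetical, and the flaw is modelled as a fixed, non-random ticket key in use from startup until the first rotation, which is an assumption of this model rather than a detail given in the article.

```python
import hashlib
import hmac
import os

FIXED_KEY = bytes(32)  # assumption: models a non-random key in use before the first rotation

def _keystream(key, nonce, n):
    # SHA-256 in counter mode: a stand-in cipher for this sketch, not GnuTLS's ticket format
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

class ToyTicketServer:
    """Hypothetical backend that seals session state into tickets under a ticket key."""

    def __init__(self, random_key_at_start):
        self.random_key_at_start = random_key_at_start
        self.restart()

    def restart(self):
        # Correct behaviour: every start draws a fresh random key, so old tickets die.
        self.key = os.urandom(32) if self.random_key_at_start else FIXED_KEY

    def rotate(self):
        # Scheduled rotation installs a random key in both variants.
        self.key = os.urandom(32)

    def issue(self, state):
        nonce = os.urandom(16)
        body = _xor(state, _keystream(self.key, nonce, len(state)))
        tag = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def resume(self, ticket):
        nonce, body, tag = ticket[:16], ticket[16:-32], ticket[-32:]
        expected = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # ticket rejected: client falls back to a full handshake
        return _xor(body, _keystream(self.key, nonce, len(body)))

def ticket_survives_restart(server, rotate_first=False):
    """Regression check: a ticket issued before a restart must NOT resume after it."""
    if rotate_first:
        server.rotate()
    ticket = server.issue(b"constructed-session-state")
    server.restart()
    return server.resume(ticket) is not None
```

A `True` result from `ticket_survives_restart` is the failure signal: it corresponds to the frontend still resuming a session after the backend restart. Passing `rotate_first=True` reproduces the article's point that tickets issued after the first key rotation are protected until the next restart.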