Researchers consult the Oracle

Some popular websites are still relying on obsolete cryptographic algorithms, leaving them vulnerable to attack as a result.

A scan by a team of researchers found a surprising number of high-profile sites were vulnerable to Cipher Block Chaining (CBC) Padding Oracle attacks. These attacks allow an adversary to decrypt TLS traffic by observing different server behaviors which depend on the validity of CBC padding.

An analysis of Alexa Top Million websites for CBC Padding Oracle vulnerabilities in Transport Layer Security (TLS) implementations revealed vulnerabilities in 1.83% of the sample. There was no one consistent factor, with the researchers identifying almost 100 different vulnerabilities during the exercise.

The researchers – Robert Merget, Juraj Somorovsky, Nimrod Aviram, Craig Young, Janis Fliegenschmidt, Jörg Schwenk, Yuval Shavitt – have put together a paper on their research, entitled ‘Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities’.

The full paper will be presented at the USENIX Security conference in August 2019.

The disclosure process is still running with a handful of vendors, so the full list of runners and riders is being withheld. Pending full disclosure, the research team revealed their preliminary findings this week, with examples of the type of problems they had uncovered.

Use of the CBC mode of operation in some crypto implementations was a particular problem. Some vendors are considering whether they need to disable or even completely remove CBC cipher suites from their products.

Site admins need to apply security patches to defend their systems. Citrix has released a patch for CVE-2019-6485 and OpenSSL for CVE-2019-1559.

Left unresolved, the OpenSSL issue, for example, would have the following practical effects:

Hosts affected by this vulnerability immediately respond to most records with BAD_RECORD_MAC and CLOSE_NOTIFY alerts, and then close the connection. However, if the hosts encounter a zero-length record with valid padding and a MAC present, they do not immediately close the TCP connection, regardless of the validity of the MAC.
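The general shape of the problem these findings describe, as an added illustration that is not code from the paper or from OpenSSL: a TLS 1.2 CBC record is decrypted to content || MAC || padding || padding_length, and a receiver that checks the padding first, skips the MAC when the padding is bad, and reports the two failures differently gives an observer a padding oracle. The hardened version follows the RFC 5246 section 6.2.3.2 advice (no early exit, always compute a MAC, one uniform error). The MAC key and record content are constructed sample values; AES decryption is omitted because the oracle lives in the post-decryption checks.

```python
import hmac
import hashlib

MAC_LEN = 20                  # HMAC-SHA1, the MAC of the classic TLS 1.x CBC suites
HDR_TYPE_VERSION = b"\x17\x03\x03"  # application_data, TLS 1.2

def _mac(mac_key: bytes, seq: int, content: bytes) -> bytes:
    """TLS 1.2 record MAC: HMAC over seq_num || type || version || length || content."""
    hdr = seq.to_bytes(8, "big") + HDR_TYPE_VERSION + len(content).to_bytes(2, "big")
    return hmac.new(mac_key, hdr + content, hashlib.sha1).digest()

def build_record(mac_key: bytes, content: bytes, seq: int = 0, block: int = 16) -> bytes:
    """Constructed helper: the decrypted form of a TLS 1.2 CBC record,
    content || MAC || padding || padding_length, padded to the block size."""
    body = content + _mac(mac_key, seq, content)
    pad_len = (block - (len(body) + 1) % block) % block
    return body + bytes([pad_len]) * (pad_len + 1)

def verify_naive(mac_key: bytes, plaintext: bytes, seq: int = 0) -> str:
    """Vulnerable pattern: padding checked first, MAC skipped when padding is bad,
    and the two failures are distinguishable (a padding oracle)."""
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext) - MAC_LEN:
        return "bad_padding"                      # distinguishable failure 1
    if any(b != pad_len for b in plaintext[-(pad_len + 1):]):
        return "bad_padding"
    body = plaintext[:-(pad_len + 1)]
    content, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(mac_key, seq, content)):
        return "bad_mac"                          # distinguishable failure 2
    return "ok"

def verify_uniform(mac_key: bytes, plaintext: bytes, seq: int = 0) -> str:
    """Hardened structure per RFC 5246 6.2.3.2: scan all padding bytes without an
    early exit, always compute a MAC (over a zero-length pad if padding is invalid),
    and collapse both failures into the single bad_record_mac outcome. Python gives
    no constant-time guarantee; this shows the control-flow shape, not timing safety."""
    pad_len = plaintext[-1]
    pad_ok = pad_len + 1 <= len(plaintext) - MAC_LEN
    tail = plaintext[-(pad_len + 1):] if pad_ok else plaintext[-1:]
    bad = 0
    for b in tail:                                # visit every byte, never break
        bad |= b ^ pad_len
    pad_ok = pad_ok and bad == 0
    strip = pad_len + 1 if pad_ok else 1          # assume a zero-length pad on failure
    body = plaintext[:-strip]
    content, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(mac, _mac(mac_key, seq, content))
    return "ok" if (pad_ok and mac_ok) else "bad_record_mac"
```

Tampering with the last byte (padding) and with a content byte (MAC) yields two different results from verify_naive but the same single result from verify_uniform, which is exactly the distinction a scanner such as the one in the paper looks for.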

Unresolved server-side vulnerabilities leave sites open to attacks similar to earlier issues like BEAST and POODLE. Site owners need to update their systems, since the security risk is present even for consumers visiting sites from fully patched client systems.

BEAST (Browser Exploit Against SSL/TLS) is a class of Cipher Block Chaining (CBC) vulnerability in TLS 1.0 that was first uncovered in 2011.

The POODLE attack – Padding Oracle On Downgraded Legacy Encryption – is a man-in-the-middle exploit that works by forcing systems running versions of TLS to fall back into using SSL 3.0, a legacy crypto technology that's feasible for modern computers to crack. The vulnerability was announced in October 2014.

Even though exploitation is fairly difficult, the researchers advised: “If you use one of the above implementations, you should still make sure you have patched.”

Merget told The Daily Swig that the volume of problems that researchers had uncovered didn't come as any particular surprise.

“Since CBC code is so hard to write and maintain it is unsurprising that these vulnerabilities pop up from time to time,” Merget explained. “Those ~100 vulnerabilities basically represent this fact. This is related to all previous TLS-Poodle variants.”

“Most servers have the same few vulnerabilities, but there are a lot [of] vulnerabilities which are just exhibited by individual servers. If you would remeasure in the upcoming weeks you would probably get way lower numbers.”

The analysis by Merget’s team looks into the issue in greater depth than previous work in this area, he added.

“Usually people did not evaluate padding oracles in such depth. For example, SSL Labs only checks for CVE-2016-2107 and 'some' TLS-Poodle variants,” he said. “We tried to create a clean evaluation which covers most of the different aspects and grouped distinct server behavior.”