Impact
An erlang TLS server configured with cipher suites using rsa key exchange, may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server’s private key itself. CVE-2017-1000385
Exploiting this vulnerability to perform plaintext recovery of encrypted messages will, in most practical cases, allow an attacker to read the plaintext only after the session has completed. Only TLS sessions established using RSA key exchange are vulnerable to this attack.
Exploiting this vulnerability to conduct a MiTM attack requires the attacker to complete the initial attack, which may require thousands of server requests, during the handshake phase of the targeted session within the window of the configured handshake timeout. This attack may be conducted against any TLS session using RSA signatures, but only if cipher suites using RSA key exchange are also enabled on the server. The limited window of opportunity, limitations in bandwidth, and latency make this attack significantly more difficult to execute.
RSA key exchange is enabled by default although least prioritized if server order is honored. For such a cipher suite to be chosen it must also be supported by the client and probably the only shared cipher suite.
Captured TLS sessions encrypted with ephemeral cipher suites (DHE or ECDHE) are not at risk for subsequent decryption due to this vulnerability.
Workarounds
As a workaround if default cipher suite configuration was used you can configure the server to not use vulnerable suites with the ciphers option like this:
{ciphers, [Suite || Suite <- ssl:cipher_suites(), element(1,Suite) =/= rsa]}
that is your code will look somethingh like this:
ssl:listen(Port, [{ciphers, [Suite || Suite <- ssl:cipher_suites(), element(1,S) =/= rsa]} | Options]).
Affected/Unaffected Versions
A version larger than or equal to one of the listed patched versions is unaffected; otherwise, a version that satisfies an expression listed under affected versions is affected, and if it does not, it is unaffected.
The documentation of the new OTP version scheme describes how versions should be compared. Note that versions used prior to OTP 17.0, when the new OTP version scheme was introduced, are never listed since it is not well defined how to compare those versions.
In the case of this vulnerability, versions prior to OTP 17.0 are likely also affected. <ADD THIS LINE IF, AND ONLY IF, VERSIONS USED PRIOR TO OTP 17.0 MIGHT BE AFFECTED>
Credits
Thanks to Hanno Böck, Juraj Somorovsky and Craig Young for reporting this vulnerability.
Impact
An erlang TLS server configured with cipher suites using rsa key exchange, may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server’s private key itself. CVE-2017-1000385
Exploiting this vulnerability to perform plaintext recovery of encrypted messages will, in most practical cases, allow an attacker to read the plaintext only after the session has completed. Only TLS sessions established using RSA key exchange are vulnerable to this attack.
Exploiting this vulnerability to conduct a MiTM attack requires the attacker to complete the initial attack, which may require thousands of server requests, during the handshake phase of the targeted session within the window of the configured handshake timeout. This attack may be conducted against any TLS session using RSA signatures, but only if cipher suites using RSA key exchange are also enabled on the server. The limited window of opportunity, limitations in bandwidth, and latency make this attack significantly more difficult to execute.
RSA key exchange is enabled by default although least prioritized if server order is honored. For such a cipher suite to be chosen it must also be supported by the client and probably the only shared cipher suite.
Captured TLS sessions encrypted with ephemeral cipher suites (DHE or ECDHE) are not at risk for subsequent decryption due to this vulnerability.
Workarounds
As a workaround if default cipher suite configuration was used you can configure the server to not use vulnerable suites with the ciphers option like this:
{ciphers, [Suite || Suite <- ssl:cipher_suites(), element(1,Suite) =/= rsa]}
that is your code will look somethingh like this:
ssl:listen(Port, [{ciphers, [Suite || Suite <- ssl:cipher_suites(), element(1,S) =/= rsa]} | Options]).
Affected/Unaffected Versions
A version larger than or equal to one of the listed patched versions is unaffected; otherwise, a version that satisfies an expression listed under affected versions is affected, and if it does not, it is unaffected.
The documentation of the new OTP version scheme describes how versions should be compared. Note that versions used prior to OTP 17.0, when the new OTP version scheme was introduced, are never listed since it is not well defined how to compare those versions.
In the case of this vulnerability, versions prior to OTP 17.0 are likely also affected. <ADD THIS LINE IF, AND ONLY IF, VERSIONS USED PRIOR TO OTP 17.0 MIGHT BE AFFECTED>
Credits
Thanks to Hanno Böck, Juraj Somorovsky and Craig Young for reporting this vulnerability.