Rule #2 of Zombie Protocol Land: The Double Tap
This is a repost from my previous blog, written on March 5, 2015.
As a young security professional, I've always been aware of SSL's status as a legacy protocol. TLS was proposed as a replacement before I entered high school. For me, it was little surprise that in mid-2014 a Padding Oracle On Downgraded Legacy Encryption vulnerability surfaced. Better known as POODLE, this vulnerability dealt a death blow to SSL, and it wasn't long before TLS felt its sting. The removal of SSL from environments has been reluctantly accepted by most systems administrators. TLS, on the other hand, survived, now under the scrutiny of nervous security professionals. Businesses needed to know whether TLS was strong enough to meet compliance needs and lower risk. Systems administrators wanted to know how hard a replacement would be to implement.
Risk
Industry-standard security models used in enterprise environments are often modeled after an onion. This onion is composed of layers of security technologies working together to protect the whole. TLS provides identity validation and transport protection for data as it moves through the internet. This limits the risk created by POODLE to man-in-the-middle attacks or eavesdropping.
A successful attack using the POODLE vulnerability allows an attacker to bypass the encryption provided by TLS. Sensitive data captured by an attacker can be read in plaintext and even altered without alerting the victims. The attack can be performed on any captured or replayed data collected by an attacker. Local networks are the more common setting for this vulnerability.
You can't patch a protocol, but you can update it
SSL and TLS are IETF protocols that provide a framework for building interoperable applications with transport-layer security. When developers write software, these protocols dictate the input and output that a different platform will provide or require.
The RFCs that define SSL and TLS also define cipher suites. A cipher suite is a mathematical model used by the protocol to convert data between encrypted and plaintext form. The major component for defining encryption in a cipher suite is the encryption mode. SSL and TLS each provide similar definitions for Cipher Block Chaining (CBC) encryption modes. POODLE specifically exploits functionality implemented improperly in the SSL definition of this encryption mode. In TLS, CBC is expanded with controls to prevent exploitation of this functionality.
So what is a padding oracle attack anyway?
CBC encryption as defined by SSL (RFC 6101) encrypts data by separating a message into blocks of equal size and performing chained encryption that is not covered by the MAC. The length value of the padding is added to the end of the plaintext as padding. To encrypt a plaintext message, CBC uses the plaintext value from the end of the previous block to encrypt the block with an XOR operation.
The initialization vector is the backbone of the cipher; all an attacker needs in order to strip the encryption from a whole message is to guess the XOR result from the preceding block. This can then be used as a padding oracle to strip the encryption from every following block.
TLS makes this a little harder by separating the padding at the end of the message and placing it at the end of each block. As defined in RFC 5246, the amount of padding added to the block is a multiple of the plaintext message's length. This makes it harder to know which piece of the block is used as the initialization vector for the next block.
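As an added illustration (not code from the original post), the following Python script contrasts the two padding rules the text is pointing at: SSL 3.0 (RFC 6101) checks only the final padding-length byte and leaves the other padding bytes unchecked, while TLS (RFC 2246 onward, RFC 5246 today) requires every padding byte to carry the padding length. The block cipher is a constructed toy Feistel permutation standing in for AES, the MAC is left out so that only the padding check is exercised, and the key, IV and message are constructed sample values. The script alters the last byte of the next-to-last ciphertext block in all 256 possible ways, which, because of CBC chaining, flips the same bits in the decrypted final block, and counts how many altered records each check accepts. Under the SSL 3.0 rule 16 of the 256 records pass, so the accept/reject answer tells an observer something about the decrypted byte; under the TLS rule only two pass (the untouched record and the one whose last byte became zero).

```python
import hashlib

BLOCK = 16  # block size in bytes of the constructed toy cipher (same as AES)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    # Round function of the toy cipher: keyed SHA-256, truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key, block):
    """Constructed 4-round Feistel permutation used in place of a real block
    cipher.  It is invertible, which is all CBC chaining needs; it is NOT secure."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def toy_decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def cbc_encrypt(key, iv, plain):
    out, prev = b"", iv
    for i in range(0, len(plain), BLOCK):
        prev = toy_encrypt_block(key, _xor(plain[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, cipher):
    out, prev = b"", iv
    for i in range(0, len(cipher), BLOCK):
        blk = cipher[i:i + BLOCK]
        out += _xor(toy_decrypt_block(key, blk), prev)  # P[i] = D(C[i]) xor C[i-1]
        prev = blk
    return out


def pad_ssl3(data):
    # SSL 3.0 (RFC 6101): filler bytes are arbitrary (0xAA here); only the
    # final byte, the padding length not counting itself, carries meaning.
    n = BLOCK - 1 - (len(data) % BLOCK)
    return data + b"\xaa" * n + bytes([n])


def pad_tls(data):
    # TLS (RFC 5246): every padding byte, the length byte included, equals n.
    n = BLOCK - 1 - (len(data) % BLOCK)
    return data + bytes([n]) * (n + 1)


def padding_ok_ssl3(plain):
    # SSL 3.0 receiver: the length byte must be smaller than the block size;
    # the padding bytes themselves are never examined.
    n = plain[-1]
    return n < BLOCK and n + 1 <= len(plain)


def padding_ok_tls(plain):
    # TLS receiver: all n+1 padding bytes must equal n.
    n = plain[-1]
    return n + 1 <= len(plain) and all(b == n for b in plain[-(n + 1):])


def count_accepted(padding_ok, padder, key, iv, msg):
    """Alter the last byte of the next-to-last ciphertext block in all 256 ways
    and return how many of the altered records the given padding check accepts.
    Changing C[n-1] flips the same bits in the decrypted last block P[n]."""
    cipher = cbc_encrypt(key, iv, padder(msg))
    pos = len(cipher) - BLOCK - 1
    accepted = 0
    for delta in range(256):
        tampered = cipher[:pos] + bytes([cipher[pos] ^ delta]) + cipher[pos + 1:]
        if padding_ok(cbc_decrypt(key, iv, tampered)):
            accepted += 1
    return accepted


if __name__ == "__main__":
    KEY, IV = b"constructed-demo-key", bytes(range(16))        # constructed sample values
    MSG = b"GET /account HTTP/1.1 sessionid=ABC"               # constructed 35-byte record
    print("SSL 3.0-style padding check accepted",
          count_accepted(padding_ok_ssl3, pad_ssl3, KEY, IV, MSG), "of 256 altered records")
    print("TLS-style padding check accepted",
          count_accepted(padding_ok_tls, pad_tls, KEY, IV, MSG), "of 256 altered records")
```

The message length is chosen so that the record needs three blocks and a non-zero padding length; the counts depend only on the padding rules, not on the toy cipher, because XOR-ing a byte of C[n-1] walks the corresponding plaintext byte through all 256 values. In a real implementation the MAC check that follows the padding check also has to run in constant time, otherwise a timing difference can recreate the same oracle.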
If TLS is not vulnerable then why was it affected?
Aside from the expanded CBC protections, TLS also has added functionality that allows it to operate alongside the older SSL protocols. When TLS was released, older browsers didn't support it. This required TLS software to perform SSL functionality as needed for backward compatibility. In fact, only very recently have browsers had support enabled by default.
To aid the migration to the TLS protocol, the majority of the TLS definitions were copied from SSL and expanded on. However, some of the changes made were enough that the protocol was no longer compatible with SSL. The "On Downgraded Legacy Encryption" part of the attack comes from this final addition to the first version of TLS, made for compatibility: TLS version one states that if the browser doesn't specify the use of TLS, SSL is used. This allows servers to run both TLS and SSL services on the same port without conflicts or stability issues.
POODLE is an attack on outdated SSL ciphers that leverages functionality in TLS designed to ease the transition to the new protocol. Once SSL is removed from an environment, TLS is forced to use the TLS-defined cipher suites.
While SSL has other issues, the CBC issue could be remediated by removing the CBC ciphers. This would force SSL to use the RC4 stream cipher suites. Unfortunately, TLS doesn't handle RC4 stream ciphers properly, leaving any server that disables the CBC ciphers in SSL vulnerable to a similar attack on TLS.
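As an added example (not a configuration from the original post), here is how the remediation the text describes looks at the configuration layer in Python's standard ssl module: a server context that refuses SSL 3.0 together with TLS 1.0 and 1.1 by setting a minimum protocol version, and that offers AEAD cipher suites only, so neither a CBC-mode suite nor an RC4 suite can ever be negotiated. The OpenSSL cipher string and the two checker functions are my choices for this example, not settings taken from the post.

```python
import ssl

# OpenSSL cipher string chosen for this example: ECDHE key exchange with AEAD
# bulk ciphers only (AES-GCM, ChaCha20-Poly1305), so no CBC and no RC4 suites.
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20"


def hardened_server_context():
    """Server context that cannot fall back to SSL 3.0 (POODLE) or to TLS 1.0/1.1
    and that never offers a CBC-mode or RC4 cipher suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(AEAD_ONLY)
    return ctx


def legacy_protocols_refused(ctx):
    """True when the context will not negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def weak_suites_absent(ctx):
    """True when every suite the context offers is an AEAD suite, i.e. no
    CBC-mode (padding oracle) and no RC4 suite remains in the offer."""
    return all(c["aead"] for c in ctx.get_ciphers())


def offered_suite_names(ctx):
    """Names of the suites the context would offer, for review or logging."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("minimum protocol version:", ctx.minimum_version.name)
    print("legacy protocols refused:", legacy_protocols_refused(ctx))
    print("CBC/RC4 suites absent:   ", weak_suites_absent(ctx))
    for name in offered_suite_names(ctx):
        print("  offers", name)
```

The same two checks can be run against any context an application builds, which is a cheap unit test to keep a deployment from quietly regaining a legacy protocol or cipher suite after a library or distribution update.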
The double-tap
In October of 2014 SSL lay dead, and most businesses had finished removing SSL from vulnerable web servers. Then Brian Smith stumbled upon the corpse of SSL hiding in TLS. It is said the first rule of cryptography is don't write your own, and the second rule, of course, is don't write your own. That rule does not apply to the authors of cryptography software, however, as they have to write the functionality. Unfortunately, TLS was ported from SSL, and some of the functionality that had been found to be weak was not properly expanded on when it was ported.
Many manufacturers of TLS software were quick to add in the missing functionality. Windows libraries were found not to be vulnerable, as the binaries were either outdated or built correctly by Microsoft. This finding mainly affected Linux servers, and many security vendors released custom patches while waiting on the distribution updates.
How to avoid this in the future
POODLE provided an example of the danger that outdated protocols and legacy software pose to an environment. TLS had been available for 15 years before it finally replaced SSL. Reluctance to remove support for outdated software was a major factor in SSL's length of service. The lesson that should be learned is the importance of staying updated and current with software and protocols. It should also be pointed out that SSL should have been deprecated much earlier.
The poor porting of TLS from SSL exposed the difficulty of porting code while also performing all the changes the new spec requires. "If it fits, it ships" is a common phrase in development; in this case the product fit the mold, it just wasn't the right size.
Simply stated: update early, update often, and code review, code review, code review.