Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/26/2015
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

SSL/TLS Suffers 'Bar Mitzvah Attack'

Researcher at Black Hat Asia shows how attackers could abuse a known-weak crypto algorithm to steal credentials and other data from encrypted communications.

SSL/TLS encryption once again is being haunted by an outdated and weak feature long past its prime:  a newly discovered attack exploits a weakness in the older, less secure RC4 encryption algorithm option in SSL/TLS that's still supported in many browsers and servers.

Itsik Mantin, director of security research with Imperva, at Black Hat Asia in Singapore today will detail how an attacker could sniff credentials and other information during an SSL session in an attack he named the "Bar Mitzvah Attack" after 13-year-old weaknesses in the algorithm it abuses. The attack is a glaring reminder that the RC4 algorithm, long known to be breakable, should be put to rest once and for all, according to Mantin.

Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, Mantin says. But MITM could be used as well, though, for hijacking a session, he says.

Using a sniffer, the attacker can passively spy on the SSL sessions of a targeted organization, for instance, or an application. He then can ferret out the keys being used in the encrypted session of a user logging on to his Facebook account, or a ecommerce transaction. The attacker sees "parts of the encrypted message" that can be used to wage an attack, Mantin says. "He can recover part of the random key stored in plain text … and recover parts of the plain text" prior to its being encrypted, he says. "When a weak key is used, part of the plain text can be recovered from the cipher text."

It's basically an algorithm problem, according to Mantin, who notes that most browsers still include support for RC4 and more than half of servers support it. He says some 30% of TLS sessions still use RC4, which for more than a decade has been superseded by the stronger AES algorithm.

Client machines and servers running SSL/TLS negotiate which algorithm to use for encrypted sessions, he explains. "Today, many still have RC4 in this negotiation process," he says. RC4 in some cases gets selected for performance reasons, he says.

The result: if RC4 is an option and gets selected, an attacker can potentially wage the Bar Mitzvah Attack.

But don't panic: Mantin says it's not an imminent threat per se, and fixing it merely requires removing the RC4 algorithm from the mix.

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

This isn't the first attack demonstrating RC4's woes:  in 2013, researchers Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt, showed how RC4 is basically broken.  "RC4 has been known to be weak for quite many years," says Mantin, who notes that the main difference with his attack and previous RC4 research is that his focuses on the use of the class of weak keys used by RC4.

He says while there's been a gradual trend to phase out RC4 altogether, the process has dragged on.

RC4's troubles have long been in the spotlight, he says, which is frustrating. "This is very odd to me. These things were known in the crypto community for more than a decade, old vulnerabilities in RC4 and in some sense, (they) were ignored by the security industry," Mantin says. 

Outdated Features Add Risk

The Bar Mitzvah Attack is yet another in a series of vulnerabilities in SSL/TLS encryption exposed over the past year due to old, outdated options in the encryption implementation. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, for example, allowed an attacker to downgrade to the older, less secure SSL Version 3 encryption standard.

More recently, some SSL/TLS client and server implementations were found vulnerable to being forced to employ the weak, old-school 512-bit encryption option long abandoned as easily cracked. Some one-fourth of SSL-encrypted websites were found to be potentially vulnerable to the so-called Factoring RSA Export Keys (FREAK) attack, including FBI.gov and Whitehouse.gov. Microsoft Windows also was found vulnerable to FREAK, and since has been patched for the flaw.

Meanwhile, the Internet Engineering Task (IETF) is well aware of the problem of too many options in the crypto standards, so the new version of TLS currently under development, TLS 1.3, trims the fat in the specification, eliminating older encryption algorithms and other outdated features.

Mantin has now published a white paper with technical details of the attack, available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SgS125
50%
50%
SgS125,
User Rank: Ninja
3/30/2015 | 9:58:24 AM
RC4
It is easy to not use it.

You simply remove it as an option from your list of availeable cyphers.

The troubling part is that to exploit alot of these weakneses in the past you would have been a nation state player or had access to MITM data points.  Now you just need access to the data stream and some gear to do some computing.  So as the playing field levels down to the criminals ability to have nation state capabilities we finally decide we have to fix the problem so we don't get robbed and lose some real money.

 

Sadly we did not care if we were spied on, now we care that we can be robbed.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
3/27/2015 | 2:04:44 PM
Re: Legacy Uses?
What's most interesting here is how these outdated -- and weak -- options continue to be included in SSL/TLS implementations. There may be a legacy or backwards-compatibility reason, but the bottom line is that it leaves users and companies vulnerable. The good news is the next version of TLS aims to be a leaner, meaner spec that doesn't carry this type of baggage. Of course, in the meantime, older versions remain vulnerable. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/27/2015 | 1:52:34 PM
Legacy Uses?
What still uses RC4 (business case)? If its no longer needed I don't see why an update shouldn't be sought out to remove it?
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.