Newly Published Raccoon Attack Could Be Used To Do Man-In-The-Middle Attacks on TLS Connections Against Rare Servers
A really scary Diffie-Hellman key exchange (DHKE) attack dubbed "Raccoon" could be used to perform a man in the middle attack and eavesdrop on TLS connections on web servers nobody bothered to update in over a decade. One in 100000 Internet-facing servers are vulnerable. The OpenSSL team has rated the vulnerability as "low" severity.
A long 18 pages long and very detailed research paper titled "Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)" (RacoonAttack.pdf) published yesterday describes a method of computing the pre-master secret in TLS connections using the Diffie-Hellman (DH) ciphersuite for key exchange if, and only if, the DH secret is re-used between connections. This gaping security hole is assigned CVE number CVE-2020-1968
Anything using the OpenSSL library, which is used by virtually all free software making TLS connections, including web servers like the one serving this website, is totally vulnerable to this key exchange exploit if OpenSSL versions up to and including OpenSSL 1.0.2u are used and the application employs the really weak and wildly outdated static Diffie-Hellman ciphers.
"To estimate the impact of the vulnerability on currently de-ployed servers, we conducted a scan among the Alexa Top-100k on port 443. We evaluated how common static-DHcipher suites are by trying to negotiate them.
Only a single server advertised support for static-DH cipher suites."
Servers using OpenSSL versions prior to 1.0.2f are also vulnerable.
OpenSSL 1.1.x will never reuse DH secrets regardless of what cipher is used. OpenSSL 1.0.2f and newer will re-use DH secrets if, and only if, a static DH ciphersuite is used (these are the ones starting with
TLS_DH_*). OpenSSL version 1.0.2e and below would reuse the Diffie-Hellman secret accross multiple TLS connections unless the
SSL_OP_SINGLE_DH_USE option was set. That option become default when OpenSSL 1.0.2f was released back in January 2016 due to CVE-2016-0701. 1.0.2u was the latest 1.0.2 release before the 1.0.x branch was discontinued. Thus, the servers vulnerable to this are:
- Servers using OpenSSL 1.0.2 and static Diffie-Hellman ciphers (those starting with
TLS_DH_, but not
- Servers using OpenSSL versions from before January 2016.
Most of the world moved on to using the Elliptic-curve Diffie–Hellman Ephemeral (ECDHE) key exchange protocol years ago so vulnerabilities in Diffie-Hellman (DH) ciphersuites in general are kind of a non-issue. If you run something like this against any server using HTTPS:
openssl s_client -showcerts -connect linuxreviews.org:443
then you will probably find that
ECDHE-RSA-AES256-GCM-SHA384 or another
ECDHE cipher is used. As a point of reference, Mozilla provides an excellent tool called "Mozilla SSL configuration Generator" for creating SSL/TLS configurations for a variety of web servers. Static DH ciphers are not even proposed if you select the "old" compatibility profile and older versions of OpenSSL and Apache.
Nothing has used
TLS_DHE_* ciphers for ages so the Raccoon attack is nothing to worry about unless you are using a 10 year old web server and/or a OpenSSL library released prior to 2016.
If you take security very seriously and you are using HTTPS to provide high-value services to clients and you haven't updated your server the last decade then.. perhaps it's time to check if software using the OpenSSL library is vulnerable to man-in-the-middle eavesdropping attacks using the Raccoon attack.