Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 84597 - OpenSSL CBC timing attack
Summary: OpenSSL CBC timing attack
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: openssl
Version: 2.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-02-19 13:25 UTC by Mark J. Cox
Modified: 2007-11-30 22:06 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-04-15 11:26:42 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2003:063 normal SHIPPED_LIVE Moderate: openssl security update 2003-02-19 05:00:00 UTC

Description Mark J. Cox 2003-02-19 13:25:42 UTC
In an upcoming paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and
Martin Vuagnoux describe and demonstrate a timing-based attack on CBC
ciphersuites in SSL and TLS. An active attacker may be able to use timing
observations to distinguish between two different error cases: cipher
padding errors and MAC verification errors. Over multiple connections this
can leak sufficient information to make it possible to retrieve the
plaintext of a common, fixed block.

In order for an attack to be sucessful, an attacker must be able to act as
a man-in-the-middle to intercept and modify multiple connections, which all
involve a common fixed plaintext block (such as a password), and have good
network conditions that allow small changes in timing to be reliably observed.

A patch is available from the OpenSSL project

Comment 1 Rich Graves 2003-02-20 03:51:26 UTC
I know you're going to want to backport the fix, but please please please
consider biting the bullet and figuring out how to just get to 0.9.6i. There
have been ***lots*** of not-as-security-critical bugs fixed between b and i. The
one biting me today is that the very cool http://www.washington.edu/pubcookie/
simply will not work on any RedHat system.

Comment 2 Greg Pyhl 2003-03-05 11:48:00 UTC
Could someone please provide some status update here? Other distributors have
released their updated openssl packages weeks ago. Is RHL vulnerable and if so,
when is the patch coming? Thanks.

Comment 3 Mark J. Cox 2003-03-05 11:56:47 UTC
We wanted to make sure that a fix for the critical sendmail vulnerability
would be available on Monday so we adjusted the priority of the OpenSSL errata
accordingly.  We are working on updated OpenSSL packages and will make them
available shortly.

Comment 4 Mark J. Cox 2003-03-06 15:15:28 UTC
Updated OpenSSL packages for Red Hat Linux are now available
http://rhn.redhat.com/errata/RHSA-2003-062.html

Leaving this bug open until packages for Red Hat Linux Advanced Server are also
pushed.

Comment 5 Mark J. Cox 2003-04-15 11:26:42 UTC
Was actually fixed some time ago, see latest OpenSSL advisory
http://rhn.redhat.com/errata/RHSA-2003-102.html


Note You need to log in before you can comment on or make changes to this bug.