{"id":11103,"date":"2018-01-12T16:40:06","date_gmt":"2018-01-13T00:40:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/12\/news-4874\/"},"modified":"2018-01-12T16:40:06","modified_gmt":"2018-01-13T00:40:06","slug":"news-4874","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/01\/12\/news-4874\/","title":{"rendered":"An Analysis of the OpenSSL SSL Handshake Error State Security Bypass (CVE-2017-3737)"},"content":{"rendered":"

Credit to Author: Dehui Yin| Date: Fri, 12 Jan 2018 11:39:59 +0000<\/strong><\/p>\n

\n

OpenSSL is a widely used library for SSL and TLS protocol implementation that secures data using encryption and decryption based on cryptographic functions. However, a Security Bypass<\/em> vulnerability – recently addressed in a patch<\/a> by the OpenSSL Project –can be exploited to make vulnerable SSL clients or remote SSL servers send clean application data without encryption.<\/p>\n

This Security Bypass <\/em>vulnerability (CVE-2017-3737) is caused by an error when the SSL_read or SSL_write function handles an "error state" during an SSL handshake. In this paper the FortiGuard Labs team examines the root cause of this vulnerability.<\/p>\n

The "error state" mechanism was introduced in OpenSSL beginning with version 1.0.2b, It is used to make OpenSSL move into an error state whenever a fatal error occurs during the SSL handshake that would fail if the SSL handshake continued. If SSL_read or SSL_write function is called directly, it checks the SSL handshake state and performs a new SSL handshake automatically if no handshake has been initiated. If a fatal error occurs during the SSL handshake, OpenSSL moves into the error state and returns an error message to the caller. However, the problem occurs if the caller doesn't check the error state and simply calls the SSL_read or SSL_write function again, because it then sends application data without encryption.   <\/p>\n

The following code snippet was taken from OpenSSL 1.0.2m. (Comments added by me have been highlighted.)<\/p>\n

ssl\/s3_pkt.c:<\/em><\/p>\n

638     int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)<\/em><\/p>\n

639     {<\/em><\/p>\n

640         const unsigned char *buf = buf_;<\/em><\/p>\n

641         int tot;<\/em><\/p>\n

642         unsigned int n, nw;<\/em><\/p>\n

643     #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK<\/em><\/p>\n

644         unsigned int max_send_fragment;<\/em><\/p>\n

645     #endif<\/em><\/p>\n

646         SSL3_BUFFER *wb = &(s->s3->wbuf);<\/em><\/p>\n

647         int i;<\/em><\/p>\n

648     <\/em><\/p>\n

649         s->rwstate = SSL_NOTHING;<\/em><\/p>\n

650         OPENSSL_assert(s->s3->wnum <= INT_MAX);<\/em><\/p>\n

651         tot = s->s3->wnum;<\/em><\/p>\n

652         s->s3->wnum = 0;<\/em><\/p>\n

653     <\/em><\/p>\n

654         if (SSL_in_init(s) && !s->in_handshake) { \/\/checks to see if the SSL handshake state is initiated. The state will be SSL_ST_INIT the first time.<\/em><\/p>\n

655             i = s->handshake_func(s);  \/\/performs a new SSL handshake if no handshake has been initiated.<\/em><\/p>\n

656             if (i < 0)<\/em><\/p>\n

657                 return (i);<\/em><\/p>\n

658             if (i == 0) {<\/em><\/p>\n

659                 SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);<\/em><\/p>\n

660                 return -1;<\/em><\/p>\n

661             }<\/em><\/p>\n

662         }<\/em><\/p>\n

ssl3_write_bytes() is called by the SSL_write function to send the application data. It checks the SSL handshake state and performs the SSL handshake if needed.<\/p>\n

ssl\/s3_clnt.c:<\/em><\/p>\n

898     int ssl3_get_server_hello(SSL *s)<\/em><\/p>\n

899     {<\/em><\/p>\n

900         STACK_OF(SSL_CIPHER) *sk;<\/em><\/p>\n

901         const SSL_CIPHER *c;<\/em><\/p>\n

902         CERT *ct = s->cert;<\/em><\/p>\n

903         unsigned char *p, *d;<\/em><\/p>\n

904         int i, al = SSL_AD_INTERNAL_ERROR, ok;<\/em><\/p>\n

….<\/em><\/p>\n

1077        if (i < 0) {<\/em><\/p>\n

1078            \/* we did not say we would use this cipher *\/<\/em><\/p>\n

1079            al = SSL_AD_ILLEGAL_PARAMETER;<\/em><\/p>\n

1080            SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED);<\/em><\/p>\n

1081            goto f_err;  \/\/a fatal error occurs<\/em><\/p>\n

1082        }<\/em><\/p>\n

….<\/em><\/p>\n

1170     f_err:<\/em><\/p>\n

1171        ssl3_send_alert(s, SSL3_AL_FATAL, al); \/\/sends an SSL alert packet<\/em><\/p>\n

1172     err:<\/em><\/p>\n

1173        s->state = SSL_ST_ERR; \/\/moves into an error state<\/em><\/p>\n

1174        return (-1);<\/em><\/p>\n

1175    }<\/em><\/p>\n

We used a vulnerable SSL client as a target during the test. During the SSL handshake it received a malformed server hello message from the SSL server controlled by the attacker. ssl3_get_server_hello() is called to handle this server hello message and a fatal error occurs, causing OpenSSL to move into an error state by setting s->state from SSL_ST_INIT<\/em> to SSL_ST_ERR.<\/p>\n

ssl\/s3_pkt.c:<\/em><\/p>\n

638     int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)<\/em><\/p>\n

639     {<\/em><\/p>\n

640         const unsigned char *buf = buf_;<\/em><\/p>\n

641         int tot;<\/em><\/p>\n

642         unsigned int n, nw;<\/em><\/p>\n

643     #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK<\/em><\/p>\n

644         unsigned int max_send_fragment;<\/em><\/p>\n

645     #endif<\/em><\/p>\n

646         SSL3_BUFFER *wb = &(s->s3->wbuf);<\/em><\/p>\n

647         int i;<\/em><\/p>\n

648     <\/em><\/p>\n

649         s->rwstate = SSL_NOTHING;<\/em><\/p>\n

650         OPENSSL_assert(s->s3->wnum <= INT_MAX);<\/em><\/p>\n

651         tot = s->s3->wnum;<\/em><\/p>\n

652         s->s3->wnum = 0;<\/em><\/p>\n

653     <\/em><\/p>\n

654         if (SSL_in_init(s) && !s->in_handshake) { \/\/ SSL_in_init is called again to check the state<\/em><\/p>\n

If the vulnerable SSL client doesn't check the error state and call SSL_write function to send application data again, ssl3_write_bytes() is called and uses SSL_in_init() to check the handshake state again.<\/p>\n

include\/openssl\/ssl.h:<\/em><\/p>\n

1749    # define SSL_in_init(a)                  (SSL_state(a)&SSL_ST_INIT) \/\/s->state is now SSL_ST_ERR, and check returns are false.<\/em><\/p>\n

This time the check fails, the SSL handshake is bypassed  and the application data will be sent without encryption.<\/p>\n

 <\/p>\n

The following traffic dump shows how the clean application data is sent:<\/p>\n

 \"traffic\"<\/p>\n

 <\/p>\n

During this attack, the attacker entices the vulnerable SSL client to connect to a malicious SSL server. The SSL client may bypass the handshake process and send the application data without encryption. The SSL server may also have the same vulnerability if SSL_read or SSL_write function is called directly.<\/p>\n

NOTE: authentication is NOT required to exploit this vulnerability.<\/p>\n

 <\/p>\n

IPS Signature<\/h3>\n

FortiGuard released IPS signature OpenSSL.Handshake.Error.State.Security.Bypass to address this vulnerability.<\/p>\n

 <\/p>\n

Sign up for our weekly FortiGuard Labs intel briefs<\/a> or to be a part of our open beta<\/a> of Fortinet’s FortiGuard Threat Intelligence Service.<\/i><\/p>\n<\/div
https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Dehui Yin| Date: Fri, 12 Jan 2018 11:39:59 +0000<\/strong><\/p>\n

OpenSSL is a widely used library for SSL and TLS protocol implementation that secures data using encryption and decryption based on cryptographic functions. However, a Security Bypass vulnerability \u2013 recently addressed in a patch by the OpenSSL Project \u2013can be exploited to make vulnerable SSL clients or remote SSL servers send clean application data without encryption. This Security Bypass vulnerability (CVE-2017-3737) is caused by an error when the SSL_read or SSL_write function handles an "error state" during an SSL handshake….<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-11103","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11103"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11103\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}