In cryptography, a padding oracle attack involves exploiting a vulnerability in the design or implementation of encryption protocols which allows an attacker to decrypt the data without the proper key. One such vulnerability is found in OpenSSL versions before .9.8s and 1..f – specifically in their implementation of Datagram Transport Layer Security (DTLS).
This post will dive into the details of this vulnerability, CVE-2011-4108, and explain how attackers might exploit it. We'll look at code snippets, discuss the original references, and give an overview of the exploit process.
Vulnerability Details
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols for securing communications over a network. Datagram Transport Layer Security (DTLS) is a variation of TLS that works with connectionless datagram protocols like the User Datagram Protocol (UDP).
The vulnerability in OpenSSL, as described in CVE-2011-4108, is within the DTLS implementation. The issue is that OpenSSL performs a Message Authentication Code (MAC) check only if specific padding is valid, thereby making it easier for remote attackers to recover plaintext data via a padding oracle attack. Essentially, the attacker can decrypt and modify encrypted data without the proper key, compromising its confidentiality and integrity.
Code Snippet
The problematic code is found in the 'ssl3_get_record()' function in the OpenSSL source file 'ssl\s3_pkt.c'. Here's the relevant part of the function:
...
if (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
rr->rlen = s->method->ssl3_enc->mac(s,&(tmp[rec_len+SHA_DIGEST_LENGTH]),);
else if (s->read_hash)
{
/* Check if we have a padding length */
pad = tmp[rec_len];
...
The code above checks for a valid padding length only if the record is of type 'SSL3_RT_HANDSHAKE' or 'SSL3_RT_CHANGE_CIPHER_SPEC'. This condition allows specific padding to be bypassed, enabling remote attackers to carry out the padding oracle attack.
Original References
This vulnerability was initially reported by Nadhem AlFardan and Kenny Paterson from the Information Security Group at Royal Holloway, University of London. Their original paper, titled "Lucky Thirteen: Breaking the TLS and DTLS Record Protocols," provides a comprehensive look at the attack and can be found in this link: https://www.isg.rhul.ac.uk/tls/TLStiming.pdf
Exploit Details
A padding oracle attack is considered a "chosen ciphertext" attack: the attacker chooses the encrypted data they will attempt to decrypt. The attacker sends altered versions of this encrypted data to the target, who then decrypts it using their secret key.
The target decrypts the packet using their secret key and checks the padding.
4. The target's response to the altered packet provides information about the padding, which the attacker can use to decrypt the original packet.
By repeatedly sending altered packets and observing the target's responses, the attacker can eventually recover the original plaintext data. This attack can be carried out without the attacker having to know the secret key used for encryption.
Conclusion
CVE-2011-4108 highlights the importance of thoroughly examining implementations of cryptography protocols. Companies and developers who used OpenSSL versions before .9.8s and 1..f should update their installations to the latest and most secure versions.
While the padding oracle attack requires a sophisticated attacker and does not guarantee complete decryption, it is still a critical vulnerability that should be taken seriously. As the world becomes increasingly connected, it's worth remembering that vulnerabilities like these in widely-used software can have significant implications for the security and privacy of data.
Timeline
Published on: 01/06/2012 01:55:00 UTC
Last modified on: 02/17/2020 16:03:43 UTC