OpenSSL versions 0.9.6h and prior and 0.9.7 contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a repeated block of plaintext in multiple OpenSSL/TLS sessions occur. A crafted block of ciphertext can be repeatedly injected into each session, which will kill that session but may ultimately lead to the disclosure of the repeated plaintext block, resulting in a loss of confidentiality.

When encrypting a message in TLS/SSL using block ciphers in CBC mode, a Message Authentication Code (MAC) of the message is calculated. Then the string containing (message + MAC) is padded so that the length of (message + MAC + padding) is a mutiple of the block cipher input size (8 bytes is the usual value). The concatenated (message + MAC + padding + length) is then cut into blocks of length the input size of the block cipher and encrypted with your chained block cipher.

When the encrypted message is received, it is first decrypted back into (message + MAC + padding + length). The validity of the padding is verified against the length. If the padding is found not to be valid, a padding error is generated. Otherwise the MAC value is then checked. If the MAC is not valid, a MAC error is generated.

In cases where multiple SSL or TLS connections have a fixed plaintext block in common (passwords are a common example), a real-time attacker can inject crafted ciphertext blocks in place of legitimate blocks of plaintext. This will generate an error, but the attacker can clock the time until a response arrives and differentiate between two different types of error conditions, a MAC verification error or a chained block cipher padding error. Knowing the difference between these two errors allows for eventual determination of the plaintext.

OpenSSL versions since 0.9.6c supposedly treat block cipher padding errors like MAC verification errors during record decryption, but MAC verification was still skipped after detection of a padding error, which allowed the timing attack. To fix this information leak, OpenSSL 0.9.6i, 0.9.7a, and later versions perform a MAC computation even if incorrrect block cipher padding has been found, thereby evening out the processing time and minimizing the information leak.

Upgrade to version 0.9.6i or 0.9.7a or higher, as they has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): apply the vendor-supplied patch for versions 0.9.6e and later. Versions older than 0.9.6e must upgrade.

• ISS X-Force ID: 11369
• CVE ID: 2003-0078 (see also: NVD)
• Bugtraq ID: 6884
• Secunia Advisory ID: 8101
• Keyword: Canvel Hiltgen Omen Vuagnoux
• Vendor Specific Advisory URL: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:02.openssl.asc ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000570
  http://supportconnect.ca.com/sc/solcenter/sol_detail.jsp?aparno=QO58123&os=NT&returninput=0
  http://www.debian.org/security/2003/dsa-253
  http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:020
  http://www.openssl.org/news/secadv_20030219.txt
  http://www.suse.de/de/security/2003_011_openssl.html
  http://www.vmware.com/support/kb/enduser/std_adp.php?p_sid=dsxk*BWh&p_lva=&p_faqid=934
• Generic Informational URL: http://lasecwww.epfl.ch/memo_ssl.shtml
  http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Vau02a
• Generic Exploit URL: http://omen.vuagnoux.com/
• Vendor Specific News/Changelog Entry: http://www116.nortel.com/docs/bvdoc/alteon/ssl/iSD-SSL_3.1.6.14_README.pdf

• Serge Vaudenay - serge.vaudenayepfl.ch - EPFL