Vulnerability Note VU#144389


Vulnerability Note VU#144389

Khandelwal, Kushal

Hello Mozilla Team

We are using Mozilla NSS in our product for TLS 1.2 implementation. Recently our clients have enquired about vulnerability VU#144389 with the following description:

Summary: TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding

Link to vulnerability details:
https://www.kb.cert.org/vuls/id/144389


Is Mozilla code affected with this vulnerability?

Thanks
Kushal

_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

Re: Vulnerability Note VU#144389

J.C. Jones
Hi Kushal,

This side-channel, the Robot attack (https://robotattack.org/), wasn't
found to affect NSS.

Cheers,
J.C.

On Wed, Jan 17, 2018 at 5:36 AM, Khandelwal, Kushal <
[hidden email]> wrote:

>
> Hello Mozilla Team
>
> We are using Mozilla NSS in our product for TLS 1.2 implementation.
> Recently our clients have enquired about vulnerability VU#144389 with
> the following description:
>
> Summary: TLS implementations may disclose side channel information via
> discrepancies between valid and invalid PKCS#1 padding
>
> Link to vulnerability details:
> https://www.kb.cert.org/vuls/id/144389
>
>
> Is Mozilla code affected with this vulnerability?
>
> Thanks
> Kushal
>

Re: Vulnerability Note VU#144389

Hanno Böck
Hi,

On Wed, 17 Jan 2018 12:36:42 +0000
"Khandelwal, Kushal" <[hidden email]> wrote:

> Summary: TLS implementations may disclose side channel information
> via discrepancies between valid and invalid PKCS#1 padding
>
> Link to vulnerability details:
> https://www.kb.cert.org/vuls/id/144389
>
> Is Mozilla code affected with this vulnerability?

I'm the discoverer of this attack.

This is not straightforward to answer. ROBOT is a re-discovery of
so-called Bleichenbacher attacks. We only focussed on non-timing
variations of this vuln. NSS is not vulnerable to that.

However Bleichenbacher attacks are also possible with timing - and NSS
is vulnerable and this has been known for a long time, here's the bug
report:
https://bugzilla.mozilla.org/show_bug.cgi?id=577498

This is relatively complicated to exploit over a real network. Also I
should note that there's a related timing issue due to variable sized
bignums that affects practically every TLS implementation out there.

This all boils down to RSA encryption in PKCS #1 v1.5 being incredibly
fragile. Our recommendation when we disclosed ROBOT was to just turn
that off and always rely on forward secrecy-enabled ciphers.

--
Hanno Böck
https://hboeck.de/

mail/jabber: [hidden email]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
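Hanno's point is that the fragility sits in how an implementation reacts to a PKCS #1 v1.5 decryption failure. As an added illustration that is not NSS code and not from this thread, the block below puts the classic oracle-prone check beside the RFC 5246 section 7.4.7.1 style handling, which always produces a premaster secret and never branches on the padding result; `make_em` is an assumed helper that constructs test blocks.

```python
import secrets

PREMASTER_LEN = 48  # TLS premaster secret: 2 version bytes + 46 random bytes


def naive_unpad(em: bytes, client_version: bytes) -> bytes:
    """Vulnerable pattern: each check fails early with a distinct error, so a
    peer can learn which check failed from timing or alert type (padding oracle)."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad header")
    sep = em.find(b"\x00", 2)
    if sep < 10:
        raise ValueError("padding too short or no separator")
    pms = em[sep + 1:]
    if len(pms) != PREMASTER_LEN:
        raise ValueError("bad premaster length")
    if pms[:2] != client_version:
        raise ValueError("version mismatch")
    return pms


def hardened_unpad(em: bytes, client_version: bytes) -> bytes:
    """RFC 5246 7.4.7.1 style: always generate a random fallback, run every
    check unconditionally, and select the result with a mask instead of a
    branch, so valid and invalid blocks take the same path. (Python ints are
    not truly constant-time; this shows the structure, not a drop-in primitive.)"""
    if len(em) < 11 + PREMASTER_LEN:  # depends on key size only, not the message
        raise ValueError("RSA modulus too small for TLS")
    fallback = client_version + secrets.token_bytes(PREMASTER_LEN - 2)
    start = len(em) - PREMASTER_LEN          # separator position is fixed
    bad = em[0] | (em[1] ^ 0x02)             # 0x00 0x02 header
    for i in range(2, start - 1):            # every padding byte must be non-zero
        bad |= int(em[i] == 0)
    bad |= em[start - 1]                     # the single zero separator
    bad |= em[start] ^ client_version[0]     # version check folded in, not branched
    bad |= em[start + 1] ^ client_version[1]
    mask = ((bad | -bad) >> 63) & 0xFF       # 0xFF if any check failed, else 0x00
    return bytes((e & ~mask) | (f & mask) for e, f in zip(em[start:], fallback))


def make_em(pms: bytes, k: int) -> bytes:
    """Build a k-byte PKCS#1 v1.5 type-2 block around pms (constructed test input)."""
    pad = bytes(1 + secrets.randbelow(255) for _ in range(k - 3 - len(pms)))
    return b"\x00\x02" + pad + b"\x00" + pms
```

Even with this handling in place, the thread's recommendation stands: disabling static RSA key exchange removes the oracle entirely, while this code only narrows it.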