Hanno Böck
2018-09-15 14:07:58 UTC
One of the leftovers of our ROBOT/Bleichenbacher research was that we
discovered some inconsistencies in haskell-tls, however they only
appear in special situations (AES256-CBC modes) and not reliably.
I've been asked by the haskell-tls author to report it to the public
bug tracker, so I believe it's no longer secret.
https://github.com/vincenthz/hs-tls/issues/285
----------------------
Last year we published research that several TLS implementations were
still vulnerable to the classic "Bleichenbacher" attack from 1998 and
named it the ROBOT attack [1].
While analyzing several implementations we also figured out
inconsistencies with haskell-tls, but as we couldn't really make sense
of them we haven't analyzed them in more detail.
We observe that in some situations as a response to faulty RSA
encryption packages a haskell tls server will answer with an internal
server error instead of a bad_record_mac error. The behavior is
inconsistent, so we're not sure this can be turned into a practical
attack. Yet it's still definitely a bug and potentially a vulnerability.
This only happens with ciphers with AES256 and CBC mode. (Which is also
why our detection script and many other detection tools that are based
on it will not see it, as they often will just test with AES128.)
It was originally pointed out to us by Hubert Kario (he's the developer
of tls-fuzzer, which will show errors if you run its bleichenbacher
check [2] against a haskell tls server). Another tool that's capable of
detecting the error is TLS-Attacker, which is by one of ROBOT's
co-authors [3].
A test run would be something like this:
java -jar Attacks.jar -loglevel DEBUG bleichenbacher -connect [host]
-cipher TLS_RSA_WITH_AES_256_CBC_SHA
[1] https://robotattack.org/
[2]
https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-bleichenbacher-workaround.py
[3] https://github.com/RUB-NDS/TLS-Attacker
discovered some inconsistencies in haskell-tls, however they only
appear in special situations (AES256-CBC modes) and not reliably.
I've been asked by the haskell-tls author to report it to the public
bug tracker, so I believe it's no longer secret.
https://github.com/vincenthz/hs-tls/issues/285
----------------------
Last year we published research that several TLS implementations were
still vulnerable to the classic "Bleichenbacher" attack from 1998 and
named it the ROBOT attack [1].
While analyzing several implementations we also figured out
inconsistencies with haskell-tls, but as we couldn't really make sense
of them we haven't analyzed them in more detail.
We observe that in some situations as a response to faulty RSA
encryption packages a haskell tls server will answer with an internal
server error instead of a bad_record_mac error. The behavior is
inconsistent, so we're not sure this can be turned into a practical
attack. Yet it's still definitely a bug and potentially a vulnerability.
This only happens with ciphers with AES256 and CBC mode. (Which is also
why our detection script and many other detection tools that are based
on it will not see it, as they often will just test with AES128.)
It was originally pointed out to us by Hubert Kario (he's the developer
of tls-fuzzer, which will show errors if you run its bleichenbacher
check [2] against a haskell tls server). Another tool that's capable of
detecting the error is TLS-Attacker, which is by one of ROBOT's
co-authors [3].
A test run would be something like this:
java -jar Attacks.jar -loglevel DEBUG bleichenbacher -connect [host]
-cipher TLS_RSA_WITH_AES_256_CBC_SHA
[1] https://robotattack.org/
[2]
https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-bleichenbacher-workaround.py
[3] https://github.com/RUB-NDS/TLS-Attacker
--
Hanno Böck
https://hboeck.de/
mail/jabber: ***@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Hanno Böck
https://hboeck.de/
mail/jabber: ***@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42