Last update: Monday, 26 October 2016 14:00:00 +0800
CVE-2016-8610: SSL-Death-Alert
OpenSSL SSL/TLS SSL3_AL_WARNING undefined alert flood remote DoS
Overview
It was found that function "ssl3_read_bytes" in ssl/s3_pkt.c might lead to higher CPU usage due to improper handling of warning packets.
An attacker could repeat the undefined plaintext warning packets of "SSL3_AL_WARNING" during the handshake, which will cause a 100% CPU usage on the server.
It is an implementation problem in OpenSSL that OpenSSL would ignore undefined warning, and continue dealing with the remaining data(if exist).
So the attacker could pack multiple alerts inside a single record and send a large number of these large records.
Then the server will be fallen in a meaningless cycle, and not available to any others.
BTW, Huzaifa Sidhpurwala from the Red Hat Product Security Team was found that the same issue may also affect gnutls servers.
Countermeasures
You can apply software updates from each software vendors. Refer to the URLs below.
Patch link:
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=af58be768ebb690f78530f796e92b8ae5c9a4401
Problem
A. The attacker could send an excessively large overlapping alert packets (multiple alerts inside a single record) to cause a Denial of Service attack to the server.
Q. What is the impact of the vulnerability?
A. The vulnerability affects most versions of OpenSSL. Any ssl supported server which used OpenSSL may be influenced. Nginx in particularly could be easily made to deny service( e.g: Loopback , 1G NIC ).
Q. What versions of OpenSSL are affected?
A. Affected Versions:
- OpenSSL All 0.9.8
- OpenSSL All 1.0.1
- OpenSSL 1.0.2 through 1.0.2h
- OpenSSL 1.1.0
Not Affected Versions:
- OpenSSL 1.0.2i, 1.0.2j
- OpenSSL 1.1.0a, 1.1.0b
Q. How to prevent the attacks?
A. Upgrade to the latest version.
Q. Do I need to regenerate my private keys or certificates?
A. No. Attackers could not steal your private keys through this vulnerability.
Q. Is this because of an SSL/TLS specification defect?
A. It's not sure.
Q. What protocol versions are affected?
A. All versions (SSL3.0, TLS1.0, TLS1.1, TLS1.2) are affected.
Q. What encryption algorithms are affected?
A. All encryption algorithms are affected. This bug is not related to any specific algorithms.
Q. Can I be aware of this kind of attack when it is happening?
A. It's hard to say.
Q. How did you find this bug?
A. This bug was discovered by Shi Lei of the Gear Team, Information Security Department, Qihoo 360 Inc. while doing code review.
Huzaifa Sidhpurwala from the Red Hat Product Security Team was found the same issue also in gnutls servers.
Q. How did you handle this vulnerability?
A. We reported it to the official after we found this vulnerability, and they tell us they won't treat it as security issue.
Then we discuss with the Red Hat Product Security Team after the official release a fixed version.
References
You can use this logo under the terms of CC0. download logo in SVG format
Acknowledgements
- We were very grateful to Huzaifa Sidhpurwala from the Red Hat Product Security Team for his professional help.
- We were very grateful to the Red Hat Product Security Team and the OpenSSL Team for their help.
- We were very grateful to the Qihoo360 related teams for their help.
- We were very grateful to the CCS Injection team for sharing us their template.
Change History
- First Version: ( Monday, 24 October 2016 15:40:00 +0800)