FREAK – Factoring Attack on RSA
Vulnerability Notice
FREAK – Factoring Attack on RSA-Export Keys

Summary

Some implementations of SSL/TLS accept export-grade (512-bit or smaller) RSA keys even when not specifically requesting export-grade ciphers. An attacker able to act as a Man-in-the-Middle (MiTM) could factor weak temporary RSA keys, obtain session keys, and decrypt SSL/TLS traffic.

Background (From CVE Project)

CVE-2015-0204
Published: March 3, 2015
CVSS Severity: 5.0

Impact

Servers that accept RSA_EXPORT cipher suites put their users at risk from FREAK.

FREAK – Factoring Attack on RSA-Export Keys / Rev. 03, updated: 30-Mar-15
Owner: Serviceability    Effective Date: 20-Mar-15

Products Potentially Affected

The following is the vulnerability status of the software products supported by Extreme Networks for this issue:

Product                                            Vulnerability Status
ExtremeXOS (all products)                          Yes (See Impact Details)
A, B, C, D, G, I, and 800 Series Fixed Switches    No
ExtremeWare                                        Investigating
IDS/IPS                                            No
IdentiFi Wireless                                  Yes (See Impact Details)
NAC                                                Yes (See Impact Details)
NetSight                                           No
Purview                                            No
Ridgeline                                          Investigating
Router N, K, SSA, and S Modular Switches           No
Security Information & Event Manager               Investigating
Summit WM3000 Series                               Investigating
X-Series Secure Core Router                        Investigating
XSR (X-Pedition Security Router)                   Investigating

Impact Details

ExtremeXOS (all products)
Vulnerable: Yes
Vulnerable Component: OpenSSL TLS
Describe conditions when component vulnerability occurs (why/when/how): Whenever the EXOS SSH server with SSL has been invoked by any application such as XML, techsupport, etc.
Product version(s) affected: EXOS currently uses OpenSSL version 1.0.1j in all the active releases. According to openssl.org, this issue was fixed in openssl-1.0.1k (CVE-2015-0204). The latest openssl-1.0.2a or openssl-1.0.1m will also have the fix.
Workaround: TBD
Target Fix Release: TBD
Target Month for Fix Release: TBD

A, B, C, D, G, I and 800 Series Fixed Switches
Vulnerable: No
- Applies only to client code based on OpenSSL

ExtremeWare
Vulnerable: TBD

IDS/IPS
Vulnerable: No
- A vulnerable version of OpenSSL is shipped on appliances prior to version 8.3 MR1, but the ciphers used by the web server and JMS are limited so as not to include any of the susceptible ciphers.

IdentiFi Wireless
Vulnerable: Yes (C25, C4110, C5110, C5210, V2110 only)
- The IdentiFi wireless line of controllers is vulnerable to CVE-2015-0204, although the risk is very small. The controller has some SSL clients (like curl) that do not contain the patch. Since these clients are only used to communicate with known file and management servers, the risk of a hack is low.
- The IdentiFi wireless line of controllers includes a web server that can accept requests for export-grade cipher suites. Customers can disable the use of export-grade encryption by disabling the "Enable Weak Ciphers" option (on the "Secure Connections" page of the controller module of the wireless controller GUI).
Vulnerable Component: cURL web client
Describe conditions when component vulnerability occurs (why/when/how): The cURL client is used to transfer some files to external web sites. The administrator must configure the controller to push files to the external web site and must explicitly configure the web site address. Consequently the risk of MITM is low.
Product version(s) affected: All minor releases of release 9.0
Workaround: One option is to temporarily disable Location Batch Reporting on the controller. Alternatively, ensure that the server location (where reports are being pushed to) has disabled export-grade cipher suites.
Target Fix Release: 9.21
Target Month for Fix Release: July 2015

Vulnerable: No (AP2600, AP3600, AP3700 & AP3800 series only)
- The IdentiFi wireless line of APs (AP2600 series, AP3600 series, AP3700 series, and AP3800 series) is not vulnerable to CVE-2015-0204. None of the currently supported models of AP run web servers, so they do not contribute to the vulnerability by permitting the use of export-grade ciphers.

NAC
Vulnerable: Yes (Only RADIUS)
- FREAK is the name of the OpenSSL issue (CVE-2015-0204); Skip-TLS (CVE-2014-6593) is the Java counterpart: https://www.nccgroup.com/en/blog/2015/03/smack-skip-tls-and-freak-ssltls-vulnerabilities/
- Both versions we ship are vulnerable. OpenSSL is used for NAC's TLS processing for RADIUS, so that is an issue. Java is used for the web server SSL socket and the JMS SSL socket, but we lock down the ciphers to only allow:
  For the NAC web server (HTTPS):
    SSL_RSA_WITH_RC4_128_MD5
    SSL_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  For JMS:
    TLS_RSA_WITH_AES_128_CBC_SHA
Vulnerable Component: NAC RADIUS Engine
Describe conditions when component vulnerability occurs (why/when/how): RADIUS: EAP-TLS, PEAP, and EAP-TTLS use the default cipher list for the OS and have the OpenSSL vulnerability.
Product version(s) affected: NAC 4.x, 5.x, 6.x, both 32-bit and 64-bit appliances
Workaround: N/A
Target Fix Release: OpenSSL and Java will be updated for 6.3
Target Month for Fix Release: 6.3 Early Access is slated for end of July

NetSight
Vulnerable: No
- FREAK is the name of the OpenSSL issue (CVE-2015-0204); Skip-TLS (CVE-2014-6593) is the Java counterpart: https://www.nccgroup.com/en/blog/2015/03/smack-skip-tls-and-freak-ssltls-vulnerabilities/
- Both versions we ship are vulnerable. OpenSSL is not used on Purview for the web server so that is not an issue.
  Java is used for the web server SSL socket and the JMS SSL socket, but we lock down the ciphers to only allow:
  For the NetSight web server (HTTPS):
    SSL_RSA_WITH_RC4_128_MD5
    SSL_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  For JMS:
    TLS_RSA_WITH_AES_128_CBC_SHA

Purview
Vulnerable: No
- FREAK is the name of the OpenSSL issue (CVE-2015-0204); Skip-TLS (CVE-2014-6593) is the Java counterpart: https://www.nccgroup.com/en/blog/2015/03/smack-skip-tls-and-freak-ssltls-vulnerabilities/
- Both versions we ship are vulnerable. OpenSSL is not used on Purview for the web server so that is not an issue. Java is used for the web server SSL socket and the JMS SSL socket, but we lock down the ciphers to only allow:
  For the Purview web server (HTTPS) we limit the ciphers to:
    SSL_RSA_WITH_RC4_128_MD5
    SSL_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  For JMS it's:
    TLS_RSA_WITH_AES_128_CBC_SHA

Ridgeline
Vulnerable: TBD

Router N, K, SSA, and S Modular Switches
Vulnerable: No
- Does not use SSL

Security Information & Event Manager
Vulnerable: TBD

Summit WM3000 Series
Vulnerable: TBD

X-Series Secure Core Router
Vulnerable: TBD

XSR (X-Pedition Security Router)
Vulnerable: TBD

Repair Recommendations

The resolution to any threat or issue depends on a number of things, including the setup of the computer network and how the local IT team wants to address the situation. Accordingly, in addition to updating the software as recommended in this document, the local IT team will need to analyze and address the situation in the manner it determines will best suit the set-up of its computer network.
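One concrete check a local IT team can run as part of that analysis is an audit of each server's enabled cipher-suite list. The following is an added example, not part of this advisory and not Extreme Networks code: it parses the JSSE-style suite names used in the allow lists above, flags export-grade key exchange (the condition the Summary describes) together with other legacy weaknesses, and models the client-side rule that patched OpenSSL applies to a temporary RSA key. The NetSight allow list is taken from this notice; the "legacy" list, and all function and class names, are constructed for the example.

```python
"""Audit TLS cipher-suite allow lists for the FREAK (CVE-2015-0204) condition.

Added example, not part of the Extreme Networks advisory or its products.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Allow list quoted in the advisory for the NetSight web server (HTTPS) and JMS.
NETSIGHT_HTTPS = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
]
NETSIGHT_JMS = ["TLS_RSA_WITH_AES_128_CBC_SHA"]

# Constructed sample of a legacy server's enabled list that still offers
# export-grade suites. The suite names are real IANA names; the list itself
# is not from the advisory.
CONSTRUCTED_LEGACY_LIST = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

_SUITE_RE = re.compile(r"(SSL|TLS)_(.+?)_WITH_(.+)_(MD5|SHA\d*)")


@dataclass(frozen=True)
class SuiteProfile:
    name: str
    key_exchange: str      # "RSA", "DHE_RSA", "DHE_DSS", "DH_anon", ...
    export_grade: bool     # RSA_EXPORT / DHE_*_EXPORT key exchange (<= 512-bit RSA)
    anonymous: bool        # no server authentication
    forward_secrecy: bool  # ephemeral (EC)DH key exchange
    bulk_cipher: str       # "AES_128_CBC", "RC4_128", "RC4_40", "NULL", ...
    mac: str               # "MD5", "SHA", "SHA256", ...


def parse_suite(name: str) -> SuiteProfile:
    """Split a JSSE/IANA-style suite name into key exchange, cipher and MAC."""
    m = _SUITE_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    _, kx, cipher, mac = m.groups()
    export = "_EXPORT" in kx
    kx_clean = re.sub(r"_EXPORT\d*", "", kx)   # RSA_EXPORT -> RSA, DHE_DSS_EXPORT -> DHE_DSS
    return SuiteProfile(
        name=name,
        key_exchange=kx_clean,
        export_grade=export,
        anonymous="anon" in kx_clean,
        forward_secrecy=kx_clean.startswith(("DHE_", "ECDHE_")),
        bulk_cipher=cipher,
        mac=mac,
    )


def audit(suites: List[str]) -> Dict[str, List[str]]:
    """Map each suite name to the weaknesses found in it (empty list = none)."""
    findings: Dict[str, List[str]] = {}
    for name in suites:
        p = parse_suite(name)
        issues: List[str] = []
        if p.export_grade:
            issues.append("export-grade key exchange (FREAK, CVE-2015-0204)")
        if p.anonymous:
            issues.append("anonymous key exchange (no server authentication)")
        if p.bulk_cipher == "NULL":
            issues.append("no encryption")
        if p.bulk_cipher.startswith("RC4"):
            issues.append("RC4 (prohibited by RFC 7465)")
        if p.mac == "MD5":
            issues.append("MD5 MAC")
        findings[name] = issues
    return findings


def export_grade_suites(suites: List[str]) -> List[str]:
    """The FREAK-relevant subset: suites whose key exchange is export grade."""
    return [name for name in suites if parse_suite(name).export_grade]


def accept_temporary_rsa_key(negotiated_suite: str, temp_key_bits: Optional[int]) -> bool:
    """Model of the client-side rule that closed CVE-2015-0204.

    A temporary RSA key in ServerKeyExchange is only legitimate when the client
    actually negotiated an RSA_EXPORT suite. A vulnerable client also accepted
    it for a normal RSA suite, which is the downgrade FREAK relies on.
    """
    if temp_key_bits is None:
        return True                    # no temporary key was sent: nothing to check
    p = parse_suite(negotiated_suite)
    if not (p.export_grade and p.key_exchange == "RSA"):
        return False                   # non-export suite but a temporary key: reject
    return temp_key_bits <= 512        # export suites cap the temporary key at 512 bits


if __name__ == "__main__":
    for name, issues in audit(NETSIGHT_HTTPS + NETSIGHT_JMS + CONSTRUCTED_LEGACY_LIST).items():
        print(f"{name:42s} {'OK' if not issues else '; '.join(issues)}")
```

Run against the allow lists quoted in this notice, `export_grade_suites` returns nothing, which is the property that matters for FREAK; `audit` still reports the RC4 and MD5 suites those lists permit, since an allow list that excludes export suites is not the same as a modern one. The `accept_temporary_rsa_key` model is the reason the client patch matters independently of server configuration: a server that does not enable RSA_EXPORT suites cannot be downgraded, but an unpatched client talking to a third-party server still can.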
Update the software identified in this Notice in your Extreme Networks products by replacing it with the latest releases from Extreme Networks, including those listed above. Firmware and software can be downloaded from www.extremenetworks.com/support.

Additional Information

https://freakattack.com/

Legal Notice

This advisory notice is provided on an "as is" basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.

Revision History

Rev. No.   Date Modified   Description / Milestone
1.0        20-Mar-15       First release
2.0        23-Mar-15       Update NAC, NetSight, Purview, Router N, K, SSA
3.0        23-Mar-15       EXOS
4.0        29-Mar-15       Update NAC Target Fix Release and Target Month