Return of Bleichenbacher's Oracle Threat (ROBOT)

Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities

Juraj Somorovsky TLS History Secure Sockets Layer (SSL), SSLv2 Wagner, Schneier: Analysis of 1995 SSLv3 SSLv3 Bleichenbacher’s attack Transport Layer Security Padding oracle 2000 attack Padding oracle attack

2005

TLS 1.1

TLS 1.2 2010 BEAST, CRIME, BREACH, Lucky 13

TLS 1.3 2015

2 2 Provably secure crypto Constant-time implementations

Man-in-the- Middle attacks Padding oracle attacks

3 Padding oracle attacks

4 About this talk

• Return Of Bleichenbacher’s Oracle Threat (ROBOT). Hanno Böck, Juraj Somorovsky, Craig Young. USENIX Security 2018

• Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities. Robert Merget, Juraj Somorovsky, Nimrod Aviram, Craig Young, Janis Fliegenschmidt, Jörg Schwenk, Yuval Shavitt. USENIX Security 2019 Overview – ROBOT

1. Bleichenbacher’s (padding oracle) attack 2. How we started – Attack on Facebook 3. Performing the scans 4. Responsible disclosure 5. What did we learn

6 TLS Protocol (High Level Overview)

1. TLS Handshake • Selection of algorithm, version, extensions • Key exchange: RSA, (EC)DH, (EC)DHE 2. Encrypted and authenticated data transport

7 TLS RSA Handshake

ClientHello ServerHello Certificate ServerHelloDone ClientKeyExchange ChangeCipherSpec RSA encrypted premaster (Client-) Finished secret ChangeCipherSpec (Server-) Finished

8 RSA PKCS#1 v1.5

• Used to pad and encrypt the premaster secret: • To pad it to the RSA key length • To add randomization • Example for TLS 1.2:

00 02 [non-zero padding] 00 03 03 [secret]

Encryption 0x00 TLS 1.2 version block type Delimiter (Yes, very intuitive)

9 Bleichenbacher’s Attack

• 1998: Adaptive chosen-ciphertext attack • Exploits strict RSA PKCS#1 v1.5 padding validation

Ciphertext C

C1 valid/invalid

C2 valid/invalid Starts with 00 02 ?

… M = Dec(C)

10 Bleichenbacher’s Attack

• The attack needs some math (not going into details here) • “Million message attack” (but could also be faster) Questions:

11 Creating Bleichenbacher’s Oracle

ClientHello Server ServerHello

Certificate Modified ServerHelloDone ciphertext ClientKeyExchange’ ChangeCipherSpec (Client-) Finished:

Decrypt Bad Record Error / MAC Alert

12 TLS Countermeasure

ClientHello ServerHello

Certificate ServerHelloDone If the attacker can ClientKeyExchange’ distinguish valid / ChangeCipherSpec (Client-) Finished: invalid PKCS#1 messages, he wins Alert

13 Overview – ROBOT

1. Bleichenbacher’s (padding oracle) attack 2. How we started – Attack on Facebook 3. Performing the scans 4. Responsible disclosure 5. What did we learn

14 Hanno Found a Weird Behavior of Facebook

ClientHello Server ServerHello

Certificate ServerHelloDone

ClientKeyExchange’ ChangeCipherSpec (Client-) Finished:

Illegal Bad Record Parameter / MAC Alert

15 Can We Exploit It?

• Idea: It would be funny to sign a message with Facebook’s private key • Yes, signing is possible as well • Millions of queries needed…would Facebook block us? • Successful after several tries:

“We hacked Facebook with a Bleichenbacher Oracle (JS/HB).”

• Facebook fixed

16 Facebook: New Attempt

ClientHello Server ServerHello

Certificate ServerHelloDone

ClientKeyExchange’ ChangeCipherSpec (Client-) Finished: /

17 Facebook Fixed Again

• This is interesting. So how about other servers?

18 Overview – ROBOT

1. Bleichenbacher’s (padding oracle) attack 2. How we started – Attack on Facebook 3. Performing the scans 4. Responsible disclosure 5. What did we learn

19 Let’s Start Scanning

• Careful selection of ClientKeyExchange messages: • Wrong TLS version • Wrong padding length 00 02 [non-zero padding] 00 03 03 [secret] • Not starting with 0x00 02 • Full / Shortened TLS handshakes:

ClientHello ClientHello ServerHello ServerHello Certificate Certificate ServerHelloDone ServerHelloDone ClientKeyExchange’ ClientKeyExchange’ ChangeCipherSpec ChangeCipherSpec (Client-) Finished: (Client-) Finished:

20 Alexa Top 1 Million Scan

• 2,8 % vulnerable • PayPal, Apple, ebay, Cisco, … • Different behaviors…different combinations:

TCP connection resets Timeouts

Illegal Bad Record Handshake Internal Different alerts Parameter / MAC Alert / Failure / Error /..

Duplicate alerts Alert / Alert Alert

21 Overview – ROBOT

1. Bleichenbacher’s (padding oracle) attack 2. How we started – Attack on Facebook 3. Performing the scans 4. Responsible disclosure 5. What did we learn

22 Who Is Responsible for These Mistakes?

• Reporting is not always that easy … Your server is vulnerable to Bleichenbacher‘s attack. No worries, we use millitary grade encryption.

23 Don’t Fix for Some Vendors … Cisco ACE

• Supports only TLS RSA • Cisco: We won't fix it, it's out of support for several years

• But there were plenty of webpages still running with these devices Like cisco.com

24 Identified (Most of) Them

25 Test Tools

• No easily usable test tool for Bleichenbacher attacks available • Currently implemented in SSL Labs, testssl.sh, TLS-Attacker, tlsfuzzer

26 Overview – ROBOT

1. Bleichenbacher’s (padding oracle) attack 2. How we started – Attack on Facebook 3. Performing the scans 4. Responsible disclosure 5. What did we learn

27 What Did We Learn?

• 20 year old attacks still work • New side channels • Timeouts • TCP resets • Duplicated alerts

• How about scanning for other vulnerabilities?

28 About this talk

• Return Of Bleichenbacher’s Oracle Threat (ROBOT). Hanno Böck, Juraj Somorovsky, Craig Young. USENIX Security 2018

• Can we effectively scan for CBC oracles at scale? • Can we also identify vulnerabilities and avoid false positives/negatives? • Are these vulnerabilities exploitable? Overview – Padding Oracle Attacks

1. Vaudenay’s (padding oracle) attack 2. Padding oracle attack on TLS 3. Scalable scanning 4. Vulnerability clustering 5. Findings

30 Cipher Block Chaining (CBC) Encryption

m1 m2... m3 ... pad

Block Cipher Block Cipher Block Cipher k Encryption k Encryption k Encryption

IV C1 C2 C3

31 Cipher Block Chaining (CBC) Decryption

IV C1 C2 C3

Block Cipher Block Cipher Block Cipher k Decryption k Decryption k Decryption

m1 m2... m3 ... pad

32 CBC Malleability

IV C1

Block Cipher k CBC decryption Decryption

33 CBC Malleability: Example

Block Cipher k CBC decryption Decryption

34 CBC Malleability: Example

10 10

Block Cipher k CBC decryption Decryption

10 01

35 Why Are We Talking about Padding Oracles?

• CBC has a fixed padding structure

m1 m2... m3 ... pad

• Valid padding values: • 0x01 • 0x02 0x02 • 0x03 0x03 0x03 • ….

36 Vaudenay’s Padding Oracle Attack Scenario

• 2002 • Adaptive chosen-ciphertext attack

CBC Ciphertext C IV C1,...,Cn

C’ IV‘ C1 valid/invalid

C’’ IV‘‘ C1 valid/invalid Correct padding? 0x01 … M = Dec(C) 0x02 0x02 …

37 Vaudenay’s Padding Oracle Attack

IV‘ IV | C1 16

IV’16=0...0xFF

AES dec

Goal x x16

m 01

m'16=0...0xFF

x16 = 0x01 ⊕ IV’16 38 Vaudenay’s Padding Oracle Attack

IV‘ IV‘ IV | C1 15 016

IV’15=0...0xFF

AES dec

Goal x X15` x16

m 02 0102

m'15=0...0xFF

39 Padding Oracles Exploited in Many Scenarios

d Privacy ecurity an sium on S E Sympo 2011 IEE in ASP.NET DesignFlaws of Cryptographic eb: The Case y in the W Cryptograph JulianoRizzo Netifera gentina Aires,Ar Buenos a.com Thai Duong juliano@netifer AOnline Vnsecurity/HV , Vietnam a gold Minh City Web become Ho Chi .net make the together thaidn@vnsecurity errors cryptographic xt attacks. case misused chosen-cipherte the y is mine for by examining based how cryptograph . Our focus this point scusses the Web illustrate web applications paper di part of developed paper, we in in —This a large ork e In this first released Abstract design of framew sites. W implementationsork was As application net web framew work. in the security the web all Inter design of cryptographic The .NET Frame .NET, 25% of .NET [12]. of the Internet is on ASP powers cryptographicdescribe on ASP ersion1.0 of all the osoft that use multiple We with v that25% view by Micr can ab applications. ers to 2002 believed 1 we re attackers web w attack January it is .NET. Here show that ASP.NET that allo tokens 2010, ASP on at the compromise attacks of September eloped using stableversi flaws to efficient for ge authentication are dev current several and highly keysand decryption web sites was the apply to practical secret combine keysfor which also The attacks reuseof v4.0, comments steal cryptographic ormation. and the easons ASP.NET Our ve inf e some r accesssensiti encryptions, , we giv and of submission. .NET. to Finally time of ASP .NET v4.0. oracles,unauthenticatedpurposes. in web technologies, vious versions in ASP encryption misused pre flaws present differ ent y is often es. cryptographic have been thesemistak several out to of why cryptograph to avoid , observe turns steps eb security We flaw (which is a consequence recommend , W serious years) and Security The most almost three two practical y, Application encryption. .NET for We present crypto- -Cryptograph in ASP ers to steal Keywords attack, Unauthenticated encryption. w attack destroy oracle unauthenticated that allo tokensand Decryption ficient attacks ef ge authentication v4.0 application. ION highly keys, for .NET ODUCT secret ASP decryption I. I NTR graphic of every combine know if model that audenay can one the security xt attacks by V ed, “How y?” chosen-cipherte introduced Rizzo ask cryptograph are oracle that 2004 Nguyen is good wn Both to thepadding technique The EuroCrypt software] hassho similar and the CBC-R T ’10 [14]. At [in history oracles ’02 [13] WOO er implemented because both open at USENIX the attack what is question in at EuroCrypt only can isan important used incorrectly vertheless, demonstrated that not can create [1]. This is often Ne and Duong attacksis he also y (see[1]–[7]). limited of these .NET, but by that cryptograph software , there is novelty in ASP and processed proprietary WWW web data decrypted and role of the and decrypt secret being source cryptographic the that after ve information. the important both the for xts retrieve sensiti On the (In)Security of IPsec in MAC-then-Encrypt despite from s question cipherte w him to SectionII, available Nguyen’ .NET, allo ws. In research to answer in web technologies. ASP as follo Configurations communities is organized thecryptographic security implementations y is the paper v4.0and vide40 cryptograph rest of ASP.NET III, we pro of cryptographic in The w of Section the case implemented pervasive ve an overvie work. In and that badly is highly we gi frame attacks shows are,but protocol, in the oracle In This paper softw a stateless vulnerabilities on decryption self-contained. ∗ † to traditional HTTP is state background the paper padding Jean Paul Degabriele Kenneth G. Paterson not limited well. Since user session sufficient to make exploiting as the technique attack our Information Security Group Information Security Group webapplications either manage For performance CBC-R our first we describe must the client. with we describe V, does Royal Holloway, University of London Royal Holloway, University of London developers it to to go IV, ork. In Section attackand web er or push elopers tend Section framew the first the Egham, Surrey, TW20 0EX, UK Egham, Surrey, TW20 0EX, UK on the serv web dev information in the than consider data reasons, session , oracles is faster VI, we to keep However attack,which In Section [email protected] [email protected] and scalability They want y. second oracle. countermeasures method. to cryptograph unau- a padding as well as y is the latter turn e that not require attacks y cryptograph they correctly We observ state of our on wh ABSTRACT widely to build Virtual Private Networks (VPNs) and se- so is error-prone. session impact reflections secret, crypto to encrypt practical Our andour recommendations cure remote access solutions. IPsec offers security at the often used prevent them. IPsec allows a huge amount of flexibility in theways in which implementing is Unauthenticated that webtechnologies IP layer of the TCP/ IP protocol stack, meaning that IPsec encryption view states. usedin in its component cryptographic mechanisms can be combined thenticated cookiesand when oftenmisused VII. provides cryptographic protection for IP packets (or their as HTTP particularly xt in Section tobuild a secure communications service. This may be good datasuch [7]–[11], forge a cipherte can be found payloads). Part of IPsec’s complexity arises from a delib- is dangerous to er to work. for support ing different security requirements but is poten- The ability the attack er ate attem pt by IPsec’s designer s to provide a flex ible and encryption system. xt allows uiltwith.com/frame tially bad for security. We demonstrate the reality of this plainte alsotend 1 http://trends.b highly configurable approach to providing security services an authentication desired developers See by describing efficient , plaint ext-recovering att acks against to a [7]. Web These for IP traffic. that decrypts userseasily purposes. all configurat ions of IPsec in which integrity prot ection is other ferentencryption The RFCsspecifying the major component protocols ESP, impersonate ys for dif applied prior to encryption – so-called MAC-then-encrypt sameke 481 configurations. We report on the implementation of our at- AH, IK E [14, 15, 9] and that describing the IPsec architec- to usethe ture [13] offer only limited guidance to end users about how tacks against a specific IPsec implementation, and reflect on tiEon best to configureIPsec to achievetheir desired security goals. t2 I0n1fo1r ImEaE the implications of our attacks for real-world IPsec deploy- C$2o6p.y0r0i g©h -6o0g1n1iz/1ed1 Moreover, littlesecurity analysisof IPsec seems to have been U10n8r1ec 011.42 ments as well as for theoretical cryptography. 109/SP.2 published. In particular, whilst it is by now well-established DOI 10.1 that using ESP in “ encryption-only” configurations is inse- Categoriesand Subject Descriptors cure in general [1, 18, 5], there appears to have been no C.2.0 [Com put er -Com municat ion N et wor ks]: General— syst ematic security evaluation of the many different ways Security and protection (e.g., firewalls) of combining encryption and integrity prot ection that are allowed by IPsec: General Terms • ESP may provide its own integrity protection, in which Security case it is provided by a MAC algorithm that is applied after ESP’s encryption – an encrypt-then-MAC con- Keywords st ruction. IPsec, ESP, AH, MAC-then-encrypt, Traffic Flow Confiden- • Alternatively, AH can be used to provide the protec- tiality, Fragmentation tion, again using a MAC algorithm, though with the MAC algorithm having a great er scope than in ESP. In 1. INTRODUCTION this case, packets may be first integrity protected by AH and then encrypted using ESP, or first encrypted IPsec is a notoriously complex protocol suite, but one of by ESP and then int egrity protected by AH (where great importance in today’s Internet where it is deployed now the extended scope of AH’s integrity protection means that more fields of the IP header are protected ∗This author’s research is funded by Vodafone Group Ser- vices Limited, a Thomas Holloway Research Studentship, than would be the case with ESP-provided integrity and the Strat egic Educat ional Pat hways Scholarship Scheme protection). (Malta), part-financed by the European Union – European Social Fund. • It is even possible to achieve a MAC-then-encrypt con- †This author’s research supported by an EPSRC Leadership st ruction usi ng two layers of ESP processing. Fellowship, EP/ H005455/ 1. • Further, the current version of ESP allows combined- mode algorithms to be used, wherein encryption and integrity prot ection are rolled into a single processing st ep. Permission to make digital or hard copies of all or part of thiswork for personal or classroom use is granted without fee provided that copies are • In all of the above configurations, AH and/ or ESP may not made or distributed for profit or commercial advantage andthat copies each be applied in ei ther tunnel mode or transport bear this notice and the full citation on the first page. To copyotherwise, to republish, to post on servers or to redistribute to lists, requires prior specific mode. permission and/or a fee. CCS’10, October 4–8, 2010, Chicago, Illinois, USA. • To add a final dimension, both AH and ESP allow Copyright 2010 ACM 978-1-4503-0244-9/10/10 ...$10.00. sequence number checking to be performed as an op- Overview – Padding Oracle Attacks

1. Vaudenay’s (padding oracle) attack 2. Padding oracle attack on TLS 3. Scalable scanning 4. Vulnerability clustering 5. Findings

41 CBC in TLS

• Protects TLS records after a successful handshake • Available since SSLv2 • Used in many cipher suites: • TLS_RSA_WITH_AES_256_CBC_SHA • TLS_RSA_WITH_3DES_EDE_CBC_SHA • … AES-CBC in TLS

• MAC-Pad-Encrypt • Example: • Two blocks pad • Message: Hello mac • MAC size: 20 bytes (SHA-1) • Padding size: 32 – 5 – 20 = 7

H e l l o 06 06 06 06 06 06 06 Preventing Padding Oracles

Ciphertext

DecryptionValid / Invalid failed

Server

Challenge: not to reveal padding validity Same error message

44 pad Triggering a Typical Padding Oracle mac

H e l l o 06 0605 06 06 06 06 06

H e l l o 06 06 06 06 06 06 06

BAD_RECORD_MAC / DECRYPT_ERROR

45 pad Botan (CVE-2015-7824) mac

• Bad padding: BAD_RECORD_MAC

H e l l o 06 0605 06 06 06 06 06

• Bad MAC: BAD_RECORD_MAC H e l l o 06 06 06 06 06 06 06

• Special case: DECODING_ERROR

0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c

Not enough bytes for an HMAC (19) 46 pad OpenSSL (CVE-2016-2107) mac

• Bad MAC / padding: BAD_RECORD_MAC

H e l l o 06 0605 06 06 06 06 06 • Bad MAC: RECORD_OVERFLOW

H1F 1Fe 1Fl 1Fl 1Fo 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F • Introduced after patching Lucky13 • Only available in AES-NI supported cipher suites: • TLS_RSA_WITH_AES_*_CBC_SHA • TLS_RSA_WITH_AES_*_CBC_SHA256

47 pad POODLE mac

• Bad MAC / last padding byte: BAD_RECORD_MAC

H e l l o 06 06 06 06 06 06 0605

• Arbitrary padding bytes: no error

H e l l o 06 06 06 06 06 06 06

Everything ok. SSLv3 uses a different padding scheme.

48 Overview – Padding Oracle Attacks

1. Vaudenay’s (padding oracle) attack 2. Padding oracle attack on TLS 3. Scalable scanning 4. Vulnerability clustering 5. Findings

49 Goals

• Generate test vectors • Use knowledge from previous works • Scan Alexa 1M • Identify vulnerabilities and report them

50 Test Vector Generation

H1F e1F 1Fl 1Fl 1Fo 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F 1F06 1F06 1F06 1F06 1F06 1F06 1F06

• Malformed TLS records (25) • Flipping bits in MAC 25 malformed records in • Flipping bits in padding total • Overlong padding • Using all … • TLS versions (see the SSLv3 POODLE vulnerability) • CBC cipher suites (see CVE-2016-2107)

51 Test Vector Reduction

• Problem example: • 25 malformed records • Server supports TLS 1.0 and TLS 1.1 with 10 CBC cipher suites • Results in 500 TLS handshakes (without rescanning)

• Can we identify all vulnerabilities with less vectors? • Pre-scanning 50k random hosts on port 443 • Reducing the set of malformed records from 25 to 4 • (still scanning with all TLS versions and cipher suites)

52 Alexa Top 1 Million Scan

• Based on our TLS-Attacker: • https://github.com/RUB-NDS/TLS-Attacker • Supported by redis and mongoDB • 72 hours, 627,493 hosts supporting CBC cipher suites • 18,257 vulnerable • Observed different TLS alerts, TCP resets, timeouts, …

53 Malformed Records Triggering Different Different malformed Fingerprints records

Response: Response: • Fatal BAD_RECORD_MAC • Fatal BAD_RECORD_MAC • Warning • Warning • Connection close • Timeout

How many different fingerprints do we have?

54 Malformed Records Triggering Different Fingerprints

93 Different Fingerprints

55 Malformed Records Triggering Different Fingerprints

Problem: which vendors to notify?

56 Overview – Padding Oracle Attacks

1. Vaudenay’s (padding oracle) attack 2. Padding oracle attack on TLS 3. Scalable scanning 4. Vulnerability clustering 5. Findings

57 Vulnerability Clustering

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA B

Are A and B implementations equal?

58 Vulnerability Clustering

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA B

TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA C 59 Vulnerability Clustering

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA B What do we know? • B != C • A and B could be equal TLS_RSA_WITH_AES_256_CBC_SHA • A and C could be equal TLS_RSA_WITH_3DES_EDE_CBC_SHA C 60 Vulnerability Clustering: Usage of Force Atlas2 What do we know? • Two-dimensional graph • B != C • Edges between equally behaving servers • A and B could be equal • Contains as few crossing edges as possible • A and C could be equal

B A C

D E 61 Vulnerability Clustering: Example

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

62 Overview – Padding Oracle Attacks

1. Vaudenay’s (padding oracle) attack 2. Padding oracle attack on TLS 3. Scalable scanning 4. Vulnerability clustering 5. Findings

63 Results

• https://github.com/RUB-NDS/TLS-Padding-Oracles • OpenSSL. CVE-2019-1559. • Citrix. CVE-2019-6485. • F5 TMM TLS virtual server. CVE-2019-6593. • SonicWall SonicOs. CVE-2019-7477

64 OpenSSL (CVE-2019-1559)

• Identified with the help of the Amazon security team • Only in stitched cipher suites • Highly optimized, no AES-NI

Response: Response: • Fatal BAD_RECORD_MAC • Fatal BAD_RECORD_MAC • Warning • Warning • Connection close • Timeout 65 pad OpenSSL (CVE-2019-1559) mac

• Bad padding: BAD_RECORD_MAC, Connection Close

H e l l o 06 0605 06 06 06 06 06

• Bad MAC: BAD_RECORD_MAC, Connection Close H e l l o 06 06 06 06 06 06 06

• 0-length record: BAD_RECORD_MAC, Timeout

0b 0b 0b 0b 0b 0b0c 0b 0b 0b 0b 0b 0b

66 Disclaimer

• CBC padding oracle attacks are much harder to exploit … • BEAST scenario needed • Active MitM attacker • …

67 Demo: TLS-Scanner

68 Conclusions

• 20 years old attacks still work • New side-channels (timeouts, TCP resets, …) • New attacks can be found by IPv4 scanning

• Disable RSA and CBC cipher suites (not used in TLS 1.3) • Stop using RSA PKCS#1 v1.5 • Use elliptic curves (or RSA-OAEP if RSA needed) • Stop using CBC • Use authenticated modes of operation like AES-GCM