New SSL/TLS MiTM Attacks

A number of customers have approached us with questions like “Those new MiTM attacks against SSL/TLS, what’s their impact on the security of our SSL VPNs with client certificates?”
Below we give our assessment, based on the information publicly available as of today.

On 11/04/09 two security researchers (Marsh Ray and Steve Dispensa) published a paper describing some previously (presumably/hopefully) unknown MiTM attacks against SSL/TLS. CVE-2009-3555 was assigned to the underlying vulnerabilities within SSL/TLS.
The attacks described might potentially allow an attacker to hijack an authenticated user’s (SSL/TLS) session. An IETF draft published 11/09/09, which describes a potential protocol extension intended to mitigate the attacks, states the following:
“SSL and TLS renegotiation are vulnerable to an attack in which the attacker forms a TLS connection with the target server, injects content of his choice, and then splices in a new TLS connection from a client.  The server treats the client’s initial TLS handshake as a renegotiation and thus believes that the initial data transmitted by the attacker is from the same entity as the subsequent client data.”
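
The server-side confusion the draft describes, next to the effect of binding each renegotiation to the previous handshake, as an added Python model (not code from the paper, the draft or any vendor). It uses no real TLS: the `Server` class, the `finished` helper and the byte strings are constructed for illustration, and the binding check is a simplification of the approach later standardized as RFC 5746.

```python
import hashlib, hmac, os

def finished(secret: bytes, transcript: bytes) -> bytes:
    """Stand-in for a handshake's Finished verify_data (not the real TLS PRF)."""
    return hmac.new(secret, transcript, hashlib.sha256).digest()[:12]

class Server:
    def __init__(self, require_binding: bool):
        self.require_binding = require_binding
        self.prev_verify = b""   # verify_data of the handshake currently in force
        self.identity = None     # peer identity from the latest handshake
        self.pending = b""       # application data received but not yet dispatched

    def handshake(self, client_id, reneg_info: bytes, verify: bytes) -> None:
        # With binding, a handshake must carry the previous handshake's
        # verify_data (empty only on a fresh connection).
        if self.require_binding and not hmac.compare_digest(reneg_info, self.prev_verify):
            raise ConnectionError("handshake not bound to previous handshake")
        self.prev_verify, self.identity = verify, client_id

    def app_data(self, data: bytes) -> None:
        self.pending += data

    def dispatch(self):
        # The flaw: buffered bytes are attributed to whoever is authenticated now.
        who, request, self.pending = self.identity, self.pending, b""
        return who, request

def spliced_connection(require_binding: bool):
    srv = Server(require_binding)
    # An unauthenticated peer completes a handshake and sends a prefix.
    srv.handshake(None, b"", finished(os.urandom(16), b"handshake-1"))
    srv.app_data(b"PREFIX|")
    # A genuine client's *initial* handshake (empty binding, certificate
    # identity "alice") is relayed into that connection as a renegotiation.
    try:
        srv.handshake("alice", b"", finished(os.urandom(16), b"handshake-2"))
    except ConnectionError as exc:
        return "aborted", str(exc)
    srv.app_data(b"client-request")
    return srv.dispatch()

if __name__ == "__main__":
    print("no binding:  ", spliced_connection(False))
    print("with binding:", spliced_connection(True))
```

Without the binding, the prefix is dispatched under the certificate identity. With it, the second handshake is rejected, while a renegotiation that carries the earlier verify_data still succeeds.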

Obviously this _could_ have a dramatic security impact on most SSL VPN deployments. Still, within the research community the impact on SSL VPNs seems unclear at the moment.
On Monday, Cisco issued a somewhat nebulous security advisory classifying the Cisco AnyConnect VPN Client as _not_ vulnerable (though quite a few other products are). OpenVPN has, for some time already, offered a particular directive (tls-auth) which is regarded as an effective way to mitigate the vulnerabilities. Other vendors (e.g. Juniper) have not yet issued any statements or advisories at all (see also here for an overview of different vendors’ patch status).
This might be a good sign (“no problems there”), or it might just be that they’re still researching the pieces.

After discussing the problems with other researchers, we expect more concrete attack scenarios to emerge in the near future, and we expect some of those future attacks to work against _some_ SSL VPN products as well. If you have SSL VPN technology in use, please contact your vendor _immediately_ and ask for an official statement on this.
Sorry for not having better advice for you right now. We do not want to spread FUD. On the other hand, it might be a cautious approach to “expect the worst” in this case. There’s broad consensus amongst researchers that this _is a big thing_ that most people did not expect in this protocol. A first public break-in based on the vulnerabilities has already been reported.
