===================================================================== CERT-Renater Note d'Information No. 2013/VULN338 _____________________________________________________________________ DATE : 08/08/2013 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems implementing compressed HTTPS. ====================================================================== http://www.kb.cert.org/vuls/id/987798 ______________________________________________________________________ Vulnerability Note VU#987798 BREACH vulnerability in compressed HTTPS Original Release date: 02 août 2013 | Last revised: 07 août 2013 Overview By observing the length of compressed HTTPS responses, an attacker may be able to derive plaintext secrets from the ciphertext of an HTTPS stream. Description Angelo Prado of Salesforce.com reports: Extending the CRIME vulnerability presented at Ekoparty 2012, an attacker can target HTTPS responses to recover data from the response body. While the CRIME attack is currently believed to be mitigated by disabling TLS/SSL/level compression, compressed HTTP responses represent a significant unmitigated vector which is currently exploitable. By injecting plaintext into an HTTPS request, an attacker can learn information about the corresponding HTTPS response by measuring its size. This relies on the attacker being able to observe the size of the cipher text received by the browser while triggering a number of strategically crafted requests to a target site. To recover a particular secret in an HTTPS response body, the attacker guesses character by character, sending a pair of requests for each guess. The correct guess will result in a smaller HTTPS response. For each guess the attacker coerces the victim's browser to issue two requests. The first request includes a payload of the form: "target_secret_name=++" ...while the second request includes a payload of the form: "target_secret_name=++". If the size of the first response is smaller than the second response, this indicates that the guess has a good chance of being correct. This method of sending two similar requests and comparing them is due to Duong and Rizzo. If multiple candidates are found, the following is a useful recovery mechanism: move forward in parallel with both candidates until it becomes clear which guess is correct. With a token of length 32 and a character space of size 16 (e.g. hex), the attacker needs an average of approximately 1,000 request if no recovery mechanisms are needed. In practice, we have been able to recover CSRF tokens with fewer than 4,000 requests. A browser like Google Chrome or Internet Explorer is able to issue this number of requests in under 30 seconds, including callbacks to the attacker command & control center. [In order to conduct the attack, the following conditions must be true]: 1. HTTPS-enabled endpoint (ideally with stream ciphers like RC4, although the attack can be made to work with adaptive padding for block ciphers). 2. The attacker must be able to measure the size of HTTPS responses. 3. Use of HTTP-level compression (e.g. gzip). 4. A request parameter that is reflected in the response body. 5. A static secret in the body (e.g. CSRF token, sessionId, VIEWSTATE, PII, etc.) that can be bootstrapped (either first/last two characters are predictable and/or the secret is padded with something like KnownSecretVariableName="". 6. An otherwise static or relatively static response. Dynamic pages do not defeat the attack, but make it much more expensive. Impact A sophisticated attacker may be able to derive plaintext secrets from the ciphertext in an HTTPS stream. Solution We are currently unaware of a practical solution to this problem. However, the reporters offer several tactics for mitigating this vulnerability. Some of these mitigations may protect entire applications, while others may only protect individual web pages. 1. Disable HTTP compression. 2. Separate the secrets from the user input. 3. Randomize the secrets in each client request. 4. Mask secrets (effectively randomizing by XORing with a random secret per request). 5. Protect web pages from CSRF attacks. 6. Obfuscate the length of web responses by adding random amounts of arbitrary bytes. Vendor Information (Learn More) Vendor Status Date Notified Date Updated Apache-SSL Unknown 19 Jun 2013 19 Jun 2013 Apache HTTP Server Project Unknown 19 Jun 2013 30 Jul 2013 Apache Tomcat Unknown 19 Jun 2013 19 Jun 2013 Apple Inc. Unknown 19 Jun 2013 19 Jun 2013 Google Unknown 19 Jun 2013 19 Jun 2013 Microsoft Corporation Unknown 19 Jun 2013 19 Jun 2013 Mozilla Unknown 19 Jun 2013 19 Jun 2013 Opera Unknown 19 Jun 2013 19 Jun 2013 If you are a vendor and your product is affected, let us know. CVSS Metrics (Learn More) Group Score Vector Base 2,6 AV:N/AC:H/Au:N/C:P/I:N/A:N Temporal 2,3 E:F/RL:W/RC:C Environmental 3,2 CDP:ND/TD:H/CR:H/IR:H/AR:ND References http://cwe.mitre.org/data/definitions/310.html http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf http://breachattack.com/resources/BREACH%20-%20BH%202013%20-%20PRESENTATION.pdf http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407 Credit Thanks goes to the following individuals for reporting this vulnerability: Angelo Prado, Salesforce.com Neal Harris, Square Yoel Gluck, Salesforce.com This document was written by Todd Lewellen. Other Information CVE IDs: CVE-2013-3587 Date Public: 20 sept. 2012 Date First Published: 02 août 2013 Date Last Updated: 07 août 2013 Document Revision: 34 Feedback If you have feedback, comments, or additional information about this vulnerability, please send us email. ====================================================================== ========================================================= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================