[erlang-questions] SSL/TLS MITM CCS Injection case on Erlang ssl module?

Ingela Andin ingela.andin@REDACTED
Sat Jun 7 12:19:49 CEST 2014


We are currently focusing on gracefulness an running  Codenomicon Defensics
<http://www.codenomicon.com/>  tests.If we find any problems they will be
fixed promptly.
In the upcoming release we have for instance added a format functions for
state data so that secrets should not be visible in crash-reports. Even
if this is not as bad as heart-bleed.

See also comments below.

2014-06-06 11:14 GMT+02:00 Andreas Schultz <aschultz@REDACTED>:

> Hi,
> ----- Original Message -----
> > I'd be glad if Erlang core team could give an idea about how the
> > vulnerability of CVE-2014-0224 would or would not affect Erlang ssl
> > module:
> >
> > http://www.openssl.org/news/secadv_20140605.txt
> >
> http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html
> My take on this:
> Short version
> =============
> I believe that Erlang SSL does not handle out of sequence CCS
> (Change-Cipher-Spec)
> messages correctly, whether that can be exploited or not is unclear.

> Long version
> ============
> From reading the source, I would say that the SSL application will accept
> CCS messages that are out of sequence.
> tls_connection:next_state is processing the packets. Normal handshake
> records
> are processed through the tls_connection FSM, but a CCS message is
> processed
> immediately, outside of the FSM in any state.

Yes this is done as data received after the CSS shall be decoded using the
new connection state, however
we are state aware, and I will add a state check and a flag to check that
the next messages is finished (or protocol_next_negotion and finished),
we should not take any unnecessary risks with security.

> One of the problems OpenSSL has with this, are that invalid pointers might
> be
> exploited. Luckily this is not going to be an issue for Erlang, ssl might
> crash,
> but it will not reveal sensitive data.
That is one of the upsides having the code in Erlang instead of C/C++ :)

> The other issue as described by OpenSSL:
> > An attacker using a carefully crafted handshake can force the use of weak
> > keying material in OpenSSL SSL/TLS clients and servers. This can be
> exploited
> > by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
> > modify traffic from the attacked client and server.
> Now this might be a problem for Erlang. A CCS will activate the pending
> connection
> state. ssl_record initializes the pending states with values that are
> partly valid.
> The bulk_cipher_algo and the secrets are not initialized, so I'm not sure
> if it
> would be possible to craft the handshake sequence in a way to have valid,
> but weak
> values in there.
Does this not require that you can tamper both with the client and the

Regards Ingela Erlang/OTP Team - Ericsson AB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20140607/de437ba0/attachment.htm>

More information about the erlang-questions mailing list