[erlang-questions] SSL/TLS MITM CCS Injection case on Erlang ssl module?

Ingela Andin ingela.andin@REDACTED
Sat Jun 7 12:19:49 CEST 2014


Hi!

We are currently focusing on gracefulness and running Codenomicon Defensics
<http://www.codenomicon.com/> tests. If we find any problems they will be
fixed promptly.
In the upcoming release we have for instance added a format function for
state data so that secrets should not be visible in crash reports. Even
if this is not as bad as Heartbleed.

See also comments below.

2014-06-06 11:14 GMT+02:00 Andreas Schultz <aschultz@REDACTED>:

> Hi,
>
> ----- Original Message -----
> > I'd be glad if Erlang core team could give an idea about how the
> > vulnerability of CVE-2014-0224 would or would not affect Erlang ssl
> > module:
> >
> > http://www.openssl.org/news/secadv_20140605.txt
> >
> http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html
>
> My take on this:
>
> Short version
> =============
>
> I believe that Erlang SSL does not handle out of sequence CCS
> (Change-Cipher-Spec) messages correctly, whether that can be exploited
> or not is unclear.
>


> Long version
> ============
>
> From reading the source, I would say that the SSL application will accept
> CCS messages that are out of sequence.
>
> tls_connection:next_state is processing the packets. Normal handshake
> records are processed through the tls_connection FSM, but a CCS message
> is processed immediately, outside of the FSM in any state.
>

Yes, this is done as data received after the CCS shall be decoded using the
new connection state. However, we are state aware, and I will add a state
check and a flag to check that the next message is Finished (or
protocol_next_negotion and Finished); we should not take any unnecessary
risks with security.


> One of the problems OpenSSL has with this, are that invalid pointers might
> be exploited. Luckily this is not going to be an issue for Erlang, ssl
> might crash, but it will not reveal sensitive data.
>
>
That is one of the upsides of having the code in Erlang instead of C/C++ :)



> The other issue as described by OpenSSL:
>
> > An attacker using a carefully crafted handshake can force the use of weak
> > keying material in OpenSSL SSL/TLS clients and servers. This can be
> > exploited by a Man-in-the-middle (MITM) attack where the attacker can
> > decrypt and modify traffic from the attacked client and server.
>
> Now this might be a problem for Erlang. A CCS will activate the pending
> connection state. ssl_record initializes the pending states with values
> that are partly valid. The bulk_cipher_algo and the secrets are not
> initialized, so I'm not sure if it would be possible to craft the
> handshake sequence in a way to have valid, but weak values in there.
>
>
Does this not require that you can tamper both with the client and the
server?

Regards Ingela Erlang/OTP Team - Ericsson AB
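The state check and "next message must be Finished" flag described in the reply above, modelled as an added Python example (this is not OTP's tls_connection or ssl_record code; the state names, record names and the stand-in key block are assumptions):

```python
class HandshakeError(Exception): pass

CCS = "change_cipher_spec"
# Server-side handshake FSM: state -> (record accepted there, next state).
# Only the ordering around CCS is modelled; the key schedule is a stand-in.
FSM = {"hello": ("client_hello", "certify"),
       "certify": ("client_key_exchange", "cipher"),
       "cipher": ("finished", "connection")}

class Connection:
    def __init__(self):
        self.state = "hello"
        self.pending_keys = None      # filled only by the key exchange
        self.active_keys = None       # filled only by a CCS that passes the check
        self.expect_finished = False  # the flag: after CCS only Finished may follow

def handle_ccs(conn):
    # CCS stays outside the handshake FSM, as in the code under discussion, but
    # is accepted only once the key exchange has filled the pending state.
    if conn.state != "cipher" or conn.pending_keys is None or conn.expect_finished:
        raise HandshakeError("unexpected CCS in state %r" % conn.state)
    conn.active_keys, conn.pending_keys = conn.pending_keys, None
    conn.expect_finished = True

def handle_record(conn, record):
    if record == CCS:
        return handle_ccs(conn)
    if conn.expect_finished and record != "finished":
        raise HandshakeError("only Finished may follow CCS, got %r" % record)
    expected, nxt = FSM.get(conn.state, (None, None))
    if record != expected:
        raise HandshakeError("%r not allowed in state %r" % (record, conn.state))
    if record == "client_key_exchange":
        conn.pending_keys = {"key_block": "stand-in for the derived secrets"}
    elif record == "finished":
        if not conn.expect_finished:
            raise HandshakeError("Finished before CCS")
        conn.expect_finished = False
    conn.state = nxt

def accepts(records):
    """True if the whole record sequence yields an established connection."""
    conn = Connection()
    try:
        for r in records:
            handle_record(conn, r)
    except HandshakeError:
        return False
    return conn.state == "connection" and conn.active_keys is not None
```

An early CCS never activates the half-initialised pending state, and anything other than Finished after a CCS is rejected instead of being fed to the FSM.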