A team of academics has revealed a new cryptographic attack this week that can break encrypted TLS traffic, allowing attackers to intercept and steal data previously considered safe & secure.
This new downgrade attack –which doesn’t have a fancy name like most cryptography attacks tend to have– works even against the latest version of the TLS protocol, TLS 1.3, released last spring and considered to be secure.
The new cryptographic attack isn’t new, per-se. It’s yet another variation of the original Bleichenbacher oracle attack.
The original attack was named after Swiss cryptographer Daniel Bleichenbacher, who in 1998 demonstrated a first practical attack against systems using RSA encryption in concert with the PKCS#1 v1 encoding function.
Over the years, cryptographers have come up with variations on the original attack, such as in 2003, 2012, 2012, 2014, 2014, 2014, 2015, 2016 (DROWN), 2017 (ROBOT), and 2018.
The reason for all these attack variations is because the authors of the TLS encryption protocol decided to add countermeasures to make attempts to guess the RSA decryption key harder, instead of replacing the insecure RSA algorithm.
These countermeasures have been defined in Section 188.8.131.52 of the TLS standard (RFC 5246), which many hardware and software vendors across the years have misinterpreted or failed to follow to the letter of the law.
These failure in regards to implementing proper mitigations has resulted in many TLS-capable servers, routers, firewalls, VPNs, and coding libraries still being vulnerable to Bleichenbacher attack variations, which found and exploited problems in the incorrect mitigation procedures.
The latest Bleichenbacher attack variations was described in a technical paper published on Wednesday, this week, and entitled “The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations.”
Seven researchers from all over the world found –yet again– another way to break RSA PKCS#1 v1.5, the most common RSA configuration used to encrypt TLS connections nowadays. Besides TLS, this new Bleichenbacher attack also works against Google’s new QUIC encryption protocol as well.
“The attack leverages a side-channel leak via cache access timings of these implementations in order to break the RSA key exchanges of TLS implementations,” researchers said.
Even the newer version of the TLS 1.3 protocol, where RSA usage has been kept to a minimum, can be downgraded in some scenarios to TLS 1.2, where the new Bleichenbacher attack variation works.
“We tested nine different TLS implementations against cache attacks and seven were found to be vulnerable: OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, and GnuTLS,” researchers said.
Updated versions of all the affected libraries were published concurrently in November 2018, when researchers published an initial draft of their research paper.
For more details, the following CVE identifiers have been assigned to the security bugs enabling this new Bleichenbacher attack: CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, and CVE-2018-16870.
The two libraries that were not vulnerable were BearSSL and Google’s BoringSSL.