Wi-Fi in Apple iOS before 10.3.1 does not prevent CVE-2017-6956 stack buffer overflow exploitation via a crafted access point. NOTE: because an operating system could potentially isolate itself from CVE-2017-6956 exploitation without patching Broadcom firmware functions, there is a separate CVE ID for the operating-system behavior.
Monthly Archives: April 2017
Auto Login URL – Less Critical – Access Bypass – DRUPAL-SA-CONTRIB-2017-034
- Advisory ID: DRUPAL-SA-CONTRIB-2017-034
- Project: Auto Login URL (third-party module)
- Version: 7.x, 8.x
- Date: 2017-April-05
- Security risk: 8/25 (Less Critical) AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:Default
- Vulnerability: Access bypass
Description
This module lets you create auto login URLs programmatically on demand and through tokens.
The module does not provide sufficient protection when generating login URLs. An attacker could rebuild login URLs independently, thereby logging in as another user.
This vulnerability is mitigated by the fact that an attacker needs to guess the exact second at which a login URL was generated for a user. Furthermore, the attacker also needs to know the victim's user ID and the login destination of the generated login URL. The attack is also mitigated by the module's flood control, which gives an attacker only a limited number of attempts to guess login URLs.
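As an added illustration (not the module's code; the weak scheme below is assumed for the sake of the example), the contrast between a login token derived only from inputs the advisory names as knowable or guessable (user ID, destination, second of generation), which can be recomputed off-site, and a random, single-use, expiring token that cannot:

```python
"""Added example: why a login URL built only from guessable inputs can be rebuilt,
and a hardened alternative. The weak scheme is assumed for illustration; it is not
the Auto Login URL module's actual code."""
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def weak_token(uid: int, destination: str, issued_second: int) -> str:
    """Hypothetical weak scheme: no server secret, no randomness. Every input is
    something the advisory says an attacker can know (uid, destination) or
    guess (the second of generation), so the token is reproducible off-site."""
    material = f"{uid}:{destination}:{issued_second}".encode()
    return hashlib.sha256(material).hexdigest()


def _digest(token: str) -> str:
    # Hashing before storage/lookup means a leaked table yields no usable tokens
    return hashlib.sha256(token.encode()).hexdigest()


class LoginLinkStore:
    """Hardened scheme: a random single-use token, stored only as a hash
    server-side, bound to the user and destination, with a short lifetime."""

    def __init__(self, ttl_seconds: int = 300) -> None:
        self.ttl = ttl_seconds
        # sha256(token) -> (uid, destination, expires_at)
        self._pending: Dict[str, Tuple[int, str, int]] = {}

    def issue(self, uid: int, destination: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (uid, destination, now + self.ttl)
        return token

    def redeem(self, token: str, now: int) -> Optional[Tuple[int, str]]:
        # pop() makes the token single-use whether or not it is still valid
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        uid, destination, expires_at = entry
        if now > expires_at:
            return None
        return uid, destination
```

Flood control, as the advisory notes, limits how many guesses the weak scheme allows; the hardened scheme removes the guessable structure altogether.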
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Auto Login URL 8.x-1.x versions prior to 8.x-1.2.
- Auto Login URL 7.x-1.x versions prior to 7.x-1.7.
Drupal core is not affected. If you do not use the contributed Auto Login URL module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Auto Login URL module for Drupal 8.x, upgrade to Auto Login URL 8.x-1.2
- If you use the Auto Login URL module for Drupal 7.x, upgrade to Auto Login URL 7.x-1.7
Also see the Auto Login URL project page.
Reported by
- Klaus Purer of the Drupal Security Team
Fixed by
- Thanos Nokas the module maintainer
- Klaus Purer of the Drupal Security Team
Coordinated by
- Klaus Purer of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
eSports: Avira FIFA17 Contest with 2000€ Prize Pool – Join Now!

It’s been some time since we last talked about eSports, but a good thing takes time. What is eSports? For those of you who don’t know, let me explain. eSports is short for ‘electronic sports’ and is the term for competitive video gaming. It’s exactly what you probably think it is […]
The post eSports: Avira FIFA17 Contest with 2000€ Prize Pool – Join Now! appeared first on Avira Blog.
Changes coming to TLS: Part Two
In the first part of this two-part blog we covered certain performance improving features of TLS 1.3, namely 1-RTT handshakes and 0-RTT session resumption. In this part we shall discuss some security and privacy improvements.
Remove obsolete and insecure cryptographic primitives
Remove RSA Handshakes
When RSA is used for key establishment there is no forward secrecy. This means that an adversary can record the encrypted conversation between the client and the server and, if it is later able to break the RSA public key (which could take years, or could happen because the attacker obtained the private key), decrypt all of the recorded conversations. In some cases (such as when SSLv2 is enabled), RSA key establishment is vulnerable to DROWN. You can still use RSA certificates with TLS 1.3, but all key establishment has to be done with DH (either finite field or elliptic curve). The primary reason RSA key exchange was removed was Bleichenbacher and similar attacks; getting PFS is a welcome bonus.
Remove weak primitives
TLS 1.3 also removes RC4, SHA-1 and MD5 (vulnerable to SLOTH), all of which are considered weak or broken.
No CBC mode
Security weaknesses in CBC MAC-then-Encrypt mode have long been established and have been the cause of various named flaws such as Lucky 13 and POODLE.
No ChangeCipherSpec
This was removed because it is no longer necessary to mark the end of the handshake; the first two messages exchanged do that. As an aside, ChangeCipherSpec caused the well-known CCS injection flaw in OpenSSL.
No compression negotiation
The option of negotiating compression, which is vulnerable to CRIME, is removed.
Re-key mechanism
Session renegotiation is replaced with a simple re-key mechanism.
Removing PKCS #1 v1.5 and some ECDHE groups
PKCS #1 v1.5 encryption in the RSA key exchange is removed since it has multiple flaws. The PKCS #1 v1.5 signature algorithm, which isn’t broken, is removed mostly as a “just in case” measure and to base the protocol on new cryptographic primitives that were designed from the ground up to follow good practice. Many weak and non-standard (EC)DHE groups were removed, including custom FFDHE groups, now that clients finally have a mechanism to advertise supported key sizes to the server.
New cryptographic features and primitives
Anti-downgrade feature
Implementations which support TLS 1.3 will also continue supporting TLS 1.2 for a long time to ensure backward compatibility with older clients. This, however, can lead to downgrade attacks.
A man-in-the-middle (MITM) attacker could modify the ClientHello message to trick the TLS server into believing that the client only supports TLS 1.2 or lower, and then use any flaws discovered in TLS 1.2 to complete the MITM attack (read or modify messages between the client and the server). TLS 1.3, however, offers an anti-downgrade feature, which is an enhancement of the previous downgrade protection provided by the TLS 1.2 Finished messages.
When a TLS 1.3 server receives a ClientHello that asks it to negotiate a lower version, the following happens:
- If negotiating TLS 1.2, TLS 1.3 servers MUST set the last eight bytes of their Random value to the bytes: 44 4F 57 4E 47 52 44 01
- If negotiating TLS 1.1, TLS 1.3 servers MUST, and TLS 1.2 servers SHOULD, set the last eight bytes of their Random value to the bytes: 44 4F 57 4E 47 52 44 00
TLS 1.3 clients receiving a TLS 1.2 or below ServerHello MUST check that the last eight bytes are not equal to either of these values. TLS 1.2 clients SHOULD also check that the last eight bytes are not equal to the second value if the ServerHello indicates TLS 1.1 or below. If a match is found, the client MUST abort the handshake with an “illegal_parameter” alert. This mechanism provides limited protection against downgrade attacks over and above that provided by the Finished exchange. Because the ServerKeyExchange, a message present in TLS 1.2 and below, includes a signature over both random values, it is not possible for an active attacker to modify the random values without detection as long as ephemeral ciphers are used.
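The sentinel mechanism described above, as an added example (not code from any TLS library or from the original post): the server stamps ServerHello.random according to the version it negotiated, and the client checks the stamp against its own highest supported version. Version numbers and the two sentinel values are the wire values; the function names are the example's own.

```python
"""Added example: TLS 1.3 downgrade sentinel in ServerHello.random.
Models the rules quoted above; not taken from any real TLS implementation."""
import os
from typing import Optional

TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304
SENTINEL_TLS12 = bytes.fromhex("444F574E47524401")  # "DOWNGRD\x01"
SENTINEL_TLS11 = bytes.fromhex("444F574E47524400")  # "DOWNGRD\x00"


def server_random(server_max: int, negotiated: int) -> bytes:
    """32-byte ServerHello.random for a server whose highest version is
    server_max after negotiating `negotiated`. The last 8 bytes carry the
    sentinel when a downgrade from the server's own maximum occurred."""
    rnd = bytearray(os.urandom(32))
    if server_max >= TLS13 and negotiated == TLS12:
        rnd[24:] = SENTINEL_TLS12          # MUST for TLS 1.3 servers
    elif server_max >= TLS12 and negotiated <= TLS11:
        rnd[24:] = SENTINEL_TLS11          # MUST for 1.3, SHOULD for 1.2 servers
    return bytes(rnd)


def client_check(client_max: int, negotiated: int, rnd: bytes) -> Optional[str]:
    """Client-side check on a received ServerHello. Returns None if the
    handshake may continue, otherwise the alert the client MUST send."""
    if negotiated >= TLS13:
        return None                        # no downgrade took place
    tail = rnd[24:]
    if client_max >= TLS13 and tail in (SENTINEL_TLS12, SENTINEL_TLS11):
        return "illegal_parameter"         # 1.3 client, server also speaks 1.3
    if client_max == TLS12 and negotiated <= TLS11 and tail == SENTINEL_TLS11:
        return "illegal_parameter"         # 1.2 client, server also speaks 1.2
    return None


def mitm_downgrade_detected(client_max: int, server_max: int, forced_max: int) -> bool:
    """Scenario: a MITM rewrites the ClientHello so the server believes the
    client supports at most `forced_max`. The honest server negotiates that
    version and stamps its random; this returns whether the client notices."""
    negotiated = min(server_max, forced_max)
    rnd = server_random(server_max, negotiated)
    return client_check(client_max, negotiated, rnd) == "illegal_parameter"
```

The check only fires when both endpoints support a higher version than was negotiated; a TLS 1.3 client talking to a genuine TLS 1.2-only server sees no sentinel and proceeds, which is the "limited protection" the text refers to.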
New improved session resumption features
Session resumption using tickets and identifiers has been obsoleted by TLS 1.3 and replaced by PSK (pre-shared key) mode. A PSK is established on a previous connection after the handshake is completed, and can then be presented by the client on the next visit. Forward secrecy can also be maintained by limiting the lifetime of PSK identities sensibly. Clients and servers may additionally choose an (EC)DHE cipher suite for PSK handshakes to provide forward secrecy for every connection, not just for the session as a whole.
New ECC curves
TLS 1.3 includes two additional ECC curves: Curve25519 and Curve448. These new curves can easily be implemented in constant time on common hardware (as opposed to the other elliptic curves).
Privacy of certificates during handshake
TLS 1.3 has provision for what it calls “Encrypted Extensions”. The server sends the EncryptedExtensions message immediately after the ServerHello message. This is the first message that is encrypted under keys derived from the “server_handshake_traffic_secret”. The rest of the handshake after this point is encrypted, including the transmission of certificates (both client and server). This protects extension data from eavesdropping attackers.
Inclusion of ChaCha20/Poly1305
TLS 1.3 only allows AEAD cipher suites, which means AES-GCM/AES-CCM and ChaCha20-Poly1305 are the only options available. They are intended to improve performance and power consumption in devices with acceleration for AES (note: ChaCha20 is not new in TLS 1.3; it is already supported and deployed in TLS 1.2).
Implementations
OpenSSL is currently working on including TLS 1.3 support. It seems likely that OpenSSL 1.1.1 will include this.
NSS 3.29 contains support for TLS 1.3, which is enabled by default. Note that although NSS has support for draft versions of TLS 1.3, one can’t deploy the current NSS and expect it to work with implementations that will deploy real, finished TLS 1.3, as it doesn’t use the same version ID as the finished version will.
GnuTLS is working on TLS 1.3 support.
Certain fuzzers, such as the well-known tlsfuzzer, are going to include support for fuzzing the TLS 1.3 protocol soon.
Tim Berners-Lee, Inventor of the Web, Wins $1 Million Turing Award 2016
Sir Tim Berners-Lee, the inventor of the World Wide Web, has won this year’s A.M. Turing Award, frequently described as the “Nobel Prize of Computing,” from the Association for Computing Machinery (ACM).
The Turing Award is named after Alan Mathison Turing, the British mathematician and computer scientist who was a key contributor to the Allied cryptanalysis of the German Enigma cipher and
Mobile spyware uses sandbox to avoid antivirus detections
We recently came across mobile malware that uses a sandbox, like the malware that posed as a dual instance app and took advantage of VirtualApp, to steal users’ Twitter credentials. We suspect that cybercriminals are once again using a sandbox to try to avoid antivirus detection.
Millions Of Smartphones Using Broadcom Wi-Fi Chip Can Be Hacked Over-the-Air
Millions of smartphones and smart gadgets, including Apple iOS and many Android handsets from various manufacturers, equipped with Broadcom Wifi chips are vulnerable to over-the-air hijacking without any user interaction.
Just yesterday, Apple rushed out an emergency iOS 10.3.1 patch update to address a serious bug that could allow an attacker within same Wifi network to remotely execute
Bugtraq: AST-2017-001: Buffer overflow in CDR's set user
Bugtraq: [SECURITY] [DSA 3826-1] tryton-server security update
Bugtraq: DefenseCode ThunderScan SAST Advisory: Apache Tomcat Directory/Path Traversal
