Tag Archives: FREAK

Watch OS 1.0.1 for the Apple Watch Released

With Watch OS 1.0.1 Apple has released the first update for its watch. While it doesn’t include any flashy new features you should definitely make sure to install the patch as soon as possible, since it includes fixes for several critical security issues.

One of them is the well known FREAK bug, the SSL/TSL vulnerability which was disclosed in March. The vulnerability can allow hackers to perform a Man in the Middle (MITM) attack on traffic routed between a device that uses the affected version of OpenSSL and many websites, by downgrading the encryption to an easy to crack 512 bits (64KB).

Other than that the update includes fixes for vulnerabilities that could lead to arbitrary code execution, disclose information, cause a denial of service, redirect user traffic to arbitrary hosts, and bypass network filters.

According to Macworld Watch OS 1.0.1 also improves your Apple Watch’s performance, adds seven new languages, and support for new emoji.

To install the new Watch OS just do the following: Open your Apple Watch app on your iPhone and go to My Watch > General > Software Update. Make sure that the watch is within range of the iPhone and connected to a charger. It should also be at least 50 percent charged.

The post Watch OS 1.0.1 for the Apple Watch Released appeared first on Avira Blog.

LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers

What it’s all about

The weaknesses that allow the so called LogJam Attack apparently have to do with how Diffie-Hellman key exchange has been deployed. Said key is a popular cryptographic algorithm that allows internet protocols to agree on a shared key and negotiate a secure connection. Since it is fundamental to many protocols like HTTPS, SSH, IPsec and SMTPS it is relatively wide spread: about 8.4% of the top one million websites and an even bigger part of servers using IPv4 are affected by LogJam.

“Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections”, the team state.

According to the researchers LogJam can be used to downgrade connections to 80% of TLS DHE EXPORT servers. They also estimates that a skilled team can break a 768-bit prime and that  – due to the available resources – a state-sponsored campaign could break the common 1024-bit prime.

This is especially scary since they estimate that a successful 1024-bit prime attack would allow for eavesdropping on up to 18% of the top one million HTTPS domains.

Their research paper goes even further: “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?” How about that! It definitely opens up room for a lot of discussions.

As with FREAK, the vulnerability is actually quite old already. “To comply with 1990s-era U.S. export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT ciphersuites that were restricted to primes no longer than 512 bits”, the released paper reads.

What you can do

Luckily the team has already been in touch with most of the browser developers which means that there are either already fixes available (namely for the Internet Explorer) or will be very very soon.

Make sure you have the most recent version of your web browser installed: Google Chrome (including Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack. If you run a web or mail server you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group.

More information on LogJam can be found on the dedicated page.

The post LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers appeared first on Avira Blog.

LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers

What it’s all about

The weaknesses that allow the so called LogJam Attack apparently have to do with how Diffie-Hellman key exchange has been deployed. Said key is a popular cryptographic algorithm that allows internet protocols to agree on a shared key and negotiate a secure connection. Since it is fundamental to many protocols like HTTPS, SSH, IPsec and SMTPS it is relatively wide spread: about 8.4% of the top one million websites and an even bigger part of servers using IPv4 are affected by LogJam.

“Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections”, the team state.

According to the researchers LogJam can be used to downgrade connections to 80% of TLS DHE EXPORT servers. They also estimates that a skilled team can break a 768-bit prime and that  – due to the available resources – a state-sponsored campaign could break the common 1024-bit prime.

This is especially scary since they estimate that a successful 1024-bit prime attack would allow for eavesdropping on up to 18% of the top one million HTTPS domains.

Their research paper goes even further: “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?” How about that! It definitely opens up room for a lot of discussions.

As with FREAK, the vulnerability is actually quite old already. “To comply with 1990s-era U.S. export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT ciphersuites that were restricted to primes no longer than 512 bits”, the released paper reads.

What you can do

Luckily the team has already been in touch with most of the browser developers which means that there are either already fixes available (namely for the Internet Explorer) or will be very very soon.

Make sure you have the most recent version of your web browser installed: Google Chrome (including Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack. If you run a web or mail server you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group.

More information on LogJam can be found on the dedicated page.

The post LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers appeared first on Avira Blog.

OpenSSL: Patch for secret “high severity” vulnerability

And indeed, in order to avoid being again in the news, the OpenSSL Foundation is set to release later this week several patches for OpenSSL, fixing undisclosed security vulnerabilities, including one that has been rated “high” severity.

Matt Caswell of the OpenSSL Project Team announced that OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf will be released Thursday.

“These releases will be made available on 19th March,” Caswell wrote. “They will fix a number of security defects. The highest severity defect fixed by these releases is classified as “high” severity.”

OpenSSL has been hit hard and the trust in it and in open source in general has been severely shaken in the last 12 months.

Last year in April, Heartbleed (CVE-2014-0160) was discovered in older versions of OpenSSL, but still highly used, which allowed hackers to read the sensitive contents of users’ encrypted data, such as financial transactions, instant messages and even steal SSL keys from Internet servers or client software that were running the affected versions of OpenSSL.

Two month later, in June the same year, a Man-in-the-Middle (MITM) vulnerability (CVE-2014-0224) was discovered and fixed. However, the vulnerability wasn’t quite as severe as the Heartbleed flaw, but serious enough to decrypt, read or manipulate the encrypted data.

In October last year, POODLE (CVE-2014-3566) (Padding Oracle On Downgraded Legacy Encryption) was discovered in the obsolete Secure Sockets Layer (SSL) v3.0 that could allow an attacker to decrypt contents of encrypted connections to websites. When exploited, it allows an attacker to perform a man-in-the-middle attack in order to decrypt HTTP cookies. The POODLE attack can force a connection to “fallback” to SSL 3.0, where it is then possible to steal cookies, which are meant to store personal data, website preferences or even passwords.

Just weeks ago, the latest vulnerability, FREAK (CVE-2015-0204)  (Factoring Attack on RSA-EXPORT Keys) was discovered in the SSL protocol that allowed an attacker to force SSL clients, including OpenSSL, to downgrade to weaken ciphers that can be easily broken. Needless to say that such a weak encryption could potentially allow them to eavesdrop on encrypted networks by conducting man-in-the-middle attacks. This time, pretty much every big software vendor was affected: Apple, with its MacOS, iPhone and iPad,  Google with Android and Chrome and last but not least, Microsoft with all versions of Windows.

Due to its widespread use, OpenSSL is considered an important software project and is ranked first under the Linux Foundation’s Core Infrastructure Initiative. Because of its complexity, high usage and lack of in-depth security reviews, companies like Google, Facebook and Cisco are heavily sponsoring this project in order to avoid being again affected by long forgotten bugs.

Well, for OpenSSL seems that this is starting to pay off.

The post OpenSSL: Patch for secret “high severity” vulnerability appeared first on Avira Blog.

Microsoft patches FREAK for Windows, IE, Office

The FREAK flaw itself resides in the SSL protocol, so Microsoft has fixed with this patch (MS15-031) its own implementation of the protocol, which is used in all its proprietary software (workstation, server, IE Office).

The release contains fixes for 14 new bulletins in total, five of which are rated as Critical, nine as Important.

The bulletins address vulnerabilities residing in both the consumer and server editions of Microsoft Windows, Internet Explorer, Office, SharePoint Server, and Exchange Server. Most of them may disclose information, bypass security features or would allow an attacker to elevate privileges.

What should you do?

Once your Windows computer signals the availability of the updates don’t wait too long to apply it and reboot your system.

The post Microsoft patches FREAK for Windows, IE, Office appeared first on Avira Blog.

Apple fixes FREAK flaw in OS X and iOS

What is FREAK?

By exploiting the Factoring RSA Export Keys vulnerability in SSL (FREAK), an attacker could intercept the network traffic between entities running any implementation of the vulnerable protocol and decrypt the secure communication. In other words, the attacker is able to act as a man-in-the-middle and decrypt the secure traffic between the client and the server.

The well known OpenSSL library, Apple’s Secure Transport, and Microsoft’s Secure Channel (which is impacting all supported versions of Windows) have all been found vulnerable to this type of attack.

IMG_0059The flaw resides in the fact that the SSL/TLS encryption was forced to use a weaker cipher suite (so called “export grade”) with a 512-bit key that could be broken with today’s technology in a few hours.

Apple is describing the affected area as a “Secure Transport vulnerability which allows an attacker with a privileged network position to intercept SSL/TLS connections”.

The security update 2015-002 which fixes FREAK is available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.2.

The iOS 8.2 is available for iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later.

What should you do?

Apple’s security update for MacOS also includes mitigation for arbitrary code execution by leveraging flaws in iCloud Keychain recovery, IOAcceleratorFamily and IOSurface and the Kernel (OS X Yosemite).

For the iOS, Apple patched bugs in CoreTelephony, which caused the device to restart and buffer overflows in iCloud Keychain which allow an attacker with a privileged network position to execute arbitrary code.

Even if CVE-2015-1067 also known as FREAK is more theoretical than most vulnerabilities affecting the SSL protocol and its implementations (Heartbleed, Poodle), it is strongly advisable to apply the update.

Usually, the update comes over the wire, so follow the known procedures for each device to apply it:

  • iOS: go to Settings ->General -> Software Update
  • Go to Updates (or Software Updates for older versions) and click Update All.

The post Apple fixes FREAK flaw in OS X and iOS appeared first on Avira Blog.

FREAK: All Windows versions are affected too

We wrote about the new SSL vulnerability called FREAK – Factoring RSA Export Keys – affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains, according to computer scientists at the University of Michigan.

Android, iOS and a lot of embedded devices that make use of the affected SSL clients (including Open) are in danger of having their connections to vulnerable websites intercepted.

The two most used operating systems for smartphones, tablets, laptops and embedded devices  are in good company. Yesterday, Microsoft made known that all its supported Windows versions are also affected due to the presence of the vulnerability in the Windows Secure Channel (SChannel) – the Microsoft own implementation of SSL/TLS:

  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows 8 and 8.1
  • Windows Server 2012
  • Windows RT

Microsoft published an TechCenter an advisory where the problem is analyzed and solutions are offered. Also a patch is promised to fix all supported operating systems.

What does it mean for the user?

It means that if you are in Windows and make use of the vulnerable SSL libraries delivered by default, your connection to the affected servers can be intercepted. If you use Internet Explorer to visit www.freakattack.com you will be surprised to see this:

FREAK vulnerability
What should the users do?

We do not recommend messing up with the standard cryptography settings of Windows (or any operating systems) unless you know what you are doing (and there is a just hand full of people that actually do). You should try a browser that is not affected (like Chrome, which was updated in the meanwhile) and apply the patches for operating system and browsers that will come in the next few days.

 

The post FREAK: All Windows versions are affected too appeared first on Avira Blog.

Security experts are FREAKing out: new OpenSSL vulnerability

As any good and mind blowing (for most people) vulnerability, it has a nice name – FREAK, a CVE number – CVE-2015-0204  and a dedicated website https://freakattack.com/ .

FREAK – Factoring RSA Export Keys – affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains, according to computer scientists at the University of Michigan.

This time, the vulnerability can allow hackers to perform a Man In The Middle(MITM)  attack on traffic routed between a device that uses the affected version of OpenSSL and many websites, by downgrading the encryption to an easy to crack 512 bits (64KB).

A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204.

To be affected, devices must use the vulnerable version of OpenSSL. The problem is that OpenSSL is embedded sometimes in the firmware of the device like those running Apple’s iOS, Google’s Android. This makes the patching anything else than trivial. IfApple and Google will hurry up to patch their devices, not the same is going to happen with embedded devices that have the affected OpenSSL library in a firmware burned in a chip.

How is the attack happening?

If an attacker can monitor the traffic  flowing between vulnerable devices (that is, running the vulnerable OpenSSL) and websites (that use the same vulnerable OpenSSL) they could inject code which forces both sides to use 512-bit encryption, which they can then crack in a matter of hours using the power of cloud computing.

It would then be technically pretty straightforward to launch a MITM by pretending to be the official website.

OpenSSL released a patch to the problem in January 2015, while Apple plans to do so next week and Google has released one to its Android partners.

As you can see, it is not trival to perform the MITM attack: special skills, a special environment and special tools are required to make use of this vulnerability. So, this makes FREAK a more theoretical vulnerability.But, this doesn’t mean that it is less dangerous.

However, as many times in the past, good intentions are badly implemented and the page freakattack.com is generously helping attackers to find which servers are affected. On that page the researchers from University of Michigan have published the top 10K domains listed by Alexa.com website.

Who is affected?

Websites that support RSA export cipher suites (e.g., TLS_RSA_EXPORT_WITH_DES40_CBC_SHA) are at risk to having HTTPS connections intercepted.

You can check whether a website supports RSA_EXPORT suites using the SSL FREAK Check available at this page.

The post Security experts are FREAKing out: new OpenSSL vulnerability appeared first on Avira Blog.