July 30 marked the close of the annual Black Hat USA security conference in Las Vegas, Nevada. Though Black Hat events are held at many venues throughout the year, the Vegas Black Hat Briefings are generally seen as the premier opportunities for disclosing security vulnerabilities or unveiling new research. This year’s conference hosted a number of presentations that made quite a few waves in the security industry and in the press. Cisco Security Intelligence Operations has already alerted you to many of these.
Several of the presentations at the Briefings were based on far-reaching, systemic flaws. As vendors have an opportunity to respond to these presentations and release updates to address them, administrators should expect to see increased activity around these issues. If their environments are particularly impacted, administrators may need to look at intermediate mitigations until patches become available or can be fully deployed.
On Tuesday, July 28, Microsoft released patches for the Active Template Library (ATL) vulnerabilities that were discussed the next day by Dowd, Smith, and Dewey. The Cisco Security Blog recently discussed this topic, how ATL might be exploited by attackers, and what you can do. The ATL flaws, like all vulnerabilities in shared libraries, have the potential of impacting a great deal of code that has been widely distributed. It will probably take vendors a great deal of time to find all of the places where ATL code might have been used, and thus patches could be slow to emerge.
Later in the week, Dan Kaminsky and Moxie Marlinspike gave talks about X.509 and SSL security. Both researchers independently explored weaknesses in X.509 Certificate issuing, finding opportunities to produce fraudulent certificates, perform man-in-the-middle attacks, and generally abuse the trust that users and applications place in “validated” SSL connections.
Kaminsky’s attack against MD2, in particular, shows that there could be a cryptographically feasible attack to defeat MD2-signed root certificates within six months’ time. As a workaround, SSL libraries and client applications need to be patched in the interim. Without mitigation, it may be possible to generate a fraudulent SSL certificate for any domain, or even to bypass smartcard authentication systems that protect workstation and server logins.
Marlinspike’s research into SSL also led him to a similar conclusion as Kaminsky: that null characters inserted into certificates could fool various SSL implementations. These null characters allow for corrupting the verification of the trust chain, confusing automated approval processes at Certificate Authorities, and more. To top things off, Moxie also disclosed a buffer overflow and he updated his SSLSNIFF tool to be OCSP-aware.
OCSP, which is the protocol responsible for checking for revoked certificates, allows the OCSP server to send a “tryLater” response when a certificate is checked for validity. From the privileged man-in-the-middle position, SSLSNIFF can replace any incoming OCSP response with “tryLater”, resulting in a client skipping OCSP checks, and entirely defeating this security measure.
But the pain for SSL did not end there. Zusman and Sotirov looked at breaking Extended Validation SSL (EV-SSL, that friendly green security indicator some sites sport in recent browsers). One of their key points was the breakdown in the validation process used by Certificate Authorities to ensure that certificates were being sent to the right people. EV-SSL was designed to solve this by performing Extended Validation, as the name suggests. Zusman and Sotirov, however, sidestep this issue by attacking how browsers use EV certificates, and not necessarily how attackers might try to obtain fraudulent ones.
With Sotirov & Zusman’s methods, attackers can opt for a number of scenarios under which Extended Validation appears in the browser bar, but malicious pages are loaded from an attacker’s control:
- Man-in-the-middle attacks with mixed content: requests to non-EV domains, like ssl.googleanalytics.com, are supported. By attacking these non-EV sites with SSL certificates generated through an MD5 collision attack, attackers can cause malicious pages to load while EV still displays in the browser.
- Man-in-the-middle with same origin: uses popups and page refreshes to serve malicious content that appears to be EV-certified.
- Man-in-the-middle with SSL rebinding: switches from an EV connection to a non-EV conection, or vice versa, to retain the appearance of EV certification for malicious content.
- Man-in-the-middle with SSL cache poisoning: by modifying the Last-Modified HTTP header, an attacker can post-date non-EV content and the EV certificate won’t be revalidated if an If-Modified-Since request is sent.
Between these researchers’ efforts, SSL and X.509 took quite a beating at Black Hat this year. And while SSL may have been a popular target this year, it was not alone. Weaknesses were disclosed regarding SMS messaging, virtualization, smart grid, web content, and more. Some briefings, like the ATL and SSL items discussed above, represented major challenges for vendors and users. Others were more incremental or theoretical, yet still represent an advancement of the security discipline. Cisco will continue to monitor the outcomes of the research and activities related to Black Hat, updating our intelligence content as necessary.