Volker Grassmuck on Mon, 15 May 2000 16:13:13 +0200 (CEST)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[rohrpost] (Fwd) SSL Vulnerability of Netscape (was: CERT Advisory CA-2000-


are you using Netscape for eBanking and eShopping? Read this!


>Date: Fri, 12 May 2000 16:10:26 -0400 (EDT)
>From: CERT Advisory <[email protected]>
>To: [email protected]
>Subject: CERT Advisory CA-2000-05
>Reply-To: [email protected]
>Organization: CERT(R) Coordination Center - +1 412-268-7090
>Status: U
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>CERT Advisory CA-2000-05
>Netscape Navigator Improperly Validates SSL Sessions
>
>    Original release date: May 12, 2000
>    Source: ACROS, CERT/CC
>   
>    A complete revision history is at the end of this file.
>   
>Systems Affected
>
>      * Systems running Netscape Navigator 4.72, 4.61, and 4.07. Other
>        versions less than 4.72 are likely to be affected as well.
>       
>Overview
>
>    The ACROS Security Team of Slovenia has discovered a flaw in the way
>    Netscape Navigator validates SSL sessions.
>   
>I. Description
>
>    The text of the advisory from ACROS is included below. It includes
>    information CERT/CC would not ordinarily publish, including specific
>    site names and exploit information. However, because it is already
>    public, we are including it here as part of the complete text provided
>    by ACROS.
>
>=====[BEGIN-ACROS-REPORT]=====
>
>    =========================================================================
>    ACROS Security Problem Report #2000-04-06-1-PUB
>    -------------------------------------------------------------------------
>    Bypassing Warnings For Invalid SSL Certificates In Netscape Navigator
>    =========================================================================
>    FULL REPORT                                                        PUBLIC
>                                                                       ======
>
>
>    Affected System(s): Netscape Navigator & Communicator
>               Problem: Bypassing Warnings For Invalid SSL Certificates
>              Severity: High
>              Solution: Installing the Personal Security Manager or
>                        Installing the newest Netscape Communicator (v4.73)
>            Discovered: April 3, 2000
>       Vendor notified: April 4, 2000
>           Last update: May 10, 2000
>             Published: May 10, 2000
>
>
>SUMMARY
>=======
>
>Our team has discovered a flaw in Netscape Navigator that allows bypassing
>of warning about an invalid SSL certificate. SSL protection is used in most
>major Internet-based financial services (e-banking, e-commerce). The flaw
>we have found effectively disables one of the two basic SSL functionalities:
>to assure users that they are really communicating with the intended web
>server - and not with a fake one.
>Using this flaw, the attacker can make users send secret information (like
>credit card data and passwords) to his web server rather than the real one -
>EVEN IF THE COMMUNICATION IS PROTECTED BY SSL PROTOCOL.
>
>
>INTRODUCTION (skip this section if you already understand how SSL works)
>============
>
>When a web browser tries to connect to a SSL-protected server, a so-called
>SSL session is  established. At the beginning of this session the server
>presents his SSL certificate containing his public key. At this point,
>browser checks the certificate for the following conditions (*):
>
>1) Certificate must be issued by a certificate authority trusted by browser
>    (some are default: Verisign, Thawte etc.)
>2) Certificate must not be expired (its expiry date:time must be later than
>    the current system date:time on the computer browser is running on)
>3) Certificate must be for the server that browser is connecting to (if
>    browser is connecting to www.e-bank.com, the certificate must be for
>    www.e-bank.com)
>
>All three conditions must be met for browser to accept the certificate. For
>every condition not met, browser should display a warning to the user and
>then user can decide whether connection should be established or not.
>These three conditions combined provide user with assurance that his browser
>is really connecting to the correct server and not to some fake server
>placed on the Internet by malicious individual(s) trying to trick users to
>give them credit card information, passwords and other secret information.
>
>For example, let's take a look at a sample web e-banking system that doesn't
>use SSL certificates and requires one-time password tokens for user
>authentication. User connects to http://www.e-bank.com. Browser asks DNS
>server for IP address of www.e-bank.com and gets 100.100.100.100. Browser
>then connects to 100.100.100.100 and user is presented with login form
>asking for his username and one-time password. He enters this data and
>starts using e-banking services.
>A simple attack (called web-spoofing) on this system is to attack the DNS
>server and "poison" its entry for www.e-bank.com with attacker's IP address
>99.99.99.99. Attacker sets up a web server at 99.99.99.99 that web-wise
>looks exactly like the original www.e-bank.com server. User trying to
>connect to www.e-bank.com will now instead connect to the attacker's server
>and provide it with his one-time password. Attacker's server will use this
>password to connect to the real server at 100.100.100.100 and transfer all
>of the user's money to his secret Swiss bank account ;-).
>
>This attack is successfully disabled by using SSL protocol. In that
>case, when browser falsely connects to www.e-bank.com at 99.99.99.99 rather
>than to 100.100.100.100, attacker's server must provide a valid certificate
>for www.e-bank.com, which it can't unless the attacker has stolen the secret
>key and the certificate from the real server. Let's look at three
>possibilities:
>
>1) Attacker could issue a certificate for www.e-bank.com himself (on his own
>    CA). That wouldn't work since his CA is not trusted by user's browser.
>2) Attacker could use a stolen expired key and certificate (those are often
>    not protected as strongly as valid ones since one could think they can't
>    be used any more). That wouldn't work since browser will notice that
>    certificate is expired.
>3) Attacker could use a valid key and certificate for some other site (e.g.
>    www.something.org). That wouldn't work since browser will accept only
>    valid certificates for www.e-bank.com.
>
>It would seem that this problem of web-spoofing is successfully solved with
>SSL certificates.
>
>
>PROBLEM
>=======
>
>There is a flaw in implementation of SSL certificate checks in Netscape
>Navigator.
>
>
>The Flaw
>- --------
>
>Netscape Navigator correctly checks the certificate conditions (*) at the
>beginning of a SSL session it establishes with a certain web server.
>The flaw is, while this SSL session is still alive, all HTTPS
>connections to *THAT SERVER'S IP ADDRESS* are assumed to be a part of this
>session (and therefore certificate conditions are not checked again).
>Instead of comparing hostnames to those of currently open sessions, Navigator
>compares IP addresses. Since more than one hostname can have the same IP
>address, there is a great potential for security breach.
>This behavior is not in compliance with SSL specification.
>
>
>DEMONSTRATION
>=============
>
>The following will try to demonstrate the flaw. It is assumed that for
>redirecting user's web traffic, the attacker will generally use "DNS
>poisoning" or reconfiguring routers, while in our demonstration we will
>use the HOSTS file on client computer to get the same effect and make it
>easier to reproduce the flaw.
>
>In this demonstration, we will make Navigator open Thawte's homepage over
>secure (HTTPS) connection while requesting Verisign's home address at
>https://www.verisign.com.
>Thawte's and Verisign's homepages are used as examples - this would work
>just the same on any other secured web sites.
>
>1) First, add the following line to the local HOSTS file on the computer
>running the Navigator and save it:
>
>207.240.177.177	www.verisign.com
>
>This will make the computer (and, consequently, the browser) think that IP
>address of www.verisign.com (which is actually 205.139.94.60) is in fact
>207.240.177.177 (which is actually IP address of www.thawte.com).
>
>At this point it is important to note that SSL, if correctly implemented,
>provides protection against such "domain name spoofing", because while the
>browser will connect to the wrong server, that server will not be able to
>provide a valid SSL certificate and the SSL session will not be
>established (not without user being warned about the certificate).
>
>2) Close all instances of Navigator to clean any cached IP addresses.
>
>3) Open Navigator and go to https://www.thawte.com. It works as it should -
>Thawte's server provides a valid SSL certificate for its hostname
>(www.thawte.com) and so the SSL session is established.
>
>4) With the same instance of Navigator, go to https://www.verisign.com. Now
>watch the Thawte's homepage appear again WITHOUT ANY WARNINGS!
>
>What happened here? In step 3), Navigator looked up the IP address for
>www.thawte.com (from the DNS server) and found 207.240.177.177. It tried to
>establish a SSL session with that IP address and correctly checked all three
>certificate conditions (*) - indeed, if any of them weren't true, a warning
>would pop up.
>In step 4), Navigator looked up the IP address for www.verisign.com (this
>time from HOSTS file, but it could easily have been from the same DNS server)
>and found again 207.240.177.177. Now, since there was already one SSL session
>open with that IP address, Navigator *INCORRECTLY* decided to use that
>session instead of establishing another one.
>
>
>EXPLOIT
>=======
>
>This exploit will show how the flaw could be used to gather user's secret
>information.
>
>Assume there is a web bookstore at www.thebookstore.com. Users go to
>http://www.thebookstore.com (via normal HTTP connection), browse the
>books and add them to their virtual shopping baskets. At the check-out,
>they are directed to a secure order form (e.g.
>https://www.thebookstore.com/order_form.html) where they enter their
>personal and credit card information which is then submitted (again via
>secure HTTPS connection) to the server. This is a typical web e-commerce
>concept.
>Assume that IP address of www.thebookstore.com is 100.100.100.100.
>
>The attacker sets up his own web server with IP address 99.99.99.99 and
>installs on it a valid SSL certificate for host www.attacker.com (he could
>have purchased this certificate from e.g. Verisign if he owns the domain
>attacker.com; he could have stolen the certificate or he could have broken
>into a web server with a certificate already installed).
>The attacker makes this web server function as a gateway to
>www.thebookstore.com - meaning that all requests are forwarded to
>www.thebookstore.com, so virtually this server "looks and feels" exactly like
>the real www.thebookstore.com. There is just one difference: the page before
>the order form (e.g. http://www.thebookstore.com/basket.html)
>contains a small (1x1) image originating from https://www.attacker.com
>(secure HTTPS connection).
>
>Then, the attacker "poisons" a heavily used DNS server so that it will return
>99.99.99.99 for requests about www.thebookstore.com (normally it returns
>100.100.100.100).
>
>What happens then?
>
>All users of that DNS server who will try to visit (via normal HTTP)
>http://www.thebookstore.com will connect to 99.99.99.99 instead of
>100.100.100.100 but will not notice anything because everything will look
>just the way it should. They will browse the books and add them to their
>shopping baskets and at check-out, they will be presented with the order form
>https://www.thebookstore.com/order_form.html.
>But the previous HTML page containing the hyperlink to the order form will
>also contain a small (1x1) image with source https://www.attacker.com/a.gif.
>Navigator will successfully download this image and for that it will
>establish a SSL session with www.attacker.com. This session then stays open.
>When the order form is accessed, Navigator tries to establish another SSL
>session, this time to www.thebookstore.com. Since DNS server claims this
>server has the same IP address as www.attacker.com (99.99.99.99), Navigator
>will use the existing SSL session with 99.99.99.99 and will not check the
>certificate.
>The result: Navigator is displaying a SECURE ORDER FORM that it believes to
>be originating from the genuine server www.thebookstore.com while in fact
>it is originating from the fake one. No warning about an invalid certificate
>is issued to the user so he also believes to be safe.
>When user submits his secret information, it goes to (through) the attacker's
>server where it is collected for massive abuse.
>For users to notice the foul play they would have to look at the certificate
>properties while on a "secure" page https://www.thebookstore.com/...
>The properties would show that the certificate used was issued for host
>www.attacker.com.
>Also, monitoring network traffic would show that the server is not at
>100.100.100.100 where it should be but rather at 99.99.99.99.
>
>It is a very rare practice to check any of these when nothing suspect is
>happening.
>
>
>Notes
>- -----
>
>It should be noted that in the previous exploit, if the users tried to
>access https://www.thebookstore.com over secure (HTTPS) connection from
>the very start, Navigator would issue a warning. It is imperative for the
>exploit to work that some time *before* the first secure connection to
>https://www.thebookstore.com a successful secure connection is made to
>https://www.attacker.com. That's why a valid certificate must be installed
>on www.attacker.com.
>
>Also, it should be noted that Navigator's SSL sessions don't last forever.
>We haven't been able to predict the duration of these sessions
>(it seems to be depending on many things like inactivity time, total time
>etc.) and we also haven't investigated the possible effects of SSL
>session resuming.
>
>
>SOLUTION
>========
>
>Netscape has (even prior to our notification - see the Acknowledgments
>section) provided a Navigator Add-on called Personal Security Manager (PSM),
>freely downloadable at:
>
>http://www.iplanet.com/downloads/download/detail_128_316.html
>
>Installation of PSM, as far as we have tested it, corrects the identified
>flaw.
>
>Netscape Communicator (v4.73) currently includes the fix for this
>vulnerability. It is available for download at:
>
>http://home.netscape.com/download/
>
>
>WORKAROUND
>==========
>
>Navigator/Communicator users who can't or don't want to install PSM can use
>a "manual" method to make sure they are not under attack:
>
>When visiting an SSL-protected site, double click on the lock icon (bottom
>left corner) or the key icon (in older browsers) and see whether the
>certificate used for the connection is really issued for the correct
>hostname. E.g. If you visit https://www.verisign.com, make sure the
>certificate used is issued for www.verisign.com and not for some other
>hostname.
>
>
>ADVISORY
>========
>
>It is important to emphasize that the flaw presented completely compromises
>SSL's ability to provide strong server authentication and therefore poses
>a serious threat to Navigator users relying on its SSL protection.
>
>
>Users of web services
>- ---------------------
>
>Netscape Navigator/Communicator users who are also users of any critical web
>services employing Secure Sockets Layer (SSL) protection to provide secrecy
>and integrity of browser-server communication are strongly advised to
>install Personal Security Manager or upgrade to Communicator 4.73 and thus
>disable this vulnerability.
>
>Main examples of such critical web services are:
>
>- - web banking systems (especially the ones using passwords for
>   authentication - even one-time passwords),
>- - web stores (especially the ones accepting credit card data) and
>- - other web-based e-commerce systems.
>
>
>Providers of web services
>- -------------------------
>
>Providers of critical web services employing Secure Sockets Layer (SSL)
>protection to provide secrecy and integrity of browser-server communication
>should advise their users to install Personal Security Manager or upgrade to
>Communicator 4.73 and thus disable this vulnerability.
>
>Since this vulnerability allows for the type of attack that can completely
>bypass the real/original web server, there are no technical countermeasures
>which providers of web services could deploy at their sites.
>
>
>Web services using client SSL certificates for user authentication
>- ------------------------------------------------------------------
>
>This vulnerability does NOT allow the attacker to steal client's SSL key
>and thus execute the man-in-the-middle attack on web services using client
>SSL certificates for user authentication. It still does, however, allow
>the attacker to place a fake server (an exact copy) and collect other
>information users provide (including the data in their client SSL
>certificates).
>
>
>TESTING RESULTS
>===============
>
>Tests were performed on:
>
>Communicator 4.72 - affected
>Communicator 4.61 - affected
>Navigator 4.07 - affected
>
>
>ACKNOWLEDGMENTS
>===============
>
>We would like to acknowledge Netscape (specifically Mr. Bob Lord and Mr.
>Kevin Murray) for prompt and professional response to our notification of
>the identified vulnerability and their help in understanding the flaw and
>"polishing" this report.
>
>We would also like to acknowledge Mr. Matthias Suencksen of Germany, who
>has discovered some aspects of this vulnerability before we did (back in
>May 1999).
>
>
>REFERENCES
>==========
>
>Netscape has issued a Security Note about this vulnerability under a title
>"The Acros-Suencksen SSL Vulnerability" at:
>
>http://home.netscape.com/security/notes/index.html
>
>
>SUPPORT
>=======
>
>For further details about this issue please contact:
>
>Mr. Mitja Kolsek
>
>ACROS, d.o.o.
>Stantetova 4
>SI - 2000 Maribor, Slovenia
>
>phone: +386 41 720 908
>e-mail: [email protected]
>
>PGP Key available at PGP.COM's key server.
>PGP Fingerprint: A655 F61C 5103 F561  6D30 AAB2 2DD1 562A
>
>
>DISTRIBUTION
>============
>
>This report was sent to:
>
>- - BugTraq mailing list
>- - NTBugTraq mailing list
>- - Win2KSecAdvice mailing list
>- - SI-CERT
>- - ACROS client mailing list
>
>
>DISCLAIMER
>==========
>
>The information in this report is purely informational and meant only for
>the purpose of education and protection. ACROS, d.o.o. shall in no event be
>liable for any damage whatsoever, direct or implied, arising from use or
>spread of this information.
>All identifiers (hostnames, IP addresses, company names, individual names
>etc.) used in examples and exploits are used only for explanatory purposes
>and have no connection with any real host, company or individual. In no
>event should it be assumed that use of these names means specific hosts,
>companies or individuals are vulnerable to any attacks nor does it mean that
>they consent to being used in any vulnerability tests.
>The use of information in this report is entirely at user's risk.
>
>
>COPYRIGHT
>=========
>
>(c) 2000 ACROS, d.o.o., Slovenia. Forwarding and publishing of this document
>is permitted providing all information between marks "[BEGIN-ACROS-REPORT]"
>and "[END-ACROS-REPORT]" remains unchanged.
>
>=====[END-ACROS-REPORT]=====
>
>II. Impact
>
>    Attackers can trick users into disclosing information (potentially
>    including credit card numbers, personal data, or other sensitive
>    information) intended for a legitimate web site, even if that web site
>    uses SSL to authenticate and secure transactions.
>   
>III. Solution
>
>Install an update from your vendor.
>
>    Appendix A lists information from vendors about updates.
>   
>If you are a DNS administrator, maintain the integrity of your DNS server
>
>    One way to exploit this vulnerability, described above, relies on the
>    ability of the attacker to compromise DNS information. If you are a
>    DNS administrator, making sure your DNS server is up-to-date and free
>    of known vulnerabilities reduces the ability of an intruder to execute
>    this type of attack. Administrators of BIND DNS servers are encouraged
>    to read
>   
>    http://www.cert.org/advisories/CA-2000-03.html
>          
>Validate certificates at each use
>
>    Despite the existence of this flaw, it is still possible to guard
>    against attempted attacks by validating certificates manually each
>    time you connect to an SSL-secured web site. Doing so will
>    substantially reduce the ability of an attacker to use flaws in the
>    DNS system to bypass SSL-authentication.
>   
>Appendix A. Vendor Information
>
>iPlanet
>
>    Information about this problem is available at
>    http://home.netscape.com/security/notes/index.html
>   
>Microsoft
>
>    None of our products are affected by this vulnerability.
>   
>    _________________________________________________________________
>   
>    The CERT Coordination Center thanks the ACROS Security Team of
>    Slovenia (Contact: [email protected]), for the bulk of the text
>    in this advisory.
>
>    _________________________________________________________________
>   
>    Shawn Hernan was the primary author of the CERT/CC portions of this
>    document.
>    ______________________________________________________________________
>   
>    This document is available from:
>    http://www.cert.org/advisories/CA-2000-05.html
>    ______________________________________________________________________
>   
>CERT/CC Contact Information
>
>    Email: [email protected]
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
>          
>    CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
>    Monday through Friday; they are on call for emergencies during other
>    hours, on U.S. holidays, and on weekends.
>   
>Using encryption
>
>    We strongly urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>   
>    http://www.cert.org/CERT_PGP.key
>       
>    If you prefer to use DES, please call the CERT hotline for more
>    information.
>   
>Getting security information
>
>    CERT publications and other security information are available from
>    our web site
>   
>    http://www.cert.org/
>       
>    To be added to our mailing list for advisories and bulletins, send
>    email to [email protected] and include SUBSCRIBE
>    your-email-address in the subject of your message.
>   
>    * "CERT" and "CERT Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
>   
>    NO WARRANTY
>    Any material furnished by Carnegie Mellon University and the Software
>    Engineering Institute is furnished on an "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied as to any matter including, but not limited to, warranty of
>    fitness for a particular purpose or merchantability, exclusivity or
>    results obtained from use of the material. Carnegie Mellon University
>    does not make any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>      _________________________________________________________________
>   
>    Conditions for use, disclaimers, and sponsorship information
>   
>    Copyright 2000 Carnegie Mellon University; portions Copyright 2000
>    ACROS, d.o.o., Slovenia.
>   
>    Revision History
>    May 12, 2000:  Initial release
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP for Personal Privacy 5.0
>Charset: noconv
>
>iQCVAwUBORxQsVFO4fmE3w/VAQHszAQAiCWcN/ZKkTBOl+hf5QrLDuHiypBqQ7N5
>TFy/ulrdc6xn25LCWDe1sQ6byXvvdi/Aduv33Zc2pnnciZvDQlF15aq22PcRhA0+
>kcDGwBqu+q19PNrfwFxQtFKwAliwvxxvUc+1vTKgY319LUJJ/lzdESK5DLeFBgmr
>PE77eUoSiAE=
>=Fl82
>-----END PGP SIGNATURE-----

-- 
Prof. Dr. Wolfgang Coy
Humboldt-Universitaet zu Berlin, Institut fuer Informatik
Unter den Linden 6, D-10099 Berlin

Tel (+49) 30 2093-3166 oder/or -3167,
Fax (+49) 30 2093-3168

http://waste.informatik.hu-berlin.de
ftp://trystero.informatik.hu-berlin.de/upload

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   home           http://waste.informatik.hu-berlin.de/Grassmuck/
   mikro          http://www.mikro.org
   Wizards of OS  http://www.mikro.org/wos
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

----------------------------------------------------------
# rohrpost -- deutschsprachige Mailingliste fuer Medien- und Netzkultur
# Info: [email protected]; msg: info rohrpost
# kommerzielle Verwertung nur mit Erlaubnis der AutorInnen
# Entsubskribieren: [email protected], msg: unsubscribe rohrpost
# Kontakt: [email protected] -- http://www.mikro.org/rohrpost