Issue

Transport Layer Security (TLS) is a protocol that is used for establishing a secure connection between a client and a server.  A TLS renegotiation man-in-the-middle (MITM) attack has been disclosed by Marsh Ray of PhoneFactor that allows an attacker to inject attacker-chosen plain text as a prefix to a victim's session:

http://extendedsubset.com/?p=8

Resolution

Red Hat is aware of the issue and is tracking it via:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555

The reported issue is a TLS / SSL protocol flaw, and not a bug of any specific implementation. The issue therefore affects all protocol implementations; for Red Hat Enterprise Linux this includes openssl, nss, and gnutls packages.

This issue has been rated as having moderate security impact as successful exploitation of this flaw requires a man-in-the-middle attack.

This issue is planned to be addressed via a new protocol extension to TLS. The RFC draft for such extension is still under review by IETF TLS working group and the works on its implementation are in progress. Red Hat is currently considering other temporary workarounds that could be used before the final resolutions are available.

To date, practical attacks using this flaw were only descirbed for HTTPS. Both mod_ssl and mod_nss modules for httpd web server allow clients to preform session renegotiation at any time, therefore the attack may be used against any HTTPS server using those modules. The impact depends on web application deployed on the server and its Cross Site Request Forgery (CSRF) attack protections. There are currently no known methods to detect the attack on the client side without fully enforcing new TLS extension, any web browser can be targetted by this attack.

We are currently not aware of attacks against other application protocols, but they may be discovered during the future research.

Mitigation updates

Updated httpd packages were released that change mod_ssl to reject all client-initiated renegotiations, which mitigates this flaw for the majority of configurations using mod_ssl to provide HTTPS service. However, an attack is still possible in configurations where server-initiated renegotiations are required.

Configurations still affected by the issue are typically where:

• Client certificates authentication is used for some part of the site, but is not required by default. This happens when "SSLVerifyClient require" is configured in a <Location> or <Directory> context section, but not in the corresponding <VirtualHost> for the SSL server.
• Different cipher suites are required for different parts of the web site. Cipher suite requirements can be configured per-server or per-directory context using the SSLCipherSuite directive.

Server-initiated renegotiations can be avoided by:

• Changing the site layout such that a client certificate authentication is required for the whole site, rather than only a part; in other words, that "SSLVerifyClient" is used only when directly inside a <VirtualHost> section.
• Using the same cipher suite for the whole site. The highest cipher strength requirement of all directories and locations should be set in the <VirtualHost> section.

The httpd packages errata for Red Hat Enterprise Linux 3, 4, and 5, released on November 11th, 2009:

https://rhn.redhat.com/errata/RHSA-2009-1579.html

https://rhn.redhat.com/errata/RHSA-2009-1580.html

We will update this article and the bug as more information becomes available.