Boffins devised a new timing attack, dubbed Raccoon that could be exploited by threat actors to decrypt TLS-protected communications.
Security researchers from universities in Germany and Israel have disclosed the details of a new timing attack, dubbed Raccoon, that could allow malicious actors to decrypt TLS-protected communications. The timing vulnerability resides in the Transport Layer Security (TLS) protocol and hackers could exploit it to access sensitive data in transit.
The Raccoon Attack is a server-side attack that exploits a side-channel in the cryptographic protocol (versions 1.2 and lower) which allows the attackers to extract the shared secret key used to secure communications.
“Raccoon is a timing vulnerability in the TLS specification that affects HTTPS and other services that rely on SSL and TLS.” reads the post published by the researchers on a dedicated web site. “Raccoon allows attackers under certain conditions to break the encryption and read sensitive communications.”
Fortunately, the flaw is really hard to exploit and relies on very precise timing measurements and on a specific server configuration to be exploitable.
“We show that due to a subtle issue in the key derivation of all TLS-DH(E) cipher suites in versions up to TLS 1.2, the premaster secret of a TLS-DH(E) session may, under certain circumstances, be leaked to an adversary.” states the research paper.
“The root cause for this side channel is that the TLS standard encourages non-constant-time processing of the DH secret. If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem.”
The researchers explained that to defeat the encryption used to protect communications, the attackers have to record the handshake messages between a client and server, then use the acquired data to initiate new handshakes to the same server and measure the time it takes for the server to respond to the operations involved in deriving the shared key.
“For each handshake, the attacker measures the response time of the server. For some modulus sizes, DH secrets with leading zeroes will result in a faster server KDF computation, and hence a shorter server response time.” continues the paper.
Assuming the above scenario, the attacker could decipher the secret key of the original handshake and use it to decrypt the TLS traffic.
The researchers explained that multiple older versions of F5 BIG-IP products are vulnerable to a variant of the attack (CVE-2020-5929) without resorting to timing measurements by directly observing the contents of server responses. Is TLS 1.3 also affected? The response is negative because in TLS 1.3, the leading zero bytes are preserved for DHE cipher suites and keys reuse is not allowed.
“However, there exists a variant of TLS 1.3, which explicitly allows key reuse (or even encourages it), called ETS or eTLS. If ephemeral keys get reused in either variant, they could lead to micro-architectural side channels, which could be exploited, although leading zero bytes are preserved. We recommend not using these variants.” state the researchers.
The good news is that F5, Microsoft, Mozilla, and OpenSSL have already released security patches to address the vulnerability.
“Our attack exploits the fact that servers may reuse the secret DH exponent for many sessions, thus forgoing forward secrecy,” the researchers concluded.
“In this context, Raccoon teaches a lesson for protocol security: For protocols where some cryptographic secrets can be continuously queried by one of the parties, the attack surface is made broader. The Raccoon attack showed that we should be careful when giving attackers access to such queries.”
The experts plan to release a tool to check if a server is vulnerable to Raccoon attack. Waiting for the tool, they recommend to use the Qualys’ SSL Server Test, in case the result of “DH public server param (Ys) reuse” is “yes” the server could be affected.