CVE-2023-25000
This article discusses the
technicalities of CVE-2023-25000, a timing
side-channel vulnerability I discovered in Hashicorp Vault. From the official
advisory:
HashiCorp Vault’s implementation of Shamir’s secret sharing used
precomputed table lookups, and was vulnerable to cache-timing attacks. An
attacker with access to, and the ability to observe a large number of
unseal operations on the host through a side channel may reduce the
search space of a brute force effort to recover the Shamir shares. This
vulnerability, CVE-2023-25000, is fixed in Vault 1.13.1, 1.12.5,
and 1.11.9.
Read more
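The advisory above contrasts precomputed table lookups with a safe implementation without showing either. The following is an added illustration, not Vault's code: a Shamir split/combine over GF(2^8) (the AES polynomial is assumed, as is generator 3 for the tables) where mulTable mirrors the secret-indexed log/exp lookup pattern the advisory describes and mulCT performs the same field multiplication with a fixed number of iterations and arithmetic masks, so that the memory addresses and branches taken do not depend on the share bytes. tablesAgree verifies that both forms compute the same function, which is what a reviewer checking such a fix would want to see.

```go
package main

import "fmt"

// Added illustration (not Vault's code): Shamir sharing over GF(2^8) with the AES
// polynomial x^8+x^4+x^3+x+1 (0x11b, an assumption). mulTable shows the pattern the
// advisory describes (secret-indexed lookups in precomputed tables); mulCT does the
// same arithmetic with data-independent operations only.

// xtime multiplies by x (= 2) and reduces modulo 0x11b without branching on the data.
func xtime(b byte) byte {
	r := uint16(b) << 1
	return byte(r ^ (-(r >> 8) & 0x11b)) // -(0|1) is 0x0000 or 0xffff
}

// mulCT is a constant-time GF(2^8) multiply: fixed 8 iterations, masks instead of ifs.
func mulCT(a, b byte) byte {
	var r byte
	for i := 0; i < 8; i++ {
		mask := -((b >> i) & 1) // 0x00 or 0xff, derived arithmetically
		r ^= a & mask
		a = xtime(a)
	}
	return r
}

var expT [255]byte
var logT [256]byte

func init() {
	x := byte(1)
	for i := 0; i < 255; i++ { // successive powers of the generator 3
		expT[i] = x
		logT[x] = byte(i)
		x = xtime(x) ^ x
	}
}

// mulTable is the table-driven form: the cache lines touched depend on a and b,
// so an observer sharing the cache can learn something about them.
func mulTable(a, b byte) byte {
	if a == 0 || b == 0 {
		return 0
	}
	return expT[(int(logT[a])+int(logT[b]))%255]
}

// tablesAgree checks exhaustively that both multiplications compute the same field operation.
func tablesAgree() bool {
	for a := 0; a < 256; a++ {
		for b := 0; b < 256; b++ {
			if mulTable(byte(a), byte(b)) != mulCT(byte(a), byte(b)) {
				return false
			}
		}
	}
	return true
}

// inv returns a^254 = a^-1 for a != 0. The loop shape depends only on the constant
// exponent, so it stays data-independent.
func inv(a byte) byte {
	r, base := byte(1), a
	for e := 254; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = mulCT(r, base)
		}
		base = mulCT(base, base)
	}
	return r
}

type share struct{ x, y byte }

// split evaluates f(x) = secret + c1*x + c2*x^2 + ... at x = 1..n.
// The threshold is len(coeffs)+1; coeffs would be random in a real implementation.
func split(secret byte, coeffs []byte, n int) []share {
	out := make([]share, n)
	for i := 0; i < n; i++ {
		x := byte(i + 1)
		y, xp := secret, x
		for _, c := range coeffs {
			y ^= mulCT(c, xp)
			xp = mulCT(xp, x)
		}
		out[i] = share{x, y}
	}
	return out
}

// combine recovers f(0) by Lagrange interpolation using only mulCT.
func combine(shares []share) byte {
	var secret byte
	for i, si := range shares {
		basis := byte(1)
		for j, sj := range shares {
			if i != j {
				basis = mulCT(basis, mulCT(sj.x, inv(sj.x^si.x)))
			}
		}
		secret ^= mulCT(si.y, basis)
	}
	return secret
}

func main() {
	shares := split(0x42, []byte{0x7f}, 3) // constructed: threshold 2 of 3
	fmt.Println("tables agree:", tablesAgree())
	fmt.Printf("recovered from shares 2 and 3: %#x\n", combine(shares[1:]))
}
```

The design point is that constant-time code is about data-independent memory access and control flow, not about speed: mulCT is slower than a table lookup, but nothing it touches is indexed by a share byte.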
One of the most important breakthroughs of recent years
in the field of network security was the revival of
Kaminsky's original cache poisoning attack by Keyu Man et al.: thanks to a
side channel affecting the ICMP rate limit in the Linux kernel network
stack, the technique showed how it was possible to unveil the source port
of the UDP request initiated by a DNS resolver towards the name server.
The original attack by Dan Kaminsky exploited the small space of random
transaction IDs, $2^{16}$, to bypass the bailiwick rule, which prevented
rogue glue records from being cached. The fix at the time added a further
factor of $2^{16}$ of randomness by requiring that the source ports of all UDP
requests initiated by the resolver be randomized. The SADDNS attack
demonstrated that the randomized port could be discovered by leveraging
the side channel to infer which of the resolver's ephemeral UDP
ports are actually open during a port scan, thereby once again reducing
the effort needed to mount the cache poisoning. Indeed, since
UDP is connectionless, once the resolver has initiated a
request, anybody who knows the source port number can send datagrams to
the underlying socket by using that port as the destination. "Private" UDP sockets
are also susceptible to this behavior, with the additional requirement
that the illegitimate datagrams spoof the legitimate IP address the
resolver formerly contacted. The side channel, together with a few more
discovered by the same group, was promptly fixed by the kernel team by
randomizing the way the rate limit counter is incremented. Regardless of
the means by which it was exploited, the technique once again brought to attention
the importance of randomized source ports for client-side UDP requests,
since they provide one half of the randomness required
to thwart the original cache poisoning attack, the other half being the
transaction IDs.
With these last observations in mind, I decided to go code
spelunking through the CoreDNS source code...
Read more
IAIK-JCE is a provider for the Java Cryptography Extension that,
according to the vendor, "supplements the security functionality
of the default JDK". It is a commercial product developed by Stiftung Secure Information
and Communication Technologies, a spin-off of the Institute for
Applied Information Processing and Communication (IAIK) of the
University of Graz. The company is kind enough to offer a full,
free evaluation version for any non-commercial use.
By observing the behavior of the latest version (5.60 as of today), one can get
a glimpse of how the major cryptographic algorithms are implemented. This
process led me to the discovery of a subtle vulnerability in the
implementation of the DSA algorithm: the way some of the computations
involved in signature generation are carried out introduces a side
channel that leaks timing information, from which an
attacker could potentially recover the private key.
Read more
Consider the following:
Problem 1:
Given a set of randomly selected
RSA numbers, estimate the portion
of numbers whose composing primes both belong to the residue class
.
Attempting to solve this apparently innocent problem will allow us
to range over a few interesting ideas from different disciplines.
It is important to first identify the constraints of the problem,
since it clearly inquires about mathematical objects whose scope
intersects with the domain of security: we shall define an RSA
number to be any odd semiprime for which we directly observe
neither its composing primes nor any property about them.
This definition easily applies to the public key moduli of RSA
certificates, for instance.
Under this setting, the problem basically asks whether it is
possible to infer some kind of information about objects that
are kept secret; in other words, although it is generally not possible
to reconstruct the underlying factors, could we at least classify
them into well-defined categories by interacting with the observables
only? That is, given a set of ,
could one state anything at all about both and
by observing only the s?
Read more
Or, programming in the way of Diogenes
Let's imagine one is assigned the problem of finding duplicate
RSA moduli in all publicly available SSL certificates on the Internet,
the purpose being a census of public hosts sharing the
same modulus.
Most of the time, if not always, having the same modulus amounts
to saying that the certificates share the same public key, the
latter being the pair composed of the public exponent and the
modulus. Indeed, the public exponent is usually chosen among the
values 3, 17 and $2^{16}+1$, as this leads to fast exponentiation;
therefore, under these conditions, it is the modulus that is
responsible for the uniqueness of the public key.
In this setting, the certificates fall into three distinct sets
that, from a security standpoint, delineate a simple yet interesting
threat model.
The first one is the set of all the certificates for which no
duplicates occur; the second is the set of all the certificates
with shared moduli/public keys belonging to the same organization.
The third and most interesting one is the set of all those duplicates
that appear to belong to different, unrelated actors.
The assumptions behind the latter two sets, which
hence form the basis of the model, are that an entry in the
third set represents a concrete threat to
those parties whose modulus is non-unique, while an entry
in the second set, although not representative of best practices,
can more easily be justified as the result of key or certificate
reuse, a common custom on the Internet.
Read more
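The three sets described above are easy to compute once certificates are grouped by modulus. The following is an added example, not the post's own code: a census that groups a constructed set of certificate records by RSA modulus and sorts them into the unique, same-organization and cross-organization sets. The moduli are toy-sized semiprimes and the hosts and organizations are made up; in practice the records would come from parsed certificates, and the key used here is the modulus alone, as the text argues, with the exponent kept only for reporting.

```go
package main

import (
	"fmt"
	"math/big"
	"sort"
)

// Added example, not the post's code: a census of certificates grouped by RSA modulus.

type cert struct {
	host, org string
	e         int      // public exponent, kept for reporting only
	n         *big.Int // modulus, the field that decides uniqueness
}

type census struct {
	unique   []string            // hosts whose modulus occurs exactly once
	sameOrg  map[string][]string // modulus (hex) -> hosts, all within one organization
	crossOrg map[string][]string // modulus (hex) -> hosts spanning unrelated organizations
}

// classify groups certificates by modulus and assigns each group to one of the three sets.
func classify(certs []cert) census {
	byMod := map[string][]cert{}
	for _, c := range certs {
		k := c.n.Text(16)
		byMod[k] = append(byMod[k], c)
	}
	out := census{sameOrg: map[string][]string{}, crossOrg: map[string][]string{}}
	for k, group := range byMod {
		hosts := make([]string, 0, len(group))
		orgs := map[string]bool{}
		for _, c := range group {
			hosts = append(hosts, c.host)
			orgs[c.org] = true
		}
		sort.Strings(hosts)
		switch {
		case len(group) == 1:
			out.unique = append(out.unique, hosts[0])
		case len(orgs) == 1: // duplicates, but all under the same actor
			out.sameOrg[k] = hosts
		default: // duplicates across unrelated actors: the set worth investigating
			out.crossOrg[k] = hosts
		}
	}
	sort.Strings(out.unique)
	return out
}

// sampleCerts returns constructed records with toy-sized moduli (61*53, 53*59, 59*61).
func sampleCerts() []cert {
	n1, n2, n3 := big.NewInt(3233), big.NewInt(3127), big.NewInt(3599)
	return []cert{
		{"a.example", "Org A", 65537, n1},
		{"b.example", "Org A", 65537, n1}, // same modulus, same organization
		{"c.example", "Org B", 65537, n2},
		{"d.example", "Org C", 3, n2}, // same modulus, unrelated organization, different e
		{"e.example", "Org D", 17, n3},
	}
}

func main() {
	c := classify(sampleCerts())
	fmt.Println("unique:", c.unique)
	for k, hosts := range c.sameOrg {
		fmt.Printf("same-org duplicate modulus %s: %v\n", k, hosts)
	}
	for k, hosts := range c.crossOrg {
		fmt.Printf("cross-org duplicate modulus %s: %v\n", k, hosts)
	}
}
```

Note that d.example lands in the cross-organization set even though its exponent differs from c.example's: whoever holds the private key for one modulus can sign for the other regardless of the exponent, which is why the census keys on the modulus alone.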
An account of CVE-2018-5548
Sometimes a technical discipline manages to reach the point of providing
the wrong answers to the right problems, as in the case of what is
commonly misnamed Software Engineering. It may also happen that
a whole industry is built on the belief that no answers to the wrong
problems is a profitable strategy to respond to the demanding needs of
an ever-growing customer base. Historically, such a case is exemplified
by the infosec industry. It's a sterile exercise to acknowledge that the industry has
reached the point where flame wars about irresponsible disclosure,
embargoes and branded vulnerabilities are the major pillars of its dialectic.
Thirty years after the Morris Worm, we are still dealing with
WannaCry, after all.
My little personal contribution to the gallery of infosec failures is
the discovery of a vulnerability in F5 BIG-IP.
The vulnerability has been assigned CVE-2018-5548.
Read more
I once found myself in the oppressive situation in which
the only interaction with the underlying machine was
through a rather restrictive application delivered as
an X11-forwarded GUI communicating with a
SAP database named
Sybase ASE. The interaction was only in the form of
insertion of text into input fields. The majority of these input fields
only allowed thirty-two-character strings, but there
were exceptions depending on the context. Also, a sanitization
mechanism was in place, transforming all characters to uppercase,
truncating input at the occurrence of a space, stripping single quotes
and escaping other metacharacters. The only feedback from the database
was in the form of error messages.
Within such restricted environments the artist finds the liminal space for self-expression.
Read more
Or, "A Secret You Own is a Secret You Pwn".
Safenet MobilePass is a software OTP token from Gemalto that,
in its most used configuration, serves as a two-factor authentication
solution for webmail portals. Unfortunately, as is often the case
with this kind of solution, rather than being of any use at all, it
shows up as an obstacle to usability and personal freedom. Not only
does the token introduce the need to remember yet another PIN code
for which up to three failed insertion attempts are tolerated, after
which the prospect of an account lock becomes painfully concrete, but it
also requires a smartphone or a Windows installation in order to run.
As there is no place in my life for such diversions, I once found
myself in the absurd situation of not being able to access my email.
When the right to communicate, access one's own data, and carry out
working tasks rests on the assumption that expensive gadgets or
unusable proprietary software are the norm, an abuse
against a minority is being perpetrated. This assumption would equate to
the situation of being denied the right to speak in a foreign country
just because we have no interest in learning the local language. As an
instrument of oppression, I then declared Safenet MobilePass as my enemy
to the sabotage and subversion of which I dedicated all the efforts of
one of my weekends. When the machine oppresses, break the machine.
Read more
A form of self improvement can be found in attempting to implement
algorithms, no matter how simple, in less conventional programming
languages. This kind of activity can sometimes lead to the same
enlightenment experienced in solving the best linguistic riddles: our
personal boundaries are broadened by a transversal understanding, as
opposed to cognitive experiences circumscribed to a defining set of rules
(logical or mathematical puzzles, for instance). I currently regard APL as
one of the best programming languages with which to explore new approaches
to problem solving; its highly compositional power combined with the
orthogonality of its rich set of operators enable the programmer to focus
her efforts on the problem itself rather than struggling with the
limitations or the burdens imposed by the language peculiarities.
Read more
In order to run the GNU APL
interpreter on OpenBSD, which to the best of my knowledge is
one of the very few free
APL interpreters
available, I created a port that I currently maintain and that will be part
of the next OpenBSD release (at the time of this writing, planned to be
6.2). I also packaged
Adrian Smith's original
fonts, which are now a dependency of the GNU APL package.
For the time being I host both ports on my home page as well.
Read more