OpenSSL Alternative Chains Certificate Forgery Security Bypass Vulnerability

By Venkatesh Chinta

1) SSL

2) OpenSSL

3) Digital Certificates

4) Certificate Authentication

5) Certificate Chains

6) Vulnerability in OpenSSL

7) Countermeasures

Index

SSL

What is SSL?

It is used to keep sensitive information sent across the Internet is encrypted, so that only the intended recipient can understand it.

Example:

Cipher-Suites

Key Exchange Algorithm Ex: RSA, Diffie-Hellman, ECDH and etc.

It is used to determine if and how the client and server will authenticate during the handshake.

Encryption Algorithm Ex: AES, 3DES and etc.

It is used to encrypt the data between two client and server.

Message Authentication Ex: MD5,SHA and etc.

It is used to provide integrity to data between client and server.

OpenSSL

A toolkit implementing SSL v2/v3 and TLS protocols with full-strength cryptography world-wide.

Digital Certificates

Public-Key Cryptography

Scenario

Digital certificates are electronic credentials that are used to assert the online identities of individuals, computers, and other entities on a network.

Digital certificates function similarly to identification cards such as passports and drivers licenses.

Public-Key Certificate Validation Process

Windows maintains a database of CA’s1)Microsoft2)VeriSign3)Global-Signand lot of CA certificates

Microsoft Publisher

Operating System

Certificates in our Windows OS

Trust Validation

ABCRoot Certificate (Server)

ABCRoot Certificate

(Client)

Trust Established

ABCRoot Certificate (Server)

NoABC Root Certificate in Client OS

Un-trusted

Certificates in SSL

Certificate Chains

CA1

CA3

CA2

Alice

Bob

Public key of CA2

CA1

Public key of CA3

CA2

Public key of Bob

CA3

When Alice wants to check the authenticity of Bob’s public key she must verify each link in the chain:

Scenario

Vulnerability in OpenSSL

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails.

An error in the implementation of this logic can mean that an attacker could causecertain checks on un-trusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

The issue, which was reported to OpenSSL on June 24 , 2015 by Adam Langley and David Benjamin of Google/Boring-SSL, is known to affect versions 1.0.2c, 1.0.2b, 1.0.1n, and 1.0.1o. It can be used to compromise any application that verifies certificates including SSL and TLS.(CVE ID: 2015-1793)

Exploit Available at: https://www.rapid7.com/db/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy

Attack Scenario

Attacker

1) Example.comCertified by Global Sign(Private Key, Public Key)

AttackerVictim

www.bank.comCertified by Global Sign(Private key, Public Key)

2) Man in the Middle Attack Launched

3) Victim tries a SSL to bank.com

4) Attacker Signs Bank Certificate using his private key

and address is example.com/cert.crt

5)Victim Checks the Certificate ,Chain validation is failed

and constructs alternative Chains

6) Alternate Chains construct new certificates based on url (retrieves attacker certificate) sent by attacker. External, Trusted Certificates also retrieved. Certificate Chain Created.

7) Session Compromised

Countermeasures

1) Update OpenSSL to latest versions

2) Verify certificates by CA flag when creating new certificates.

Thank You