March 4, 2015


The FREAKing Heartbleed Continues… Another OpenSSL Issue Discovered

On March 3, 2015, researchers in France went public with another OpenSSL vulnerability. In 2014, significant vulnerabilities were discovered in OpenSSL and publicized under the names “POODLE” and “HEARTBLEED.” The current vulnerability is identified as “FREAK,” or Factoring RSA Export Keys.

The current vulnerability (FREAK) seeks to exploit an old technology requirement. In the 1990s the U.S. State Department identified encryption as a weapon and therefore limited the export of certain types and algorithms to certain foreign countries. To comply with these requirements, manufacturers of web servers and operating systems designed their systems to allow the encryption strength and algorithms to be downgraded to an acceptable export model. That is now coming back to bite some older and unpatched installations.

What is FREAK?

“FREAK” is an exploit that takes advantage of weak and insecure encryption algorithms. Specifically, the exploit of the client-side vulnerability will force the server to use old “export grade” cryptography. Unlike “POODLE” and “HEARTBLEED”, where the vulnerability was primarily on the server side, the “FREAK” vulnerability is primarily on the client browser side. In addition, it requires a much more sophisticated and directed attack method. Specifically, the attacker will hijack a client-side browser communication, force the encryption into a lesser mode, steal the key and then use another system to crack the key. Once cracked, the key can be used to access the server and server communication streams that would otherwise be encrypted.

If you are using the Apple Safari browser on any device or the Chrome browser on a mobile device (only), and using these out in public, then an attacker could zero in on your device, intercept your communications and exploit a vulnerable server.

Am I Vulnerable?

The good news is that if your server was recently patched for the “POODLE” or “HEARTBLEED” vulnerabilities, or is otherwise hardened, all indications are that your website is not susceptible to this attack. Apple and Google are looking to provide patches for the client-side devices and applications within the coming week. More good news: OpenSSL is not native to Microsoft Windows servers (unless you use a browser on your server to browse webpages, which is not recommended practice). Browsers on a server are subject to the same vulnerabilities as browsers on any other computer. For more information, see Microsoft’s Security article on the subject: https://technet.microsoft.com/en-us/library/security/3046015

However, not all versions of software could be patched for the “POODLE” and “HEARTBLEED” vulnerabilities. In particular, RedHat v5 and lower are not patchable (due to end of life cycles). Therefore, if you are running these versions you should consider an upgrade to RHEL6 or RHEL7.

To determine if you are really vulnerable or not, there are a few ways to find out, as listed below. Before trying any of these though, ask yourself if your site even communicates in an encrypted manner. Some sites, like a blog site for example, simply do not or do not need to communicate with encryption and thus would not be vulnerable.

  1. Non-Geek Method
    1. Navigate to the SSL Labs site
    2. Enter your domain name (e.g. customername.com)
  2. The geek method:
    1. Log into your server
    2. Determine the version of your operating system / web server. On the command line, type:
      rpm -qa | grep openssl
    3. If this reports back an unsupported version, then you are vulnerable. The supported versions are available here: https://access.redhat.com/security/cve/CVE-2015-0204

I have determined I am vulnerable, what now!?!?!?

There are three options to fix this on the server side:

  1. If you can, upgrade to RHEL6 or RHEL7. This is not something you can do today, generally speaking. But you should plan for this in the future.
  2. If you can apply patches that should have been previously applied for “POODLE” and “HEARTBLEED,” do so. This will solve your problem.
  3. Harden the server by shutting down unneeded encryption algorithms. This Mozilla site can assist you with determining the proper settings.
    1. Open this site
    2. Select your web server (Apache is most common)
    3. Select Modern (profile)
    4. Apply the configuration that is presented

This guide here provides additional guidance regarding this method.
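
One way to verify the hardening step on the server itself, as an added example that is not part of the original post: the functions below read `openssl ciphers -v` output and flag export-grade suites, marking separately the RSA export key exchange that FREAK depends on. The function names are hypothetical and the sample listing is constructed in the format printed by OpenSSL builds that still ship export suites.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Reads `openssl ciphers -v` output on stdin and prints one line per
# export-grade suite: "<class> <suite-name>". RSA_EXPORT is the key exchange
# FREAK downgrades to; OTHER_EXPORT covers the remaining export suites.
flag_export_suites() {
    awk '
        # Export suites end with an "export" field; the reduced key size
        # appears in the Kx= field, e.g. Kx=RSA(512).
        $NF == "export" {
            class = "OTHER_EXPORT"
            for (i = 2; i <= NF; i++)
                if ($i ~ /^Kx=RSA\(/) class = "RSA_EXPORT"
            print class, $1
        }
    '
}

# Returns 0 when the listing on stdin has no export-grade suites,
# otherwise prints the findings and returns 1.
audit_cipher_listing() {
    findings=$(flag_export_suites)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample listing (not taken from a real server).
sample_listing() {
    cat <<'EOF'
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EOF
}

sample_listing | audit_cipher_listing || echo "export-grade suites are enabled"
```

On the server, pipe the real listing into it with `openssl ciphers -v 'YOUR_CIPHER_STRING' | audit_cipher_listing`, where `YOUR_CIPHER_STRING` is a placeholder for the cipher string configured in your web server.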

Conclusion:

This particular vulnerability requires a client and does require significant effort on the part of the attacker. It is not as dangerous as the “POODLE” and “HEARTBLEED” scenarios of a year ago. It should, however, be taken care of to ensure that your site is secure.
