Decrypting TLS connections with new Raccoon Attack

Boffins devised a new timing attack, dubbed Raccoon, that could be exploited by threat actors to decrypt TLS-protected communications.

Security researchers from universities in Germany and Israel have disclosed the details of a new timing attack, dubbed Raccoon, that could allow malicious actors to decrypt TLS-protected communications.

The timing vulnerability resides in the Transport Layer Security (TLS) protocol and hackers could exploit it to access sensitive data in transit.

The Raccoon Attack is a server-side attack that exploits a side channel in the cryptographic protocol (TLS 1.2 and lower) which allows the attackers to recover the shared secret key used to secure communications.

“Raccoon is a timing vulnerability in the TLS specification that affects HTTPS and other services that rely on SSL and TLS.” reads the post published by the researchers on a dedicated web site. “Raccoon allows attackers under certain conditions to break the encryption and read sensitive communications.”

Fortunately, the flaw is really hard to exploit and relies on very precise timing measurements and on a specific server configuration to be exploitable.

“We show that due to a subtle issue in the key derivation of all TLS-DH(E) cipher suites in versions up to TLS 1.2, the premaster secret of a TLS-DH(E) session may, under certain circumstances, be leaked to an adversary.” states the research paper.

“The root cause for this side channel is that the TLS standard encourages non-constant-time processing of the DH secret. If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem.”

The researchers explained that to defeat the encryption used to protect communications, the attackers have to record the handshake messages between a client and server, then use the acquired data to initiate new handshakes to the same server and measure the time it takes for the server to respond to the operations involved in deriving the shared key.

“For each handshake, the attacker measures the response time of the server. For some modulus sizes, DH secrets with leading zeroes will result in a faster server KDF computation, and hence a shorter server response time.” continues the paper.

Assuming the above scenario, the attacker could decipher the secret key of the original handshake and use it to decrypt the TLS traffic.

The researchers explained that multiple older versions of F5 BIG-IP products are vulnerable to a variant of the attack (CVE-2020-5929) that does not need timing measurements at all: the attacker can directly observe the contents of the server responses.

Is TLS 1.3 also affected? The answer is no, because in TLS 1.3 the leading zero bytes of the DH secret are preserved for DHE cipher suites and key reuse is not allowed.
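To make the KDF timing difference described above concrete, here is an added Python model (not code from the researchers or from this article) of the two encodings the page contrasts: TLS 1.2 strips leading zero bytes of the DH secret Z before the PRF uses it as an HMAC key, while TLS 1.3 left-pads Z to the length of the modulus. The SHA-256 block arithmetic is standard; the modulus `p` is a constructed size placeholder, not a real group.

```python
"""Model of why stripping leading zero bytes from the DH premaster secret leaks timing (TLS <= 1.2)."""

SHA256_BLOCK = 64  # HMAC-SHA256 block size in bytes


def premaster_tls12(z: int) -> bytes:
    """RFC 5246 8.1.2: leading all-zero bytes of Z are stripped before it becomes the premaster secret."""
    return z.to_bytes((z.bit_length() + 7) // 8, "big") if z else b""


def premaster_tls13(z: int, p: int) -> bytes:
    """RFC 8446 7.4.1: Z is left-padded with zeros to the byte length of the prime p."""
    return z.to_bytes((p.bit_length() + 7) // 8, "big")


def sha256_compressions(msg_len: int) -> int:
    """SHA-256 compression calls for msg_len bytes: 9 bytes of padding/length, 64-byte blocks."""
    return (msg_len + 9 + SHA256_BLOCK - 1) // SHA256_BLOCK


def tls12_prf_secret_cost(z: int) -> int:
    """TLS 1.2 PRF uses the premaster secret as the HMAC key; keys longer than a block are hashed first."""
    key_len = len(premaster_tls12(z))
    return sha256_compressions(key_len) if key_len > SHA256_BLOCK else 0


def tls13_hkdf_secret_cost(z: int, p: int) -> int:
    """TLS 1.3 HKDF-Extract feeds Z as the HMAC message after the ipad block; its length never varies."""
    return sha256_compressions(SHA256_BLOCK + len(premaster_tls13(z, p)))


def single_zero_byte_is_observable(modulus_bytes: int) -> bool:
    """True when stripping one leading zero byte changes the TLS 1.2 compression count for this modulus size."""
    return sha256_compressions(modulus_bytes) != sha256_compressions(modulus_bytes - 1)


if __name__ == "__main__":
    # Constructed placeholders: p only fixes the encoding length (it is not a real safe prime).
    p_bits = 960
    p = (1 << (p_bits - 1)) | 1
    full = (1 << (p_bits - 1)) | 0x1234   # Z with no leading zero byte (120 bytes)
    short = full >> 8                      # Z whose top byte is zero (119 bytes once stripped)
    print(tls12_prf_secret_cost(full), tls12_prf_secret_cost(short))       # 3 2  -> data-dependent
    print(tls13_hkdf_secret_cost(full, p), tls13_hkdf_secret_cost(short, p))  # 4 4  -> constant
    print([n for n in range(64, 513) if single_zero_byte_is_observable(n)])  # [120, 184, 248, 312, 376, 440, 504]
```

The last line lists the modulus byte lengths (for a SHA-256 PRF) where a single stripped byte already drops one compression call, which is the cheapest timing class for a server to leak and the easiest for a defender to sanity-check against a deployment's DH group size.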

“However, there exists a variant of TLS 1.3, which explicitly allows key reuse (or even encourages it), called ETS or eTLS. If ephemeral keys get reused in either variant, they could lead to micro-architectural side channels, which could be exploited, although leading zero bytes are preserved. We recommend not using these variants.” state the researchers.

The good news is that F5, Microsoft, Mozilla, and OpenSSL have already released security patches to address the vulnerability.

“Our attack exploits the fact that servers may reuse the secret DH exponent for many sessions, thus forgoing forward secrecy,” the researchers concluded.

“In this context, Raccoon teaches a lesson for protocol security: For protocols where some cryptographic secrets can be continuously queried by one of the parties, the attack surface is made broader. The Raccoon attack showed that we should be careful when giving attackers access to such queries.”

The experts plan to release a tool to check whether a server is vulnerable to the Raccoon attack. Until the tool is available, they recommend using the Qualys SSL Server Test: if the result for “DH public server param (Ys) reuse” is “yes”, the server could be affected.


Pierluigi Paganini

(SecurityAffairs – hacking, Raccoon)
