Security

CVE-2016-2107 OpenSSL Flaw still affects many Alexa Top Sites

According to the security firm High-Tech Bridge many of the Alexa Top 10,000 websites are still vulnerable to the OpenSSL flaw CVE-2016-2107.

The CVE-2016-2107 flaw affecting the open-source cryptographic library could be exploited to launch a man-in-the-middle attack leveraging on the ‘Padding Oracle Attack’ that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI.

According to the experts, the flaw affects the OpenSSL cryptographic library since 2013, when maintainers of the project fixed another Padding Oracle flaw called Lucky 13.

“A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI.” states the advisory issued by the OpenSSL. “This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same  bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.”

The flaw was patched in early May with the release of the versions 1.0.2h and 1.0.1t, but according to an analysis conducted by the security firm High-Tech Bridge many of the Alexa Top 10,000 websites are still vulnerable.

“The bad news is that support of the AES CBC cipher is widely recommended for compatibility reasons, required by TLS 1.2 RFC and recommended by NIST guidelines. AES CBC cipher is also considered the strongest cipher for TLS 1.0 and TLS 1.1,” states a blog post published by the High-Tech Bridge.

The experts made a quick and non-intrusive research on the Alexa Top 10’000 most visited websites, e-commerces and social platforms searching for presence and exploitability of the OpenSSL CVE-2016-2107 vulnerability.

The researchers used a free SSL/TLS server test specifically designed to automate the research and perform the checks for the existence of CVE-2016-2107.

“We used our free SSL/TLS server test to automate the following checks for each company from the Alexa list:”

Website HTTPS test (port 443)

– Email server SSL, TLS and STARTTLS test (hostname/port):

mail.company.com 25, 110, 143, 465, 587, 993, 995
imap.company.com 143, 993
pop.company.com 110, 995
pop3.company.com 110, 995
smtp.company.com 25, 465, 587

The results are disconcerting, many websites on the web are exposed to MiTM attacks, web or email servers associated with 1,829 (19.29 percent) of the top websites had been both vulnerable and exploitable.

“To our surprise, quite a lot of the most popular resources of the Internet were discovered vulnerable. Here are the results:”

  • Not vulnerable: 6258 (62.58%)
  • Not exploitable: 1913 (19.13%)
  • Vulnerable and exploitable: 1829 (18.29%)

“Taking into consideration that the vulnerability can be exploited in practice and allows stealing user data, credentials, financial and personal information, such results are pretty disappointing,” continues the analysis.

If you want to test your server against the CVE-2016-2107 flaw you can use the SSL/TLS server test.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – OpenSSL, encryption)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

EvilVideo, a Telegram Android zero-day allowed sending malicious APKs disguised as videos

EvilVideo is a zero-day in the Telegram App for Android that allowed attackers to send…

5 hours ago

SocGholish malware used to spread AsyncRAT malware

The JavaScript downloader SocGholish (aka FakeUpdates) is being used to deliver the AsyncRAT and the…

15 hours ago

UK police arrested a 17-year-old linked to the Scattered Spider gang

Law enforcement arrested a 17-year-old boy from Walsall, U.K., for suspected involvement in the Scattered…

20 hours ago

Security Affairs Malware Newsletter – Round 3

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

2 days ago

Security Affairs newsletter Round 481 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

2 days ago

U.S. CISA adds Adobe Commerce and Magento, SolarWinds Serv-U, and VMware vCenter Server bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe Commerce and Magento, SolarWinds Serv-U, and…

2 days ago

This website uses cookies.