Another SSL/TLS vulnerability has everyone FREAKing out again
On March 3, 2015 researchers disclosed a new secure sockets layer (SSL)/transport layer security (TLS) vulnerability (CVE-2015-0204), dubbed “FREAK”, which is an acronym for “Factoring attack on RSA-EXPORT Keys”. This vulnerability allows attackers to intercept hypertext transfer protocol secure (HTTPS) connections between a vulnerable client and server. Once the connection has been intercepted an attacker can force the connection to use ‘export-grade’ cryptography, which can then be easily decrypted or altered.
You might be asking, “How did this happen?” and it seems to point back to the 1990s, when the U.S. government implemented a policy to stop export of strong cryptography products to other countries. Due to this restriction, many vendors had to implement the use of smaller keys to be compliant to the export requirements of a maximum of 512-bit RSA keys limitation.
A server is vulnerable if it accepts ‘RSA_EXPORT’ cipher suites and the client either offers the ‘RSA_EXPORT’ suite or is using OpenSSL version 1.01k or earlier. Some of the popular vulnerable clients include Windows Internet Explorer, many Android (using the built in browser) and Apple (using the Safari browser) devices, some embedded systems, and a range of other software products. Current versions of Google Chrome and Firefox are not vulnerable.
The easiest way to remediate this vulnerability on a server is to upgrade to the latest TLS libraries. If running OpenSSL upgrade to version 1.02, Microsoft is working on a fix for Secure Channel (SChannel) and has published some workarounds in the security advisory 3046015. Many of browser vendors are already working on a fix, and some have already pushed updates. The table below show the vulnerable versions and if available a status on updates.
University of Michigan researchers have put up a website that will identify whether your browser is vulnerable and offers additional information about the attack.
The website also has a breakdown of identified vulnerable systems found on the Internet:
Along with a listing of the Alexa Top 10K websites that are vulnerable (Tuesday, March 3, 9:00 PM EST), and some of the identified vulnerable sites include: Groupon.com, Americanexpress.com, Marriott.com, JCPenney.com, JCrew.com. It has also been identified that multiple government websites are vulnerable to include whitehouse.gov and www.NSA.gov.
Sword & Shield experts advise companies to keep their system patches updated. We can help you manage these needs through either our Managed Security Services Program or our Virtual Security and Compliance Consultant.