search menu icon-carat-right cmu-wordmark

CERT Coordination Center

SSL/TLS implementations accept export-grade RSA keys (FREAK attack)

Vulnerability Note VU#243585

Original Release Date: 2015-03-06 | Last Revised: 2015-10-27

Overview

Some implementations of SSL/TLS accept export-grade (512-bit or smaller) RSA keys even when not specifically requesting export grade ciphers. An attacker able to act as a Man-in-The-Middle (MiTM) could factor weak temporary RSA keys, obtain session keys, and decrypt SSL/TLS trafflc. This issue has been dubbed the "FREAK" (Factoring Attack on RSA-EXPORT Keys) attack.

Description

CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

CWE-326: Inadequate Encryption Strength

Some implementations of SSL/TLS accept export-grade (512-bit or smaller) RSA keys even when not specifically requesting export grade ciphers. This can occur when a MiTM attacker asks for export grade ciphers on behalf of a client, and the client insecurely accepts the export grade key. The attacker can then factor the weak RSA key and use this key to decrypt other data necessary to generate the session key. The attacker can then decrypt data in the session.

The researchers provide a more detailed explanation on their website.

Impact

The weak 512-bit "export grade" RSA keys can be factored to allow an attacker to decrypt information encrypted with these keys.

Solution

Update SSL/TLS libraries and applications

Vendors are currently working on patches to address this issue. Affected users are advised to check with the software vendor and update as soon as possible. The Vendor Status information below provides more information for each vendor.

Do not offer export grade ciphers

Configure server and client applications not to use export grade ciphers (EC).

Vendor Information

243585
 
Affected   Unknown   Unaffected

Apple

Notified:  March 06, 2015 Updated:  March 06, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

SecureTransport is affected.

Safari web browser is affected.

Google

Notified:  March 06, 2015 Updated:  March 06, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

BoringSSL versions before Nov 10, 2014 are vulnerable.

Google Chrome web browser prior to version 41 on various platforms are vulnerable.
Android Web Browser is vulnerable.

Microsoft Corporation

Notified:  March 06, 2015 Updated:  March 10, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

SChannel is vulnerable. Internet Explorer is also vulnerable.

A patch has been released. Please see the Microsoft Security Bulletin below.

Vendor References

https://technet.microsoft.com/library/security/MS15-031 https://technet.microsoft.com/library/security/3046015.aspx

NEC Corporation

Updated:  October 26, 2015

Status

  Affected

Vendor Statement

We provide information on this issue at the following URL <http://jpn.nec.com/security-info/secinfo/nv15-016.html>(only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://jpn.nec.com/security-info/secinfo/nv15-016.html

OpenSSL

Notified:  March 06, 2015 Updated:  March 06, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

OpenSSL versions before 1.0.1k are vulnerable. The vulnerability in OpenSSL is tracked as CVE-2015-0204.

Opera

Updated:  March 06, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Opera web browsers before Opera 28 on OSX and Android are vulnerable.

Research in Motion (RIM)

Updated:  March 06, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Blackberry Browser web browser is vulnerable.

Botan

Notified:  March 06, 2015 Updated:  March 06, 2015

Statement Date:   March 06, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cryptlib

Notified:  March 06, 2015 Updated:  March 09, 2015

Statement Date:   March 08, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GnuTLS

Notified:  March 06, 2015 Updated:  March 06, 2015

Statement Date:   March 06, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IAIK Java Group

Notified:  March 06, 2015 Updated:  March 17, 2015

Statement Date:   March 17, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Legion of the Bouncy Castle

Notified:  March 06, 2015 Updated:  March 09, 2015

Statement Date:   March 09, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apache-SSL

Notified:  March 06, 2015 Updated:  March 05, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Attachmate

Notified:  March 06, 2015 Updated:  March 05, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Certicom

Notified:  March 06, 2015 Updated:  March 05, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Crypto++ Library

Notified:  March 06, 2015 Updated:  March 05, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EMC Corporation

Notified:  March 06, 2015 Updated:  March 05, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nettle

Notified:  March 06, 2015 Updated:  March 05, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Oracle Corporation

Notified:  March 06, 2015 Updated:  March 05, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

PeerSec Networks

Notified:  March 06, 2015 Updated:  March 05, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SafeNet

Notified:  March 06, 2015 Updated:  March 05, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Spyrus

Notified:  March 06, 2015 Updated:  March 05, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

libgcrypt

Notified:  March 06, 2015 Updated:  March 05, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

mod_ssl

Notified:  March 06, 2015 Updated:  March 05, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

wolfSSL

Notified:  March 06, 2015 Updated:  March 05, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

View all 25 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 7.8 AV:N/AC:L/Au:N/C:C/I:N/A:N
Temporal 6.4 E:F/RL:OF/RC:C
Environmental 6.4 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

This vulnerability was reported by researchers from INRIA, Microsoft Research, and IMDEA.

This document was written by Garret Wassermann.

Other Information

CVE IDs: None
Date Public: 2015-03-06
Date First Published: 2015-03-06
Date Last Updated: 2015-10-27 02:15 UTC
Document Revision: 24

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.