20th Feb 2003 [SBWID-6003]
COMMAND
	OpenSSL timing attack to obtain plaintext of SSL/TLS communication
SYSTEMS AFFECTED
	 openssl-0.9.7-20030111
	 openssl-0.9.7-1.2.0  
	 openssl-0.9.6g-1.1.0
	
	Affected Releases:   Dependent Packages:
	OpenPKG CURRENT      apache cadaver cpu curl dsniff easysoap ethereal
	                     exim fetchmail imap imapd inn linc links lynx mico
	                     mixmaster mozilla mutt nail neon openldap openvpn
	                     perl-ssl postfix postgresql qpopper samba sendmail
	                     siege sio sitecopy socat stunnel subversion sysmon
	                     w3m wget
	OpenPKG 1.2          apache cpu curl ethereal fetchmail imap inn
	                     links lynx mico mutt nail neon openldap perl-ssl
	                     postfix postgresql qpopper samba sendmail siege
	                     sitecopy socat stunnel sysmon w3m wget
	OpenPKG 1.1          apache curl fetchmail inn links lynx mutt neon
	                     openldap perl-ssl postfix postgresql qpopper samba
	                     siege sitecopy socat stunnel sysmon w3m
	
PROBLEM
	From OpenPKG Security Advisory
	
	 http://www.openpkg.org/security.html
	
	In an upcoming CRYPTO 2003 paper, Brice Canvel (EPFL), Alain Hiltgen (UBS),
	Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and
	demonstrate a timing-based attack on SSL/TLS with CBC ciphersuites.
	According to an OpenSSL security advisory [0], the OpenSSL implementation
	is vulnerable to this attack. The Common Vulnerabilities and Exposures
	(CVE) project assigned the id CAN-2003-0078 [2] to the problem.
	
	The attack assumes that multiple SSL/TLS connections involve a common
	fixed plaintext block, such as a password. An active attacker can
	substitute specially crafted ciphertext blocks for blocks sent by
	legitimate SSL/TLS parties and measure the time until a response arrives.
	SSL/TLS includes data authentication to ensure that such modified
	ciphertext blocks will be rejected by the peer (and the connection
	aborted), but the attacker may be able to use timing observations to
	distinguish between two different error cases, namely block cipher
	padding errors and MAC verification errors.
	
	This is sufficient for an adaptive attack that can finally obtain the
	complete plaintext block. It is not easily exploited, however, because the
	attack requires the ability to act as a man-in-the-middle, repeated
	communications that share a common plaintext block, decoding failures
	that do not raise alarms on the client and server side, and a network
	between the attacker and the server stable enough to reasonably observe
	timing differences.
	
	OpenSSL versions since 0.9.6c supposedly treat block cipher padding
	errors like MAC verification errors during record decryption [1], but
	MAC verification was still skipped after detection of a padding error,
	which allowed the timing attack.
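	The padding-error versus MAC-error distinction described above, as an added example that is not OpenSSL's code: a toy C model of a TLS CBC record check in its vulnerable shape, which returns on a padding error before doing any MAC work, beside a hardened shape that always computes a MAC and reports one generic error. The MAC is a constructed stand-in (FNV-1a, not HMAC), and the counter mac_calls stands in for the time a remote observer would measure.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Added example, not OpenSSL code: toy model of TLS 1.0 CBC record checking.
 * A decrypted record is: data || MAC (MAC_LEN bytes) || padding || pad_len.
 * mac_calls counts MAC computations as a stand-in for measurable time. */
#define MAC_LEN 4
unsigned long mac_calls = 0;

/* Constructed stand-in for HMAC (FNV-1a); only its cost matters here. */
static void toy_mac(const uint8_t *d, size_t n, uint8_t out[MAC_LEN]) {
    uint32_t h = 2166136261u;
    mac_calls++;
    for (size_t i = 0; i < n; i++) { h ^= d[i]; h *= 16777619u; }
    for (int i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}
/* TLS padding: the last pad_len + 1 bytes must all equal pad_len. */
static int padding_ok(const uint8_t *rec, size_t len) {
    size_t pad = rec[len - 1];
    if (pad + 1 + MAC_LEN > len) return 0;
    int ok = 1;
    for (size_t i = 0; i <= pad; i++) ok &= (rec[len - 1 - i] == pad);
    return ok;
}
/* Vulnerable shape (the behaviour the advisory describes): a padding error
 * returns before any MAC work, so the two failures differ in timing. */
int check_record_vulnerable(const uint8_t *rec, size_t len) {
    if (len < 1 + MAC_LEN || !padding_ok(rec, len)) return -1;
    size_t plen = len - 1 - rec[len - 1] - MAC_LEN;
    uint8_t mac[MAC_LEN];
    toy_mac(rec, plen, mac);
    return memcmp(mac, rec + plen, MAC_LEN) == 0 ? 0 : -1;
}
/* Hardened shape: compute a MAC even when the padding is bad (assume pad_len 0
 * so a MAC input still exists), then report a single generic error. */
int check_record_fixed(const uint8_t *rec, size_t len) {
    if (len < 1 + MAC_LEN) return -1;
    int pad_good = padding_ok(rec, len);
    size_t plen = len - 1 - (pad_good ? rec[len - 1] : 0) - MAC_LEN;
    uint8_t mac[MAC_LEN];
    toy_mac(rec, plen, mac);  /* memcmp below is itself not constant-time */
    return (pad_good & (memcmp(mac, rec + plen, MAC_LEN) == 0)) ? 0 : -1;
}
/* Test helper: builds a valid record = data || MAC(data) || (pad_len+1) x pad_len. */
size_t build_record(const uint8_t *data, size_t n, uint8_t pad, uint8_t *out) {
    memcpy(out, data, n);
    toy_mac(data, n, out + n);
    memset(out + n + MAC_LEN, pad, (size_t)pad + 1);
    return n + MAC_LEN + pad + 1;
}
```

	Corrupting only the pad_len byte leaves mac_calls unchanged on the vulnerable path but increments it on the fixed path, which is exactly the gap the advisory says 0.9.6c-era OpenSSL still exposed.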
	Please check whether you are affected by running "<prefix>/bin/rpm -q
	openssl". If you have the "openssl" package installed and its version is
	affected (see above), we recommend that you immediately upgrade it (see
	Solution) and its dependent packages (see above), if any, too. [3][4]
	 Update (26 March 2003)
	 ======================
	Martin Vuagnoux [www.ilionsecurity.ch] adds:
	Here you can find the tool used to make a "proof of concept" for
	Vaudenay's TLS Timing Attack for < OpenSSL/9.7a. (CAN-2003-78) BID
	REF: 6884
	
	                            http://omen.vuagnoux.com
	
	This attack was tested on an IMAPrev4 server (WU) encapsulated by
	stunnel-3.22 using OpenSSL/9.7 and a Microsoft Outlook Express 6.x IMAP
	client.
SOLUTION
	Updates are available for all vulnerable packages. Check your specific
	distribution.
	References:
	
	  [0] http://www.openssl.org/news/secadv_20030219.txt
	  [1] http://www.openssl.org/~bodo/tls-cbc.txt
	  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
	  [3] http://www.openpkg.org/tutorial.html#regular-source
	  [4] http://www.openpkg.org/tutorial.html#regular-binary
	  [5] ftp://ftp.openpkg.org/release/1.1/UPD/openssl-0.9.6g-1.1.1.src.rpm
	  [6] ftp://ftp.openpkg.org/release/1.2/UPD/openssl-0.9.7-1.2.1.src.rpm
	  [7] ftp://ftp.openpkg.org/release/1.1/UPD/
	  [8] ftp://ftp.openpkg.org/release/1.2/UPD/
	  [9] http://www.openpkg.org/security.html#signature