Researchers from universities in Germany and Israel have disclosed the details of a new timing attack that could allow malicious actors to decrypt TLS
Researchers from universities in Germany and Israel have disclosed the details of a new timing attack that could allow malicious actors to decrypt TLS-protected communications.
Named “Raccoon,” the attack has been described as complex and the vulnerability is “very hard to exploit.” While most users should probably not be concerned about Raccoon, several major software vendors have released patches and mitigations to protect customers.
Raccoon can allow a man-in-the-middle (MitM) attacker to crack encrypted communications that could contain sensitive information. However, the attack is only successful if the targeted server reuses public Diffie-Hellman (DH) keys in the TLS handshake (i.e. the server uses static or ephemeral cipher suites such as TLS-DH or TLS-DHE), and if the attacker can conduct precise timing measurements.
“The attacker needs particular circumstances for the Raccoon attack to work,” the researchers wrote on a website dedicated to the Raccoon attack. “He needs to be close to the target server to perform high precision timing measurements. He needs the victim connection to use DH(E) and the server to reuse ephemeral keys. And finally, the attacker needs to observe the original connection.”
“For a real attacker, this is a lot to ask for. However, in comparison to what an attacker would need to do to break modern cryptographic primitives like AES, the attack does not look complex anymore. But still, a real-world attacker will probably use other attack vectors that are simpler and more reliable than this attack,” they explained.
The underlying vulnerability has existed for over 20 years, and it was fixed with the release of TLS 1.3.
Since this is a server-side vulnerability, there isn’t anything that clients can do to prevent attacks, except for ensuring that their web browsers don’t use the problematic cipher suites — the most popular web browsers no longer use them.
On the other hand, the researchers have pointed out that the timing measurements may not be necessary to launch an attack if there is a certain type of bug in the targeted software. One example is F5 Networks’ BIG-IP application delivery controller (ADC).
F5 Networks, which tracks the flaw as CVE-2020-5929, has released a patch. Mozilla has assigned the vulnerability CVE-2020-12413 and disabled the DH and DHE ciphers in Firefox 78, but this move was planned before the Raccoon attack was discovered.
Microsoft has released an update for Windows to address the vulnerability, and OpenSSL, which has assigned the issue a low severity rating, has published an advisory describing impact and mitigations.
However, even if the timing requirements are bypassed, a server still needs to reuse DH keys for the attack to work. An analysis conducted by the researchers showed that over 3.3% of the servers hosting the Alexa top 100,000 websites reuse keys.
Additional details on the Raccoon attack are available on raccoon-attack.com. The researchers also plan on releasing a tool that can be used to check if a server is vulnerable. In the meantime, they recommend Qualys’ SSL Server Test — a server could be affected if the result of “DH public server param (Ys) reuse” is “yes.”