Prevent SSL LUCKY13

LUCKY13 is a timing attack that can be used against implementations of the TLS protocol that use the cipher block chaining (CBC) mode of operation. The vulnerability affects the TLS 1.1 and 1.2 specifications as well as certain forms of earlier versions.

Security Assessment


CVSS Vector: AV:N/AC:H/AU:N/C:P/I:N/A:N

Vulnerability Information

LUCKY13 is a timing attack that can be used against implementations of the TLS protocol that use the cipher block chaining (CBC) mode of operation. The vulnerability affects the TLS 1.1 and 1.2 specifications as well as certain forms of earlier versions. The attack allows full plaintext recovery against OpenSSL, so an attacker exploiting this vulnerability is able to read the plaintext of a TLS-encrypted session. The attack is a more advanced padding oracle: it exploits the difference in processing time depending on whether the plaintext is padded with one or two bytes or contains incorrect padding.

[Figure: SSL LUCKY13] Timing attack results for long (red) and short (blue) fake padding (AlFardan & Paterson, 2013).

Under the best circumstances, an attacker needs 2¹³ TLS sessions to recover one plaintext byte. The attacker needs to be close to the target (i.e. on the same network as the web server) to reduce noise and perform the timing measurements. Because a successful attack depends on these external conditions, it does not pose a significant threat to normal TLS usage. However, the attack has revealed new flaws in the CBC cipher suites, and since newer and better ciphers exist, mitigation is easy to achieve.

Guides

Several countermeasures against the LUCKY13 attack exist. Most importantly (and easiest to implement), no CBC cipher suites should be used. Instead, use AEAD cipher suites such as AES-GCM; support for these ciphers was introduced in TLS 1.2. More information about the ciphers can be found in the article on Secure TLS Configuration. To prevent the LUCKY13 attack, use the following TLS configuration.

Apache

With Apache, the SSL/TLS configuration is stored in /etc/apache2/mods-enabled/ssl.conf. If you use Let's Encrypt, the configuration may instead reside in /etc/letsencrypt/options-ssl-apache.conf. To enable only ciphers with high encryption strength and recent protocol versions, set:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off

Then reload the Apache server configuration.

Note that this limits the cipher suites and protocol versions to recent SSL/TLS versions, which might exclude users with older browsers.

Nginx

For Nginx, update the configuration file, which is usually located at /etc/nginx/nginx.conf, /etc/nginx/sites-enabled/yoursite.com (Ubuntu / Debian) or /etc/nginx/conf.d/nginx.conf (RHEL / CentOS). Add the following directives to the server section:

ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

Then restart the Nginx server.

Note that this limits the cipher suites and protocol versions to recent SSL/TLS versions, which might exclude users with older browsers.
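The guidance above says to avoid CBC cipher suites, yet the Apache and Nginx cipher strings both still end with four CBC suites (the entries ending in -AES256-SHA384 and -AES128-SHA256 without GCM are TLS_..._WITH_AES_..._CBC_SHA384/SHA256 suites that use MAC-then-encrypt and therefore keep the LUCKY13 attack surface; the page presumably retains them for compatibility). The following script, an added example that is not part of the original page or of Crashtest Security's tooling, audits an Apache or Nginx configuration snippet offline: it extracts the protocol and cipher directives, classifies each OpenSSL cipher-suite name as AEAD, CBC, other or an unexpanded keyword, and reports legacy protocol versions. The classification is a name-based heuristic (an assumption), the expansion of Apache's "all" keyword to the protocol set listed is an assumption, and the embedded configuration samples are constructed from the snippets shown above.

```python
"""Audit TLS cipher and protocol directives (Apache / Nginx) for CBC suites."""
import re

# Assumption: what Apache's "all" keyword expands to on a current build.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Name fragments that identify AEAD suites in OpenSSL naming (heuristic).
AEAD_MARKERS = ("-GCM-", "-CCM", "CHACHA20-POLY1305")
# A trailing MAC name with no AEAD marker means MAC-then-encrypt CBC (heuristic).
MAC_SUFFIX = re.compile(r"-(?:SHA|SHA256|SHA384|MD5)$")

# Constructed samples, copied from the snippets on this page.
PAGE_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)
APACHE_CONF = f"SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1\nSSLCipherSuite {PAGE_CIPHERS}\nSSLHonorCipherOrder on\n"
NGINX_CONF = f"    ssl_protocols TLSv1.2;\n    ssl_ciphers '{PAGE_CIPHERS}';\n    ssl_prefer_server_ciphers on;\n"


def parse_protocols(conf):
    """Return the set of enabled protocol versions from SSLProtocol / ssl_protocols."""
    m = re.search(r"^\s*(?:SSLProtocol|ssl_protocols)\s+([^;\n]+)", conf, re.M | re.I)
    if not m:
        return set()
    enabled = set()
    for token in m.group(1).split():
        if token.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif token[0] in "-!":          # Apache's "-TLSv1" subtraction syntax
            enabled.discard(token[1:])
        elif token[0] == "+":
            enabled.add(token[1:])
        else:
            enabled.add(token)
    return enabled


def parse_cipher_string(conf):
    """Return the raw cipher string from SSLCipherSuite / ssl_ciphers, or ''."""
    m = re.search(r"^\s*(?:SSLCipherSuite|ssl_ciphers)\s+['\"]?([^'\";\n]+)", conf, re.M | re.I)
    return m.group(1).strip() if m else ""


def classify_suite(name):
    """Classify one cipher-string token as 'AEAD', 'CBC', 'OTHER' or 'KEYWORD'."""
    n = name.replace("_", "-")          # normalise TLS 1.3 style names
    if n[0] in "!+" or "@" in n or "-" not in n:
        return "KEYWORD"                # HIGH, !aNULL, @STRENGTH ... need openssl to expand
    if any(marker in n for marker in AEAD_MARKERS):
        return "AEAD"
    if "RC4" in n or "NULL" in n:
        return "OTHER"                  # stream cipher or no encryption, not CBC
    if MAC_SUFFIX.search(n):
        return "CBC"
    return "OTHER"


def audit_config(conf):
    """Summarise a config snippet: suites by class plus any legacy protocols."""
    buckets = {"AEAD": "aead", "CBC": "cbc", "OTHER": "other", "KEYWORD": "keywords"}
    report = {"aead": [], "cbc": [], "other": [], "keywords": [], "legacy_protocols": []}
    for token in parse_cipher_string(conf).split(":"):
        token = token.strip()
        if token:
            report[buckets[classify_suite(token)]].append(token)
    report["legacy_protocols"] = sorted(parse_protocols(conf) & LEGACY_PROTOCOLS)
    return report


if __name__ == "__main__":
    for label, conf in (("Apache", APACHE_CONF), ("Nginx", NGINX_CONF)):
        r = audit_config(conf)
        print(f"{label}: {len(r['aead'])} AEAD, {len(r['cbc'])} CBC, "
              f"legacy protocols: {r['legacy_protocols'] or 'none'}")
        for suite in r["cbc"]:
            print(f"  CBC suite still enabled: {suite}")
        for kw in r["keywords"]:
            print(f"  unexpanded keyword (check with 'openssl ciphers -v'): {kw}")
```

Run against the page's own snippets, the script reports six AEAD suites and four CBC suites for both servers and no legacy protocols; dropping the four flagged entries from SSLCipherSuite / ssl_ciphers gives a list that matches the "no CBC cipher suites" advice, at the cost of clients that only speak CBC suites. Keyword tokens such as HIGH are deliberately not classified, because their expansion depends on the installed OpenSSL build.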

For more information about Crashtest Security visit crashtest-security.com