
FREAK Vulnerability Forces Weaker Encryption

  • Posted on: March 4, 2015 at 1:54 pm
  • Posted in: Vulnerabilities
  • Author: Trend Micro

Security researchers and news outlets are reporting on a newly discovered vulnerability believed to have existed since the 1990s. The vulnerability, dubbed FREAK (Factoring RSA Export Keys), forces a secure connection to use weaker encryption, making it easy for cybercriminals to decrypt sensitive information.

Vulnerable since the 1990s

The flaw dates back to the 1990s. Back then, the US government mandated that software intended for export use “export cipher suites that involved encryption keys no longer than 512 bits.” According to researchers, that kind of encryption might have sufficed in the 90s, but with so much computing power readily available from the cloud, 512-bit RSA keys can now be factored in about 7 hours and for only US$100.

While this restriction was lifted in the late 90s, some implementations of the TLS and SSL protocols still support these export-grade encryption modes.

FREAK, Out in the Open

FREAK was discovered by Karthikeyan Bhargavan at INRIA in Paris and the miTLS team. They found that OpenSSL (versions prior to 1.0.1k) and Apple TLS/SSL clients are vulnerable to man-in-the-middle (MITM) attacks. Once attackers are able to intercept the HTTPS communication between vulnerable clients and servers, they force the connection to use the old export-grade encryption.

Attackers who “listen” in on the communication will then be able to decrypt the information with relative ease.

Apple’s SecureTransport is used by applications running on iOS and OS X. These include Safari for iPhones, iPads, and Macs. Meanwhile, OpenSSL is used by Android browsers and other application packages. From our understanding, the attack is possible only if the OpenSSL version is vulnerable to CVE-2015-0204.

Popular Sites Affected

According to reports, 37% of browser-trusted sites are affected by this flaw. Affected sites include Bloomberg, Business Insider, ZDNet, HypeBeast, Nielsen, and the FBI. It bears stressing that there are country-specific sites that were also affected.

Addressing the FREAK Flaw

OpenSSL provided a patch for CVE-2015-0204 in January. Apple is reportedly deploying a patch for both mobile devices and computers.

We advise Android users to refrain from using the default Android browser in their devices. They can instead use the Google Chrome app as it is not affected by the bug. Furthermore, connections to the Google search site are not affected.

According to Deep Security Labs Director Pawan Kinger, FREAK is a serious and very real vulnerability which may require some level of sophistication to exploit. However, its sophistication won’t dissuade determined attackers. Carrying out a FREAK exploit requires attackers to be able to first create a man-in-the-middle (MITM) attack against the servers. It would also require the ability to control an SSL session between client and server and then force that session to downgrade to the lower encryption level. Then, the attacker would have to take the weakly encrypted traffic and perform a brute force attack against it that would take several hours, as opposed to days or weeks with higher encryption.

We are currently evaluating its exact impact and attack mechanism on servers. For the time being, we advise businesses running websites and other server applications that use export-grade ciphers to upgrade their systems and move to the latest OpenSSL. Administrators can also check whether their site is vulnerable by using the SSL Labs SSL Server Test.

Several workarounds have been suggested by freakattack.com, a site dedicated to disseminating information about this vulnerability:

  • Administrators should disable support for any export suites.
  • Administrators should disable support for all known insecure ciphers and enable forward secrecy.
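One way to check a server against both workarounds, as an added example that is not from the original post or from freakattack.com: it audits a list of OpenSSL suite names for export-grade, known-insecure and non-forward-secret entries, then runs the same audit on a context built from a hardened cipher string. The cipher string, the function names and the sample suite list are assumptions made for illustration.

```python
import ssl

# Assumed hardening string (not from the post): ECDHE key exchange with AEAD
# ciphers only; export, anonymous and NULL suites are also excluded by name.
HARDENED = "ECDHE+AESGCM:ECDHE+CHACHA20:!EXPORT:!aNULL:!eNULL"

EXPORT_PREFIXES = {"EXP", "EXP1024"}
WEAK_TOKENS = {"NULL", "RC4", "RC2", "DES", "MD5", "ADH", "AECDH"}
EPHEMERAL_KEX = {"ECDHE", "DHE", "EDH", "ADH", "AECDH"}

def audit_suites(names):
    """Map each problematic OpenSSL suite name to the reasons it is flagged."""
    findings = {}
    for name in names:
        parts = set(name.split("-"))
        reasons = []
        if parts & EXPORT_PREFIXES:
            reasons.append("export-grade")
        if parts & WEAK_TOKENS:
            reasons.append("known-insecure cipher, MAC or key exchange")
        # TLS 1.3 suites (TLS_*) always use an ephemeral key exchange.
        if not name.startswith("TLS_") and not parts & EPHEMERAL_KEX:
            reasons.append("no forward secrecy")
        if reasons:
            findings[name] = reasons
    return findings

def hardened_suites(cipher_string=HARDENED):
    """Suites a server context actually enables under the given cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]

# Constructed sample: suite names as a scanner might list them for a legacy server.
LEGACY_OFFER = ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_128_GCM_SHA256",
                "AES128-SHA", "RC4-SHA", "EXP-RC4-MD5", "EXP-DES-CBC-SHA"]

if __name__ == "__main__":
    for suite, why in audit_suites(LEGACY_OFFER).items():
        print(f"{suite}: {', '.join(why)}")
    print("hardened context findings:", audit_suites(hardened_suites()))
```

Modern OpenSSL builds no longer ship export suites, so `!EXPORT` matters mainly on legacy stacks; the audit function works on any list of suite names regardless of the local build.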

Trend Micro Deep Security protects users from this vulnerability through the following DPI rule:

  • 1006485 – OpenSSL RSA Downgrade Vulnerability (CVE-2015-0204)

Note that this rule is available for client-based Vulnerability Protection.

Update as of March 5, 2015, 5:20 PM PST

We have added the following DPI rules to protect servers against this threat:

  • 1006561 – Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response
  • 1006562 – Identified Usage Of TLS/SSL EXPORT Cipher Suite In Request
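A sketch of the kind of check those two rule names describe, as an added example (not Trend Micro's rule logic and not code from the original post): it parses one TLS ClientHello or ServerHello record and reports any export-grade cipher suite code points in it. The function names are hypothetical and the records are constructed samples; SSLv2-format hellos and handshake messages split across records are not handled.

```python
import struct

# Export-grade code points defined in RFC 2246 (IANA TLS cipher suite registry).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

def export_suites_in_hello(record):
    """Return (direction, export suite names) for one TLS hello record."""
    try:
        ctype, _version, rec_len = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rec_len]
        if ctype != 0x16 or len(body) != rec_len:
            raise ValueError("not a complete TLS handshake record")
        hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
        msg = body[4:4 + hs_len]
        pos = 2 + 32                    # skip version and random
        pos += 1 + msg[pos]             # skip session_id
        if hs_type == 1:                # ClientHello: list of offered suites
            (n,) = struct.unpack_from("!H", msg, pos)
            ids = struct.unpack_from("!%dH" % (n // 2), msg, pos + 2)
            direction = "request"
        elif hs_type == 2:              # ServerHello: the one selected suite
            ids = struct.unpack_from("!H", msg, pos)
            direction = "response"
        else:
            raise ValueError("not a ClientHello or ServerHello")
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated hello") from exc
    return direction, [EXPORT_SUITES[i] for i in ids if i in EXPORT_SUITES]

def build_hello(hs_type, suites_field):
    tail = b"\x01\x00" if hs_type == 1 else b"\x00"   # compression field
    msg = b"\x03\x03" + bytes(32) + b"\x00" + suites_field + tail
    hs = bytes([hs_type]) + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed, extension-free samples (not captured traffic).
LEGACY_CLIENT = build_hello(1, struct.pack("!H4H", 8, 0xC02F, 0x002F, 0x0003, 0x0008))
MODERN_CLIENT = build_hello(1, struct.pack("!H2H", 4, 0xC02F, 0x002F))
EXPORT_SERVER = build_hello(2, struct.pack("!H", 0x0003))
```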

Update as of March 5, 2015, 9:43 AM PST

Microsoft has confirmed that all versions of Windows are vulnerable. Red Hat confirmed that versions 6 and 7 of Red Hat Enterprise Linux (RHEL) are vulnerable as well. Browsers that are vulnerable to the FREAK vulnerability include Internet Explorer, Opera (Mac OS X / Linux), and Safari.

 
