Faulty TLS implementation opens VISA sites, users to attack

A group of researchers has discovered 184 HTTPS servers that are wide open to attackers looking to inject seemingly valid content into encrypted sessions. Some of these servers belong to the credit card company VISA, the Polish banking association ZBP, and the German stock exchange.

They are vulnerable to these attacks because they used a duplicate cryptographic nonce with the AES-GCM cipher during the TLS handshake between the browser and the HTTPS-protected sites. This means attackers that are able to monitor the connection could reconstruct the authentication key and misuse it to, let’s say, inject malicious code in the site or bogus forms to harvest user data.

The user, i.e. the browser, would have no way of noticing the attack.

This type of attack is not new, and has been dubbed the “forbidden attack” because unique nonces are a must for effective and secure encryption.

“The behaviour of these devices was mixed. 66 devices were using the value 0100000003001741 twice and then continued with a randomly chosen value and a counter starting from that value. Four further devices showed a similar behavior, but with other starting values (010000000100c289, 0100055f03010240 and 010000000080c0eb twice). 84 devices used a random value for the first encryption and subsequently zero values. 23 devices simply always used zero,” the researchers shared, but all of them can be practically attacked.

The researchers have also found over 70,000 HTTPS servers using random nonces, which theoretically puts them in danger of nonce reuse attacks. Such an attack would be much more difficult to pull off – but not impossible.

“If only a few TLS records are encrypted with the same key, then a random nonce does not pose a risk. However, if a large number of records is encrypted with the same key, the risk may become relevant,” they explained.

“The size of a TLS record is determined by many factors, therefore it is not trivial to calculate the exact amount of data necessary to generate a nonce duplication with an implementation with random nonces. It is however most likely in the area of Terabytes,” they noted.

“There are probably few scenarios in which this is a problem. VPN networks may use the same connection for such a large number of TLS records. Also in an attack scenario where an attacker can control Javascript and the victim has a very fast Internet connection such an attack might be possible. However this requires an HTTPS server that allows an unlimited number of requests over a single connection. Common HTTP server implementations usually limit the number of Keep Alive requests that can be sent over one connection, but this limit can be disabled.”

The researchers managed to identify some of the devices using random nonces: Lotus Domino web servers, A10 load balancers, Sangfor devices. So far, only IBM published an update fixing the flaw in Lotus Domino.

According to Ars Technica, VISA, the Polish banking association ZBP, and the German stock exchange have also been notified of the problem, but only the latter has dealt with it so far.

The researchers demonstrated a script injection attack on the HTTPS version of www.visa.dk as proof of their findings, and PoC attack code on GitHub.