Raccoon: kutambura muTLS iyo inobvumidza kuseta kwemakiyi eDH kubatana

Raccoon kurwisa

Ruzivo nezve kunetseka kutsva muTLS protocol, yakanyorwa zita "Raccoon kurwisa"uye iyo inobvumira, mune zvisingawanzo mamiriro ezvinhu, kuona kiyi preliminary primary iyo inogona kushandiswa kutsikisa kubatana kweTLS, kusanganisira HTTPS painobata traffic yekufambisa (MITM).

Kubva pane ruzivo rwakaburitswa, Izvo zvinotaurwa kuti kurwisa kwacho kwakanyanya kunetsa kuita mukuita uye kune kwakawanda dzidziso mune zvakasikwa. Kurwiswa kunoda yakatarwa TLS server kumisikidzwa uye kugona kunyatso kuyera nguva yekugadzirisa yekushanda neseva.

Dambudziko riripo zvakananga mune yakatarwa TLS uye inongokanganisa kubatana kunoshandisa kunyorera zvinoenderana nekiyi yekuchinjana protocol DH.

ECDH zvinyorwa hazviratidze dambudziko uye vanoramba vakachengeteka. Iwo chete maTLS protocols kusvika uye anosanganisira vhezheni 1.2 ari panjodzi uye iyo TLS 1.3 protocol haina kukanganiswa uye kusagadzikana kunozviratidza mukumisikidza kweTLS iyo inoshandisa zvakare chakavanzika cheDH pane akasiyana TLS kubatana.

MuOpenSSL 1.0.2e uye neshanduro dzekutanga, kiyi DH inoshandiswa zvakare pane ese server kubatana, kunze kwekunge sarudzo ye SSL_OP_SINGLE_DH_USE yaiswa zvakajeka.

Ipo kubvira OpenSSL 1.0.2f, iyo kiyi yeDH inoshandiswa zvakare kana uchishandisa static DH ciphers. Mu OpenSSL 1.1.1, kushomeka hakuzviratidze, sezvo iri bazi risingashandisi yekutanga DH kiyi uye risingashandisi static DH cipher.

Paunenge uchishandisa iyo DH kiyi nzira yekuchinjana nzira, mativi ese ehukama anogadzira zvisina kujairika zvakavanzika zvakavanzika (pano, kiyi "a" uye kiyi "b"), pahwaro hweiyo yeruzhinji kiyi (ga  mod pygbMod p).

Mushure mekutambira makiyi eruzhinji, bato rega rinoverenga rakajairika kiyi yekutanga (gab mod p), iyo inoshandiswa kugadzira makiyi echikamu.

Kurwisa Raccoon inoita kuti iwe uone iyo yekutanga kiyi kuburikidza nekugadzirisa yeruzivo kuburikidza nenzira dzepadivi, kutanga kubva pakuti TLS yakatarwa kusvika pane vhezheni 1.2 inoda kuti zvese zvinotungamira zero mabheti eiyi kiyi yekutanga zviraswe pamberi pekuverenga nekutora kwako.

Iko kuiswa kweiyo truncated yekutanga kiyi kunoendeswa kune iyo hash basa-based chikamu kiyi yekugadzira basa nekunonoka kwakasiyana kana uchigadzirisa akasiyana data.

Zvakakodzera nguva makiyi mashandiro anoitwa neseva anotendera anorwisa kuti aone zviyeuchidzo zvinopa nzira yekutonga kuti kiyi yekutanga inotanga pa zero kana kwete. Semuenzaniso, anorwisa anogona kutora kiyi yeruzhinji (ga) yakatumirwa nemutengi, tungamira kumberi kuseva uye uone kana yakakosha kiyi kiyi inotanga ne zero.

Naiye oga, kutsanangura Byte yekiyi hakupi chinhu, asi kubvisa kukosha «ga»Kupfuudzwa nemutengi panguva yekutaurirana kwekubatana, anorwisa anogona kuita seti yemamwe maitiro akafanana ne «ga»Uye uvatumire kuseva muzvikamu zvakasiyana zvekutaurirana.

Nekuumba nekutumira hunhu «gri*ga«, Anorwisa anogona, nekuongorora shanduko mukunonoka kwekupindura server, sarudza hunhu hunotungamira mukugashira kwekutanga makiyi kutanga kubva zero. Nemitengo iyi yakatemwa, anorwisa anogona kunyora seti yekuenzanisa kuti agadzirise dambudziko renhamba rakavanzika uye overenga yekutanga kiyi yekutanga.

Iyo OpenSSL kunetsekana yakatemwa yakaderera kuomarara, uye mhinduro yaive yekufambisa zvinetswa "TLS_DH_ *" zvinyorwa mune vhezheni 1.0.2w kuenda kuchikwata "chisina simba" chakaremara nekutadza. Vagadziri veMozilla vakaita zvakafanana nekuremadza iyo DH uye DHE cipher suites muraibhurari yeNSS inoshandiswa muFirefox.

Kuparadzanisa, pane zvimwe zvinowedzera muTLS stack yeF5 BIG-IP zvishandiso zvinoita kuti kurwisa kuve kwechokwadi.

Kunyanya, kutsauka kwakawanikwa mune hunhu hwemidziyo ine zero byte pakutanga kwekiyi yekutanga, iyo inogona kushandiswa panzvimbo yekuyera latency chaiyo mukuverenga.

mabviro: https://raccoon-attack.com/


Izvo zviri muchinyorwa zvinoomerera pamisimboti yedu ye tsika dzekunyora. Kuti utaure chikanganiso tinya pano.

Iva wekutanga kutaura

Siya yako yekutaura

Your kero e havazobvumirwi ichibudiswa.

*

*

  1. Inotarisira data: AB Internet Networks 2008 SL
  2. Chinangwa cheiyo data: Kudzora SPAM, manejimendi manejimendi.
  3. Legitimation: Kubvuma kwako
  4. Kutaurirana kwedata
  5. Dhata yekuchengetedza: Dhatabhesi inobatwa neOccentus Networks (EU)
  6. Kodzero: Panguva ipi neipi iwe unogona kudzora, kupora uye kudzima ruzivo rwako