SSL FREAK Vulnerability

As security experts, AppSec Labs can help you protect against SSL-based attacks, as well as keep our own website, www.appsec-labs.com, safe from these attacks.

SSL/TLS is a transport encryption protocol which is used by most applications and infrastructure to provide confidentiality and integrity for safe communication between a client and a server.

For confidentiality, it uses encryption to prevent protocol analysis and eavesdropping. Common implementations of SSL/TLS, such as OpenSSL, allow you to configure which cipher suites may be used for the communication.

On Tuesday, March 3rd 2015, researchers disclosed a new vulnerability called “FREAK”. The vulnerability is in the protocol and is of the RSA weak-key downgrade type: by intercepting HTTPS communication, an attacker forces the connection between a client and a server to use “export-grade” cryptography, which can then be decrypted in order to alter the content or disclose information.

A compromised connection poses a security threat as it violates confidentiality.

 

If a server that supports SSL accepts RSA_EXPORT cipher suites (for example: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA), it is vulnerable to the FREAK attack.

 

According to the National Cyber Awareness System, the CVSS severity is as follows:

CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

 

If a client offers an RSA_EXPORT suite, or is using an SSL client that is vulnerable to CVE-2015-0204 (such as an unpatched OpenSSL client), then it is vulnerable to the FREAK attack.

Please note that the client can also be an Android or an iOS client.

 

To check whether the client you are using is safe or vulnerable to the FREAK attack, visit: https://freakattack.com/clienttest.html

 

To fix a server that has been found to be vulnerable to the SSL FREAK attack, it is recommended to disable all known vulnerable cipher suites, including the RSA Export cipher suites, and to enable Forward Secrecy.

 

You can also refer to the SSL Configuration Generator that was published by Mozilla.

To check if your server is vulnerable to the FREAK attack, you can download a tool: AppSec Labs FREAK SSL Checker (you will also need the pre-compiled OpenSSL binaries in the same directory as the script).
The AppSec Labs FREAK Checker tool uses a vulnerable OpenSSL client and tries to establish a connection using an RSA_EXPORT cipher suite. It then reports back whether the server is safe from the attack or vulnerable to it.
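
The two conditions described above (a client that offers an RSA_EXPORT suite, a server that selects one) can also be read directly from a captured TLS handshake. The following is an added example, not the AppSec Labs tool and not code from the original post; the function names and the sample records are assumptions, and it covers only the three RSA_EXPORT code points defined in RFC 2246.

```python
# Added example: flag RSA_EXPORT suites in a captured TLS ClientHello/ServerHello.
# Code points are the three RSA_EXPORT suites from RFC 2246 (IANA names).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def export_suites_in_hello(record: bytes):
    """Return (hello kind, names of RSA_EXPORT suites offered or selected)."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:                                # version + random + sid length
        raise ValueError("truncated hello")
    hs_type = hs[0]
    pos = 34 + 1 + body[34]                           # skip version, random, session id
    if pos + 2 > len(body):
        raise ValueError("truncated hello")
    if hs_type == 1:                                  # ClientHello: list of offered suites
        n = int.from_bytes(body[pos:pos + 2], "big")
        raw = body[pos + 2:pos + 2 + n]
        if len(raw) != n or n % 2:
            raise ValueError("bad cipher suite list")
        ids = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]
        kind = "ClientHello"
    elif hs_type == 2:                                # ServerHello: the one selected suite
        ids = [int.from_bytes(body[pos:pos + 2], "big")]
        kind = "ServerHello"
    else:
        raise ValueError("not a hello message")
    return kind, [RSA_EXPORT_SUITES[i] for i in ids if i in RSA_EXPORT_SUITES]

def sample_hello(hs_type: int, tail: bytes) -> bytes:
    """Build a constructed TLS 1.0 hello with a zero random and empty session id."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + tail
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed samples, not captures from any real host.
CLIENT_HELLO = sample_hello(1, b"\x00\x04\x00\x2f\x00\x08\x01\x00")  # offers 0x002f, 0x0008
WEAK_SERVER_HELLO = sample_hello(2, b"\x00\x08\x00")                 # server picked 0x0008
SAFE_SERVER_HELLO = sample_hello(2, b"\x00\x2f\x00")                 # server picked 0x002f

if __name__ == "__main__":
    for rec in (CLIENT_HELLO, WEAK_SERVER_HELLO, SAFE_SERVER_HELLO):
        print(export_suites_in_hello(rec))
```

A non-empty list for a ServerHello means the server accepted an export suite and needs the cipher-suite fix described above; a non-empty list for a ClientHello means the client still offers one.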

 

I hope that it has been informative for you 🙂

 

 

Gilad Ofir, Application Security Consultant, AppSec Labs

My LinkedIn page: il.linkedin.com/pub/gilad-ofir/19/599/449/en

2 replies
    • Gilad Ofir says:

      Thank you for your comment!
      The script requires the binaries of OpenSSL to reside in the same folder in order to run, or else it will be unable to test for the vulnerability.
      I will provide a version that includes the binaries and a running executable soon!
      For now, you can just add them manually (http://slproweb.com/products/Win32OpenSSL.html)
      I checked it myself (whether Google is vulnerable or not) and the results came in negative.
