Increasingly, people around the world depend on technology for their daily activities. Making this technology trustworthy involves a deep understanding of how attacks work. By researching security vulnerabilities, the Advanced Threat Research (ATR) team in Intel Security discovers opportunities to drive toward more secure technology.
Last updated: 2014-10-06
The ATR team at Intel Security and Antoine Delignat-Lavaud (INRIA Paris, PROSECCO) have discovered a critical class of vulnerability in the ASN.1 parsing used in certain crypto libraries, including Mozilla NSS. This vulnerability (dubbed BERserk) allows attackers to forge RSA signatures, thereby allowing the bypass of authentication to websites using SSL/TLS. Authentication mechanisms within firmware on specific devices may be compromised as well, allowing attackers to compromise the integrity of software on the device.
This is a variant of Daniel Bleichenbacher’s PKCS#1 v1.5 RSA Signature Forgery vulnerability (CVE-2006-4339, http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html). Due to an incorrect check on signature padding, this new attack variant allows for RSA signatures to be successfully forged without knowledge of the corresponding RSA private key. Attackers are able to “man-in-the-middle” connections that are assumed to be secure (via SSL) allowing them to monitor and intercept data transmitted over that session.
The attack exploits a vulnerability in the parsing of an ASN.1 encoded sequence during signature verification. ASN.1 encoded sequences are made up of objects that are encoded using BER and/or DER. The attack exploits the fact that bytes are skipped during the parsing of certain fields; that skipped-byte condition is what makes the forgery possible.
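The generic countermeasure the analysis points toward is to not parse the recovered ASN.1 structure at all during verification, but to rebuild the single valid PKCS#1 v1.5 encoded message and compare it byte for byte. The following is an added example (not code from the advisory, from Mozilla NSS or from any other library) of such a verifier; the RSA key is a constructed toy built from two Mersenne primes so the example is deterministic, and `em_with_trailing_bytes` builds a malformed encoding of the shape the advisory describes, using the toy private key only so the test can show the strict check rejecting it.

```python
import hashlib
import hmac

# DER encoding of DigestInfo minus the hash bytes, for SHA-256 (RFC 8017, Section 9.2).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Toy RSA key built from the Mersenne primes 2^521-1 and 2^607-1 so the example is
# deterministic. It is NOT a secure key and exists only to produce test inputs.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (141 here)

def expected_em(message: bytes, k: int) -> bytes:
    """Build the one valid EM for this message: 00 01 FF..FF 00 || DigestInfo."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def verify(n: int, e: int, signature: bytes, message: bytes) -> bool:
    """Strict PKCS#1 v1.5 check: recover EM, then compare it whole against the
    expected encoding. Nothing is parsed, so no byte can be skipped or ignored."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # Constant-time compare; different lengths or any differing byte yield False.
    return hmac.compare_digest(em, expected_em(message, k))

def sign_em(em: bytes) -> bytes:
    """Raw RSA private operation on an already-encoded message (test helper only)."""
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")

def sign(message: bytes) -> bytes:
    """Reference signer for the toy key."""
    return sign_em(expected_em(message, K))

def em_with_trailing_bytes(message: bytes, k: int, extra: int = 8) -> bytes:
    """Malformed EM of the shape the advisory warns about: well-formed up to the end
    of DigestInfo, with `extra` bytes after it. A lenient verifier that stops at the
    end of DigestInfo would accept this; verify() rejects it."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3 - extra) + b"\x00" + t + b"\x00" * extra
```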
Part one of our technical analysis of the "BERserk" vulnerability is now available. This first part is not vendor or library specific. Rather, we are providing generic guidance in an effort to allow developers to avoid these issues in future implementations. We will continue the next part of our analysis with specifics on the Mozilla NSS library. Download the paper
Update: October 6, 2014 - Part two of our analysis is now available. This update explores the specifics of the attack against Mozilla NSS. Download part two of the paper
An attacker can forge/spoof the authentication between an end-user and their bank website. In such a “man-in-the-middle” scenario, all personal data communicated in the browser session can be intercepted and/or compromised. Both integrity and confidentiality of the data exchanged in that session are at risk. A picture below illustrates this attack against SSL/TLS digital certificates.
The following screenshot demonstrates that SSL/TLS digital certificates (RSA-2048 with SHA-1) are successfully forged using this vulnerability and validated by the latest version of the Mozilla Firefox web browser.
This issue is named “BERserk” because the vulnerability is enabled by the incorrect parsing of certain BER (Basic Encoding Rules) encoded sequences in the implementation of RSA signature verification.
While Intel Security is unaware of any attacks exploiting BERserk, we strongly advise individuals and organizations using Firefox to take immediate action to update their browsers with the latest security update from Mozilla.