FREAK Attack

Vulnerability Description

The FREAK Attack relies on a few key pieces falling into place.

On the server side, this means that export ciphers are supported. When export ciphers are used, a 512-bit RSA key is used. This key can be factored in less than a day using popular cloud hosting services. Once this is accomplished, the attacker could then man-in-the-middle a victim using the factored key.

On the client side, an attacker must be able to force the client to accept a weak key, even if a strong cipher has been requested. This can be accomplished in clients that use OpenSSL, SChannel, and other libraries. The vulnerability that allows this has been identified with the following CVEs:

  • OpenSSL – CVE-2015-0204
  • SChannel – CVE-2015-1637
Exposure and Impact

An attacker that successfully executed this attack could man-in-the-middle a victim’s connection. Users are most susceptible when using open, public wireless networks like those found in hotels and coffee shops.

Remediation & Mitigation

This attack requires that both the server and client be vulnerable. Servers that don’t use export ciphers and clients that have been patched against the appropriate CVE are not vulnerable and would mitigate this attack.

Detection

Tripwire IP360 provides the following detection for server-side export ciphers:

V6174

SSL Server Supports Weak Encryption for SSLv3

V79208

SSL Server Supports Weak Encryption for SSLv2

V79210

SSL Server Supports Weak Encryption for TLSv1

V81883

SSL Server Supports Weak Encryption for TLSv1.1

V81884

SSL Server Supports Weak Encryption for TLSv1.2

 
Additionally, IP360 provides the following detection for CVE-2015-0204: V204109, V204490, V204572, V204835, V204989, V205161, V205168, V205439, V205440, V206229, V206758, V207391. This includes detection for the OpenSSL vulnerability on Debian, Ubuntu, RHEL, CentOS, OEL, SUSE, and Fedora.

Tripwire Enterprise COCR Rules for CVE-2015-0204 (FREAK Attack) Detection

References

SMACK: State Machine AttaCKs (original research)

Tracking the FREAK Attack

Akamai Addresses CVE 2015-0204 Vulnerability

Microsoft Security Advisory 3046015

OpenSSL Security Advisory (08 Jan 2015)