SLOTH: Security Losses from Obsolete and Truncated Transcript Hashes (SLOTH) attack on TLS 1.2 (CVE-2015-7575)
A new attack class called "transcript collision" has been identified on hash functions in cryptographic protocols such as TLS, which can force a hash-construction downgrade to MD5 and reduce expected security. These attacks rely on the use of obsolete hash constructions such as MD5 in these protocols.
In TLS prior to 1.2, the signature was fixed to SHA1+MD5 (in 1.0), or to SHA1 (in 1.1). TLS 1.2 allows any combination of algorithms to be present for the signature so that a man-in-the-middle attacker can insert an easily forged RSA-MD5 signature to sign his data of choice. SLOTH stands for: Security Losses from Obsolete and Truncated Transcript Hashes.
This issue has been rated as having Moderate impact by the Red Hat Product Security Team.
Hash functions are widely used to build authentication and integrity mechanisms in cryptographic protocols. They are used within public-key certificates, digital signatures, message authentication codes (MAC), and key-derivation functions (KDF). In 2005, the first collision attack was found against MD5, a popularly used cryptographic hash function. Since then these attacks have become faster and better.
In 2009, a rogue CA was created by using the above-mentioned collision attacks on MD5. Due to these high profile attacks, most cryptographic software was patched to stop accepting MD5 certificates. However, other uses of MD5 hash functions continue, especially in certain parts of the TLS protocol which include items like ServerKeyExchange.
Attack Vectors on TLS 1.2
In TLS, the client authenticates itself by presenting an X.509 certificate and then signing a hash of the entire handshake transcript with the private key corresponding to the certificate. In TLS versions up to 1.1, the hash algorithm used before signing was a concatenation of MD5 and SHA1. However, TLS 1.2 was updated to allow clients and servers to negotiate the signature and hash algorithms they support. This update enabled the use of newer, stronger hash algorithms such as SHA-256 and SHA-512, but unfortunately it also enabled the use of weaker hash algorithms such as MD5.
This security flaw could be used to mount a man-in-the-middle attack for SSL/TLS configurations in which client certificates are used for authentication.
TLS 1.2 enables RSA-MD5 signatures for both client and server signatures. This flaw could be used to launch a man-in-the middle attack on a TLS 1.2 server-client connection. However, this kind of attack is typically more difficult to perform than client-authentication attacks.
Both of the above mentioned attacks require a man-in-the-middle attacker. They are non-trivial, compute intensive and difficult to conduct.
Affected TLS versions
Only cryptographic software using TLS 1.2 is affected.
This flaw has been rated as having Moderate impact by Red Hat Product Security, and affects the following products and packages in Red Hat Enterprise Linux.
|Red Hat Enterprise Linux 6 and 7||NSS||RHSA-2016:0007|
|Red Hat Enterprise Linux 6 and 7||GNUtls||RHSA-2016:0012|
|Red Hat Enterprise Linux 6 and 7||OpenSSL||RHSA-2016:0008|
This issue also affects the version of NSS shipped with Red Hat Enterprise Linux 5. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 5.