430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

CVE-2016-2107 OpenSSL Flaw still affects many Alexa Top Sites

According to the security firm High-Tech Bridge many of the Alexa Top 10,000 websites are still vulnerable to the OpenSSL flaw CVE-2016-2107. The CVE-2016-2107 flaw affecting the open-source cryptographic library could be exploited to launch a man-in-the-middle attack leveraging on the ‘Padding Oracle Attack’ that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI. According […]

Trusted Platform Module 2.0 flaws

According to the security firm High-Tech Bridge many of the Alexa Top 10,000 websites are still vulnerable to the OpenSSL flaw CVE-2016-2107.

The CVE-2016-2107 flaw affecting the open-source cryptographic library could be exploited to launch a man-in-the-middle attack leveraging on the ‘Padding Oracle Attack’ that can decrypt HTTPS traffic if the connection uses AES-CBC cipher and the server supports AES-NI.

According to the experts, the flaw affects the OpenSSL cryptographic library since 2013, when maintainers of the project fixed another Padding Oracle flaw called Lucky 13.

“A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI.” states the advisory issued by the OpenSSL. “This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same  bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.”

The flaw was patched in early May with the release of the versions 1.0.2h and 1.0.1t, but according to an analysis conducted by the security firm High-Tech Bridge many of the Alexa Top 10,000 websites are still vulnerable.

“The bad news is that support of the AES CBC cipher is widely recommended for compatibility reasons, required by TLS 1.2 RFC and recommended by NIST guidelines. AES CBC cipher is also considered the strongest cipher for TLS 1.0 and TLS 1.1,” states a blog post published by the High-Tech Bridge.

The experts made a quick and non-intrusive research on the Alexa Top 10’000 most visited websites, e-commerces and social platforms searching for presence and exploitability of the OpenSSL CVE-2016-2107 vulnerability.

The researchers used a free SSL/TLS server test specifically designed to automate the research and perform the checks for the existence of CVE-2016-2107.

“We used our free SSL/TLS server test to automate the following checks for each company from the Alexa list:”

Website HTTPS test (port 443)

– Email server SSL, TLS and STARTTLS test (hostname/port):

mail.company.com 25, 110, 143, 465, 587, 993, 995
imap.company.com 143, 993
pop.company.com 110, 995
pop3.company.com 110, 995
smtp.company.com 25, 465, 587

The results are disconcerting, many websites on the web are exposed to MiTM attacks, web or email servers associated with 1,829 (19.29 percent) of the top websites had been both vulnerable and exploitable.

CVE-2016-2107 OpenSSL Flaw

“To our surprise, quite a lot of the most popular resources of the Internet were discovered vulnerable. Here are the results:”

  • Not vulnerable: 6258 (62.58%)
  • Not exploitable: 1913 (19.13%)
  • Vulnerable and exploitable: 1829 (18.29%)

“Taking into consideration that the vulnerability can be exploited in practice and allows stealing user data, credentials, financial and personal information, such results are pretty disappointing,” continues the analysis.

If you want to test your server against the CVE-2016-2107 flaw you can use the SSL/TLS server test.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – OpenSSL, encryption)