CVE-2017-1000385 - Observable Discrepancy

Severity

43%

Complexity

86%

Confidentiality

48%

The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack).

The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack).

CVSS 3.0 Base Score 5.9. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N).

Demo Examples

Observable Discrepancy

CWE-203

The following code checks validity of the supplied username and password and notifies the user of a successful or failed login.


               
}
}
print "Login Successful";
print "Login Failed - incorrect password";
print "Login Failed - unknown username";

In the above code, there are different messages for when an incorrect username is supplied, versus when the username is correct but the password is wrong. This difference enables a potential attacker to understand the state of the login function, and could allow an attacker to discover a valid username by trying different values until the incorrect password message is returned. In essence, this makes it easier for an attacker to obtain half of the necessary authentication credentials.

While this type of information may be helpful to a user, it is also useful to a potential attacker. In the above example, the message for both failed cases should be the same, such as:


               
"Login Failed - incorrect username or password"

Observable Discrepancy

CWE-203

Non-uniform processing time causes timing channel.

Suppose a hardware IP for implementing an encryption routine works fine per se, but the time taken to output the result of the encryption routine depends on a certain relationship between the input plaintext and the key (e.g., suppose, if the plaintext is similar to the key, it would run very fast).

In the example above, an attacker can vary the inputs and, depending on the seen differences between processing times (different plaintexts take different time), can infer certain information about the key.

If the actual processing time was different for different plaintexts, artificial delays can be introduced to ensured all plaintexts take equal time to execute, even though the timing was internally different.

Overview

First reported 7 years ago

2017-12-12 21:29:00

Last updated 5 years ago

2019-10-03 00:03:00

Affected Software

Erlang/OTP 18.3.4.7

18.3.4.7

Erlang/OTP 19.3.6.4

19.3.6.4

Erlang/OTP 20.1.7

20.1.7

Debian Linux 8.0 (Jessie)

8.0

Debian Linux 9.0

9.0

References

[erlang-questions] 20171123 Patch Package: OTP 20.1.7

Issue Tracking, Mailing List, Vendor Advisory

[erlang-questions] 20171123 Patch Package: OTP 19.3.6.4

Issue Tracking, Mailing List, Vendor Advisory

[erlang-questions] 20171123 Patch Package: OTP 18.3.4.7

Issue Tracking, Mailing List, Vendor Advisory

102197

Third Party Advisory, VDB Entry

RHSA-2018:0242

RHSA-2018:0303

RHSA-2018:0368

RHSA-2018:0528

[debian-lts-announce] 20171215 [SECURITY] [DLA 1207-1] erlang security update

https://robotattack.org/

Issue Tracking, Third Party Advisory

USN-3571-1

DSA-4057

Issue Tracking, Third Party Advisory

VU#144389

Issue Tracking, Third Party Advisory, US Government Resource

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.