GitHub – tls-attacker/TLS-Padding-Oracles: New TLS Padding Oracles

TLS Padding Oracles

The TLS protocol provides encryption, data integrity, and authentication on the modern Internet. Despite the protocol's importance, currently-deployed TLS versions use obsolete cryptographic algorithms which have been broken using various attacks. One prominent class of such attacks is CBC padding oracle attacks. These attacks allow an adversary to decrypt TLS traffic by observing different server behaviors which depend on the validity of the CBC padding.
We evaluated the Alexa Top Million Websites for CBC padding oracle vulnerabilities in TLS implementations and revealed vulnerabilities in 1.83% of them, detecting nearly 100 different vulnerabilities. These padding oracles stem from subtle differences in server behavior, such as responding with different TLS alerts, or with different TCP header flags. We suspect the subtlety of these different server responses is the reason these padding oracles were not detected previously.

Full Technical Paper

Robert Merget, Juraj Somorovsky, Nimrod Aviram, Craig Young, Janis Fliegenschmidt, Jörg Schwenk, Yuval Shavitt: Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities. USENIX Security 2019


  • Blackhat Asia 2019. Zombie POODLE, GOLDENDOODLE, and How TLSv1.3 Can Save Us All. website, slides
  • Summer School on real-world crypto and privacy 2019. Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities. website, slides

Who Is Affected?

Since the identification of different vendors is fairly difficult and requires the cooperation of the affected websites, a set of our vulnerabilities are not attributed yet. On this GitHub page, we collect the current status of the responsible disclosure process and give an overview of the revealed vulnerabilities.
The currently identified and fixed vulnerabilities are (details below):
  • OpenSSL (CVE-2019-1559)
  • Citrix (CVE-2019-6485)
The disclosure process is still running with a handful of vendors. Some of them are considering disabling or even completely removing CBC cipher suites from their products.

Recommendations for TLS Implementations Developers

If you are developing a TLS implementation, this is obviously a good reminder to review your CBC code and make sure it does not expose a padding oracle; obviously, this is easier said than done. We therefore invite developers of TLS implementations to contact us in this matter. We will evaluate your implementation and, if you are vulnerable, work with you to understand the nature of the vulnerability (contact).
You can now also use our TLS-Scanner directly to evaluate your implementation. TLS-Scanner also includes a vulnerability fingerprint, which allows you to identify the underlying vulnerable implementation; see the example below.
TLS vulnerability fingerprint
If you find a vulnerable implementation which is not known to our tool, please contact us.


Cipher Block Chaining (CBC) mode of operation

The CBC mode of operation allows one to encrypt plaintexts of arbitrary length with block ciphers like AES or 3DES. In CBC mode, each plaintext block is XOR'ed with the previous ciphertext block before being encrypted by the block cipher. We simply refer to Wikipedia for more information.
Padding oracle attacks exploit the malleability of CBC. The problem with CBC is that it allows an attacker to perform meaningful plaintext modifications without knowing the symmetric key. More concretely, it allows an attacker to flip a specific plaintext bit by flipping the corresponding bit in the previous ciphertext block (at the cost of garbling the plaintext of that previous block). This CBC property has already been exploited in many attacks, for example, most recently in the Efail attack.

CBC and its usage in the TLS record layer

In order to protect messages (records) exchanged between TLS peers, it is possible to use different cryptographic primitives. One of them is a MAC combined with AES in CBC mode of operation. Unfortunately, TLS decided to use the MAC-then-PAD-then-Encrypt mechanism, which means that the encryptor first computes a MAC over the plaintext, then pads the message to a multiple of the block length, and finally uses AES-CBC to encrypt the padded message. The receiver therefore has to decrypt and check the padding before it can verify the MAC.
For example, if we want to encrypt five bytes of data and use HMAC-SHA1 (with a 20-byte output), we end up with two 16-byte blocks: 5 + 20 = 25 bytes, so the second block needs to be padded with 7 bytes of value 0x06 (six padding bytes followed by the padding length byte, each equal to 0x06).
Validly formatted MAC and padding

Padding oracle attacks

In 2002, Vaudenay showed that revealing padding failures after message decryption could have severe consequences for the security of the application. Since the CBC malleability allows an attacker to flip arbitrary message bytes, the attacker is also able to modify specific padding bytes. If the application decrypts the modified message and reports problems related to padding validity, the attacker is able to learn the underlying plaintext. We refer to this explanation by Erlend Oftedal for more details.
In TLS, the attack is a bit more complex because the target TLS connection is always closed once invalid padding is triggered, so every oracle query costs a fresh connection carrying the same plaintext. However, the vulnerability is practically exploitable in BEAST scenarios and allows the attacker to decrypt repeated secrets like session cookies.
Therefore, it is very important that TLS implementations do not reveal any information about padding validity. This includes different TLS alerts, connection states, or even timing behavior.
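The record layout from the previous section and the attack described above, as an added example that is not part of the original page or of TLS-Attacker: a stand-alone Python model of TLS 1.2 CBC records (MAC-then-pad-then-encrypt with an explicit IV), a receiver that leaks whether the padding or the MAC check failed (a stand-in for the alert, RST and timeout differences described on this page), and the padding oracle attack that recovers a ciphertext block from that leak. Assumptions, all this example's own: a 4-round Feistel network replaces AES so the code runs with the standard library alone (it is not a secure cipher), the MAC input is reduced to the record data (no sequence number, type or version), the attacker's forged record is a single block with a chosen IV, and every key and data value is constructed.

```python
# Added example (not the project's code): toy TLS 1.2 CBC record handling
# (MAC-then-pad-then-encrypt), a receiver that leaks padding-vs-MAC failure,
# and the padding-oracle attack that turns that leak into plaintext.
# A 4-round Feistel stands in for AES (stdlib only); the MAC input is simplified.
import hashlib, hmac, os

BLOCK, MAC_LEN = 16, 20    # AES block size; HMAC-SHA1 tag length as in the page's example

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):    # Feistel round function: a toy, NOT a secure cipher
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return r + l

def toy_decrypt_block(key, block):
    r, l = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):   # P_i = D(C_i) XOR C_{i-1}: a bit flipped in C_{i-1} flips it in P_i
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def tls_pad(mac_and_data):
    """TLS CBC padding: p+1 bytes, each equal to p, up to the next block boundary."""
    p = (BLOCK - (len(mac_and_data) + 1) % BLOCK) % BLOCK
    return mac_and_data + bytes([p]) * (p + 1)

def build_record(enc_key, mac_key, data):
    """MAC-then-pad-then-encrypt, explicit IV (TLS 1.1+). Returns (iv, ciphertext, padded plaintext)."""
    padded = tls_pad(data + hmac.new(mac_key, data, hashlib.sha1).digest())
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(enc_key, iv, padded), padded

def vulnerable_receiver(enc_key, mac_key, iv, ct):
    """Tells padding and MAC failures apart, as the servers on this page do via alerts/RST/timeouts."""
    pt = cbc_decrypt(enc_key, iv, ct)
    p = pt[-1]
    if p + 1 > len(pt) or pt[-(p + 1):] != bytes([p]) * (p + 1):
        return "bad_padding"
    body = pt[:len(pt) - p - 1]
    if len(body) < MAC_LEN:
        return "bad_mac"
    tag = hmac.new(mac_key, body[:-MAC_LEN], hashlib.sha1).digest()
    return "ok" if hmac.compare_digest(tag, body[-MAC_LEN:]) else "bad_mac"

def hardened_receiver(enc_key, mac_key, iv, ct):
    """One failure signal only (still not constant-time; Lucky 13 shows that matters too)."""
    return "ok" if vulnerable_receiver(enc_key, mac_key, iv, ct) == "ok" else "bad_record_mac"

def padding_oracle_decrypt_block(oracle, prev_block, target):
    """Recover plaintext P of `target` (CBC block preceded by `prev_block`) from the leak alone.
    A forged one-block record [R || target] decrypts to P XOR prev_block XOR R, so R is chosen
    to steer the tail of P into valid padding of length k; 'bad_mac' reveals a correct guess."""
    known = b""                                    # recovered bytes of P, right to left
    for k in range(BLOCK):
        pos = BLOCK - 1 - k
        for g in range(256):
            r = bytearray(prev_block)
            r[pos] ^= g ^ k                        # decrypts to k exactly when g == P[pos]
            for j, kb in enumerate(known):         # force already-known tail bytes to k
                r[pos + 1 + j] ^= kb ^ k
            if oracle(bytes(r), target) == "bad_padding":
                continue
            if k == 0:                             # a tail like 01 01 also passes: perturb byte 14
                r2 = bytearray(r)
                r2[pos - 1] ^= 0xFF
                if oracle(bytes(r2), target) == "bad_padding":
                    continue
            known = bytes([g]) + known
            break
        else:
            raise RuntimeError("no guess accepted")
    return known

def demo(data=b"hello"):
    """Constructed keys/data. Returns (padded plaintext, block 0 via leaky oracle, via hardened)."""
    enc_key, mac_key = os.urandom(16), os.urandom(20)
    iv, ct, padded = build_record(enc_key, mac_key, data)
    leaky_oracle = lambda r, c: vulnerable_receiver(enc_key, mac_key, r, c)
    hard_oracle = lambda r, c: hardened_receiver(enc_key, mac_key, r, c)
    leaky = padding_oracle_decrypt_block(leaky_oracle, iv, ct[:BLOCK])
    silent = padding_oracle_decrypt_block(hard_oracle, iv, ct[:BLOCK])
    return padded, leaky, silent
```

`demo()` builds the page's example record (5 bytes of data, HMAC-SHA1, 7 padding bytes of 0x06), recovers block 0 through the leaky receiver with at most 16 × 256 queries, and shows that the hardened receiver, which collapses every failure into a single answer, yields nothing useful (the attack then accepts the first guess everywhere). Collapsing the alert is necessary but not sufficient: the hardened receiver here still computes the MAC only after the padding check succeeds, which is exactly the timing side channel Lucky Thirteen exploits; a real implementation has to process the record in constant time regardless of the padding outcome.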

Vulnerability Details

OpenSSL (CVE-2019-1559)

With the help of the Amazon security team, we identified a vulnerability which was mostly found on Amazon servers and Amazon Web Services (AWS). Hosts affected by this vulnerability immediately respond to most records with BAD_RECORD_MAC and CLOSE_NOTIFY alerts, and then close the connection. However, if the hosts encounter a zero-length record with valid padding and a MAC present, they do not immediately close the TCP connection, regardless of the validity of the MAC. Instead, they keep the connection alive for more than 4 seconds after sending the CLOSE_NOTIFY alert. This difference in behavior is easily observable over the network. Note that the MAC value does not need to be correct to trigger this timeout; it is sufficient to create valid padding which causes the decrypted data to be of zero length.

Further investigations revealed that the Amazon servers were running an implementation which uses the OpenSSL 1.0.2 API. In some cases, the function calls to the API return different error codes depending on whether a MAC or a padding error occurred. The Amazon application then takes different code paths based on these error codes, and the different paths result in an observable difference in the TCP layer. The vulnerable behavior only occurs when AES-NI is not used.

Citrix (CVE-2019-6485)

The vulnerable Citrix implementations first check the last padding byte and then verify the MAC. If the MAC is invalid, the server closes the connection. This is done with either a connection timeout or an RST, depending on the validity of the remaining padding bytes. However, if the MAC is valid, the server checks whether all other remaining padding bytes are correct. If they are not, the server responds with a BAD_RECORD_MAC and an RST (if they are valid, the record is well-formed and is accepted). This behavior can be exploited with an attack similar to POODLE.


Can these vulnerabilities be exploited?

Yes, but exploitation is fairly difficult. If you use one of the above implementations, you should still make sure you have patched.
To be more specific, the attack can be exploited in BEAST scenarios. There are two prerequisites for the attack. First, the attacker must be able to run a script in the victim's browser which sends requests to a vulnerable website. This can be achieved by tempting the victim to visit a malicious website. Second, the attacker must be able to modify requests sent by the browser and observe the server behavior. The second prerequisite is much harder to achieve, because the attacker must be an active Man-in-the-Middle.

Have these vulnerabilities actually been exploited?

We have no reason to believe these vulnerabilities have been exploited in the wild so far.

I used a vulnerable implementation. Do I need to revoke my certificate?

No, this attack does not recover the server's private key.

Do I need to update my browser?

No. These are server-side vulnerabilities, and can only be fixed by deploying a fix on the server.

How many implementations are vulnerable?

Our Alexa scans identified more than 90 different server behaviors triggered in our padding oracle scans. Some of them will probably be caused by outdated servers. However, we assume many of the newest servers will need fixes.

How is this related to previous research?

In 2002, Vaudenay presented an approach which targets messages encrypted with the CBC mode of operation. The attack exploits the malleability of CBC mode, which allows altering the ciphertext such that specific plaintext bits are flipped, without knowledge of the encryption key. The attack requires a server that decrypts a message and responds with 1 or 0 based on the message validity. This behavior essentially provides the attacker with a cryptographic oracle which can be used to mount an adaptive chosen-ciphertext attack. The attacker exploits this behavior to decrypt messages by executing adaptive queries. Vaudenay exploited a specific form of vulnerable behavior, where implementations validate the CBC padding structure and respond with 1 or 0 accordingly.
This class of attacks has been termed padding oracle attacks. Different types of CBC padding oracles have been used to break the confidentiality of TLS connections. These include Lucky Thirteen, Lucky Microseconds, Lucky 13 Strikes Back, and Ronen et al.
Another important attack is POODLE (Padding Oracle On Downgraded Legacy Encryption), which targets SSLv3 and its specific padding scheme. In SSLv3 only the last padding byte is checked. Möller, Duong and Kotowicz exploited this behavior and showed that implementations need to correctly verify all padding bytes. Similar behaviors were found in several TLS implementations.

How is it possible that such an old vulnerability is still present in 2019?

Writing this code correctly is very hard, even for experts. For example, in one instance experts introduced a dangerous form of this vulnerability while attempting to patch the code to eliminate it.
Identifying these vulnerabilities is also hard since some of them only manifest under a combination of specific conditions. For example, the OpenSSL vulnerability only manifests in OpenSSL version 1.0.2, only for non-stitched [1] cipher suites, and only when AES-NI is not used. It also requires subtle interactions between external code that calls the OpenSSL API and the OpenSSL code itself.
We take this opportunity to suggest deprecating CBC cipher suites in TLS altogether.
[1]: Stitched cipher suites is an OpenSSL term for optimized implementations of certain commonly used cipher suites. See here for more details.

Why are you not submitting your findings via BugBounty websites?

We tried to get in contact with security teams via common BugBounty sites but had very bad experiences. Man-in-the-Middle attacks are usually out of scope for most website owners, and security teams did not know how to deal with this kind of issue. We lost a lot of "Points" on Hackerone and BugCrowd for reporting such issues (with the intention to inform the vendor) and learned absolutely nothing by doing this. All in all a very painful experience. We hope that our new approach of disclosure is more useful to get in contact with developers and vendors.

Can this attack be used against Bitcoin?

No. This attack is based on a vulnerability present in the Cipher Block Chaining (CBC) mode of operation. Bitcoin does not use CBC. However, if you are a blockchain developer, we strongly recommend that you evaluate the security of your block chaining technology and, especially, its padding scheme.

Do you have a name or a logo for this vulnerability?

No. Sorry, not this time.
