Amiga SSL Vulnerabilities
=========================

The latest version of this advisory is available at:
https://sintonen.fi/advisories/amiga-ssl-vulnerabilities.txt

1. Background
-------------

Application Transport Layer Security has been under scrutiny in recent
years. At the same time there are still a handful of Amiga users who use
applications with rather old TLS implementations. I decided to check the
security of the common TLS implementation on Amiga, AmiSSL 3.6, available
at http://www.heightanxiety.com/AmiSSL/

I tested the security of two common classic Amiga web browsers, IBrowse and
AWeb, and the email clients SimpleMail and YAM.

2. Summary
----------

- IBrowse 2.4 is vulnerable to Man in the Middle attacks (sslsniff).
- SimpleMail 0.40 is vulnerable to Man in the Middle attacks (sslsniff).
- AWeb and IBrowse 2.4 support insecure SSL 2.0 and weak ciphers, enabling
  trivial attacks against the encrypted traffic.
- SimpleMail allows weak ciphers, enabling trivial attacks against the
  encrypted traffic.
- AmiSSL is based on an old version of OpenSSL, and several security
  vulnerabilities have been found since:
  https://www.openssl.org/news/vulnerabilities.html
- YAM 2.9 has a secure SSL implementation (barring the deficiencies in
  AmiSSL itself).

3. Details
----------

3.1 IBrowse 24.43 (22.12.2006) [AmiSSL v3]
------------------------------------------

- Supports SSL 2.0 and SSL 3.0 protocols. Does not support TLS 1.0,
  TLS 1.1 or TLS 1.2 protocols.
- By default IBrowse enables the insecure and deprecated SSL 2.0 protocol,
  which has several critical vulnerabilities:
  https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_2.0
  It is possible (and recommended) to disable SSL 2.0 support in
  Preferences/Security.
- IBrowse allows insecure 40-bit and export ciphers. It is possible (and
  recommended) to disable DES, 3DES (Encryption), MD5 (MAC) and Export
  (Cipher grade) from the Ciphers in Preferences/Security.
- IBrowse is vulnerable to Man-in-the-Middle attacks. An attacker with a
  privileged network position is able to read and/or modify the traffic as
  they see fit. The result is loss of confidentiality and integrity of the
  connection. The sslsniff tool can be used to mount these attacks.

3.2 SimpleMail 0.40 (24.12.2013) [AmiSSL v3]
--------------------------------------------

- Supports SSL 3.0 and TLS 1.0 protocols. Does not support SSL 2.0,
  TLS 1.1 or TLS 1.2 protocols.
- SimpleMail allows insecure EDH (56-bit) and export ciphers.
- SimpleMail is vulnerable to Man-in-the-Middle attacks. An attacker with a
  privileged network position is able to read and/or modify the traffic as
  they see fit. The result is loss of confidentiality and integrity of the
  connection. The sslsniff tool can be used to mount these attacks.
- Example MitM session:

  # iptables -t nat -A PREROUTING -p tcp --destination-port 995 -j REDIRECT --to-ports 4995
  # sslsniff -a -c /usr/share/sslsniff/certs/wildcard -s 4995 -w /dev/stdout
  1385227016 INFO sslsniff : Added OCSP URL: ocsp.ipsca.com
  1385227016 INFO sslsniff : Certificate Ready: *
  sslsniff 0.8 by Moxie Marlinspike running...
  1385227031 DEBUG sslsniff : Read from Server (mail.inet.fi) :
  +OK POP3 PROXY server ready <78C95167860707AE4A250766C02C8530E2018187@hanna2.rokki.sonera.fi>
  1385227032 DEBUG sslsniff : Read from Client (mail.inet.fi) :
  USER harry
  1385227032 DEBUG sslsniff : Read from Server (mail.inet.fi) :
  +OK Password required
  1385227032 DEBUG sslsniff : Read from Client (mail.inet.fi) :
  PASS secretpassword

3.3 AWeb 3.5.09 (May 13 2007) [AmiSSL v3]
-----------------------------------------

- Supports SSL 2.0, SSL 3.0 and TLS 1.0 protocols. Does not support
  TLS 1.1 or TLS 1.2 protocols.
- Supports the insecure and deprecated SSL 2.0 protocol, which has several
  critical vulnerabilities:
  https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_2.0
  There is no user interface option to disable SSL 2.0.
- AWeb allows insecure 40-bit and export ciphers.

4. Remediation
--------------

4.1 Man in the Middle vulnerabilities
-------------------------------------

To mitigate the Man in the Middle vulnerabilities, new versions of IBrowse
and SimpleMail are required.

A common cause of the Man in the Middle vulnerability is forgetting to
enable SSL peer verification with:

  SSL_CTX_set_verify(sslcontext, SSL_VERIFY_PEER, 0)

Additionally, the code needs to provide up-to-date CA certificates for the
validation to work.

4.2 Insecure SSL 2.0
--------------------

New applications should disable SSL 2.0 by using SSL_CTX_set_options:

  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2)

Meanwhile, as a workaround for the insecure SSL 2.0 protocol, it is
possible to limit AmiSSL to SSL 3.0 only by issuing the following command:

  setenv save AmiSSL/SSL_CLIENT_VERSION ssl3

This workaround will, however, disable TLS connections to servers that do
not support the SSL 3.0 protocol.

4.3 Weak ciphers
----------------

The most likely cause of the weak ciphers is forgetting to specify the
ciphers the application desires to use with an SSL_CTX_set_cipher_list()
call. Currently the recommended cipher list is:

  "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK@STRENGTH"

4.4 New version of AmiSSL
-------------------------

A new version of AmiSSL which disables SSL 2.0 and the weak ciphers could
be released. This way old applications would automatically benefit from
having SSL 2.0 and weak ciphers disabled.
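
The settings from sections 4.1 to 4.3 applied together and then checked, as an added example that is not part of the original advisory. It uses Python's ssl module (a wrapper around OpenSSL) instead of the C API; the function names and the weak-name list are assumptions made for this example, and the host name check goes beyond what the advisory asks for.

```python
import ssl

# Cipher list quoted in section 4.3 of the advisory.
ADVISORY_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK@STRENGTH"
# Cipher-name substrings that list is meant to exclude (chosen for this example).
WEAK_NAME_PARTS = ("NULL", "EXP", "DES", "MD5", "PSK")


def hardened_client_context(cafile=None):
    """Build a client context with the fixes from sections 4.1 to 4.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # 4.1: counterpart of SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0).
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # addition: also bind the certificate to the host
    # 4.1: verification only works with current CA certificates loaded.
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    # 4.2: same flag as SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); it changes
    # nothing on OpenSSL builds that have removed SSL 2.0 altogether.
    ctx.options |= ssl.OP_NO_SSLv2
    # 4.3: counterpart of SSL_CTX_set_cipher_list().
    ctx.set_ciphers(ADVISORY_CIPHERS)
    return ctx


def unverified_client_context():
    """Reproduce the root cause from 4.1: peer verification never enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (4.1)")
    if not ctx.check_hostname:
        findings.append("certificate host name is not checked (4.1)")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        weak_name = any(part in name for part in WEAK_NAME_PARTS)
        if weak_name or cipher["strength_bits"] < 128:
            findings.append("weak cipher enabled: %s (4.3)" % name)
    return findings
```

Calling audit_context() on a context before it is used for a connection turns the advisory's three remediation points into a check that can run in a test suite.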