PolarSSL is now part of ARM (official announcement) and has been rebranded as mbed TLS.

PolarSSL Security Advisory 2013-02

Title: RC4 ciphersuites in SSL and TLS vulnerable
CVE: Unknown
Date: 13th of March 2013
Affects: all SSL libraries, including PolarSSL
Not affected: AES-GCM-based or CBC-based ciphersuites; servers and clients that only communicate over a private network
Impact: possible (partial) recovery of plaintext
Exploit: withheld
Solution: disable RC4-based ciphersuites
Credits: Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt

The paper On the Security of RC4 in TLS describes an attack that applies to implementations of RC4-mode ciphersuites in all versions of SSL and TLS.

The attack is based on the fact that statistical flaws in the keystream generated by the RC4 algorithm become apparent in TLS ciphertexts when the same plaintext is repeatedly encrypted at a fixed location across many TLS sessions.

Impact

When an RC4-based ciphersuite is used and an adversary can observe the ciphertext of many sessions and inject packets at will into the connection between the client and the server (for example, to make the client re-send the same secret at the same position in each session), the adversary can potentially use statistical analysis to recover that plaintext from the ciphertext messages.

Resolution

As the flaw is inherent to the use of RC4 ciphersuites, the only resolution is to disable the use of RC4-based ciphersuites within PolarSSL.

At compile time this can be achieved by commenting out the define for POLARSSL_ARC4_C in include/polarssl/config.h. Note that this removes the ARC4 module entirely, so any direct use of the arc4 API elsewhere in your application will no longer build.

An alternative, at run time, is to leave the RC4 suites out of the (0-terminated, preference-ordered) list of ciphersuite IDs passed to ssl_set_ciphersuites().
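The run-time option in working form, as an added example that is not PolarSSL's own code: the program derives an RC4-free, 0-terminated ID list by filtering suites on their names, which is the shape ssl_set_ciphersuites() expects. The suite table is a constructed stand-in for what ssl_list_ciphersuites() and ssl_get_ciphersuite_name() return in a real build, so the example runs without the library; the numeric IDs are the IANA values PolarSSL's TLS_* constants use.

```c
/* Build an RC4-free ciphersuite list for ssl_set_ciphersuites().
 * Added example, not PolarSSL's own code. The table below is a constructed
 * sample standing in for ssl_list_ciphersuites() / ssl_get_ciphersuite_name();
 * in a real build, iterate over those instead of sample_suites. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int id;            /* ciphersuite ID (IANA value, as PolarSSL defines it) */
    const char *name;  /* name in PolarSSL's hyphenated style */
} suite_t;

/* Constructed sample of suites a PolarSSL 1.2 build might offer. */
static const suite_t sample_suites[] = {
    { 0x9C,   "TLS-RSA-WITH-AES-128-GCM-SHA256" },
    { 0x2F,   "TLS-RSA-WITH-AES-128-CBC-SHA" },
    { 0xC011, "TLS-ECDHE-RSA-WITH-RC4-128-SHA" },
    { 0x05,   "TLS-RSA-WITH-RC4-128-SHA" },
    { 0x04,   "TLS-RSA-WITH-RC4-128-MD5" },
};
static const size_t sample_suite_count = sizeof sample_suites / sizeof sample_suites[0];

/* Name-based check: catches every RC4 variant (RSA, ECDHE, PSK, ...) rather
 * than relying on a hand-maintained block list of IDs. */
static int uses_rc4(const char *name)
{
    return strstr(name, "RC4") != NULL;
}

/* Copies the IDs of all non-RC4 suites into out, preserving order, and
 * 0-terminates the result. Returns the number of suites kept, or -1 if
 * out cannot hold them plus the terminator. */
int filter_rc4(const suite_t *in, size_t n_in, int *out, size_t out_len)
{
    size_t kept = 0;
    for (size_t i = 0; i < n_in; i++) {
        if (uses_rc4(in[i].name))
            continue;
        if (kept + 1 >= out_len)   /* leave room for the terminating 0 */
            return -1;
        out[kept++] = in[i].id;
    }
    out[kept] = 0;
    return (int) kept;
}

int main(void)
{
    int allowed[16];
    int n = filter_rc4(sample_suites, sample_suite_count, allowed, 16);
    if (n < 0) {
        fprintf(stderr, "output buffer too small\n");
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("keeping ciphersuite 0x%04X\n", allowed[i]);
    /* With the real library this is where the list is installed:
     *     ssl_set_ciphersuites( &ssl, allowed );
     * (hypothetical ssl_context named ssl; omitted so the example runs alone) */
    return 0;
}
```

Keep the filtered list alive for the lifetime of the ssl_context, since ssl_set_ciphersuites() stores the pointer rather than copying the array.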

Advice

We strongly advise you to consider whether your application needs RC4-dependent ciphersuites and to disable them if you have the option. Because the attack targets data sent repeatedly at a fixed position (session cookies and similar secrets are the obvious case), web-facing deployments should treat this as a priority. No real action is needed only if an adversary cannot gain access to (part of) the network between your servers and clients and thus cannot observe or inject packets.

Section: Security Advisories

Last updated: Jul 12, 2013