More RSA Key leakage. Go 1.5.


  • Discourse touched me in a no-no place

    This issue can affect RSA computations in crypto/rsa, which is used by crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue. Other protocol implementations that create many RSA signatures could also be impacted in the same way.

    Specifically, incorrect results in one part of the RSA Chinese Remainder computation can cause the result to be incorrect in such a way that it leaks one of the primes. While RSA blinding should prevent an attacker from crafting specific inputs that trigger the bug, on 32-bit systems the bug can be expected to occur at random around one in 2^26 times. Thus collecting around 64 million signatures (of known data) from an affected server should be enough to extract the private key used.

    Fixed in 1.5.3.
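To make the mechanism in the quoted advisory concrete, here is an added toy example (not code from the post or from Go's crypto/rsa): it signs with RSA-CRT, simulates an arithmetic error confined to the mod-p half by adding 1 to it (a stand-in for whatever the real math/big defect did, not a reproduction of it), shows why gcd(s^e - m, n) on that one bad signature of known data yields a prime factor, and shows the countermeasure a signer can apply: verify the CRT output against the public key before releasing it. The key is a constructed 20-bit toy, far too small for any real use.

```go
package main

import (
	"fmt"
	"math/big"
)

// Toy RSA-CRT key, constructed for this example only (far too small for real use).
type crtKey struct{ p, q, n, e, dp, dq, qInv *big.Int }
func toyKey() crtKey {
	p, q, one := big.NewInt(1000003), big.NewInt(1000033), big.NewInt(1)
	pm1, qm1 := new(big.Int).Sub(p, one), new(big.Int).Sub(q, one)
	e := big.NewInt(65537)
	d := new(big.Int).ModInverse(e, new(big.Int).Mul(pm1, qm1))
	return crtKey{p, q, new(big.Int).Mul(p, q), e, new(big.Int).Mod(d, pm1),
		new(big.Int).Mod(d, qm1), new(big.Int).ModInverse(q, p)}
}

// signCRT computes m^d mod n via CRT; a non-nil fault corrupts the mod-p half only.
func signCRT(k crtKey, m, fault *big.Int) *big.Int {
	mp, mq := new(big.Int).Exp(m, k.dp, k.p), new(big.Int).Exp(m, k.dq, k.q)
	if fault != nil {
		mp.Add(mp, fault) // simulated arithmetic error confined to one half
	}
	h := new(big.Int).Sub(mp, mq)
	h.Mul(h, k.qInv).Mod(h, k.p) // Garner: h = qInv*(mp-mq) mod p
	return h.Mul(h, k.q).Add(h, mq) // s = mq + h*q
}

// recoverFactor shows the leak: gcd(s^e - m, n) is n for a correct s, but q if only the mod-p half was wrong.
func recoverFactor(k crtKey, m, s *big.Int) *big.Int {
	t := new(big.Int).Exp(s, k.e, k.n)
	return new(big.Int).GCD(nil, nil, t.Sub(t, m).Abs(t), k.n)
}

// safeSign is the mitigation: verify the CRT output against the public key before releasing it.
func safeSign(k crtKey, m, fault *big.Int) (*big.Int, error) {
	s := signCRT(k, m, fault)
	if new(big.Int).Exp(s, k.e, k.n).Cmp(m) != 0 {
		return nil, fmt.Errorf("rsa: CRT result failed verification, signature withheld")
	}
	return s, nil
}

func main() {
	k, m := toyKey(), big.NewInt(123456789) // m plays the "known data" that was signed
	fmt.Println("factor leaked by one faulty signature:", recoverFactor(k, m, signCRT(k, m, big.NewInt(1))))
	_, err := safeSign(k, m, big.NewInt(1))
	fmt.Println("hardened signer:", err)
}
```

The verify-before-release check costs one public-key exponentiation per signature and turns a key-leaking fault into a refused signature, which is why it is the standard defence against CRT faults regardless of their cause.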



  • So in order to be affected by this, you need:

    • A program that was compiled on Go 1.5+, but not 1.5.3+
    • A 32-bit webserver
    • Go running the HTTPS portion of the site, as opposed to something like nginx, Apache, or Varnish
    • 2^26 tries to get the key


  • And the worst part is that the "known data" part is automatic for signatures. A (digital) signature serves no purpose without the data that was signed.



  • @Steve_The_Cynic said:

    A (digital) signature serves no purpose without the data that was signed.

    Yes, but if you have the private key you can impersonate the server. That is potentially more dangerous than being able to read encrypted data.



  • @Kian said:

    @Steve_The_Cynic said:
    A (digital) signature serves no purpose without the data that was signed.

    Yes, but if you have the private key you can impersonate the server. That is potentially more dangerous than being able to read encrypted data.


    My point was that the "known plaintext" attack is easier against signature keys than it is against encryption keys, because by definition the plaintext of a signature is known, otherwise the signature serves no purpose. (And therefore saying that the plaintext is/must be known is an exercise in redundancy, and might also be repeating itself and saying the same thing twice.)

    All of which makes the attack a little more dangerous than it already was, needless to say.



  • Fucking Chinese!



  • @ben_lubar said:

    So in order to be affected by this, you need:

    • 2^26 tries to get the key

    To me 2^26 in computing terms is basically the equivalent of

    Wiggle the key back and forth a bit and it is likely to pop open in no time at all.



  • 2^26 TCP connections do not take a trivial amount of time.



  • Let's say it takes 120ms for a TCP connection. 2^26 connections would be 93 days. If you could start 100 connections in parallel, you're done in less than a day.

    Anything with complexity of only 2^26 is just trivial to break.



  • You think nobody would suspect anything if you started over 60 million connections to their server?



  • Stop wasting your time defending this. You're smarter than that. No need to get butthurt when someone finds a bug in your favorite pet language.



  • I'm not defending it. It's a bug. It was fixed. I was just mentioning the absurd set of circumstances required to be affected by the bug.


  • Discourse touched me in a no-no place

    @ben_lubar said:

    You think nobody would suspect anything if you started over 60 million connections to their server?

    How many people actually run IDS on their servers, given how many attempts from rooted servers TDWTF gets every day?

    Of the ones that were being overly stupid about it:

    root@what:/var/ossec/logs# cat active-responses.log  | grep "drop.sh add" | tail -n50


  • @ben_lubar said:

    You think nobody would suspect anything if you started over 60 million connections to their server?

    Does it matter that it's one server? What if the same certificate is in use on 100 servers? Like a Facebook.

    And for the record, no, a Facebook wouldn't notice 60 million connections over a couple hours. It wouldn't even blip their analytics.


  • Notification Spam Recipient

    @blakeyrat said:

    Fucking Chinese!

    :giggity:



  • @NedFodder said:

    Stop wasting your time defending this. You're smarter than that.

    Nothing of value was affected by this bug because nobody actually uses Go for anything other than toy vanity projects.


  • Trolleybus Mechanic

    @ben_lubar said:

    You think nobody would suspect anything if you started over 60 million connections to their server?

    The intersection of "People who know how to code" and "people who know how to admin servers" is vanishingly small.

    Especially if it's some whatever server you tossed up there and ran a hobby project on. Maybe you check the admin interface once a month.

