Microsoft Security Bulletin (MS98-002)
----------------------------------------------------------------------------
Updates available for the "Error Message Vulnerability" against secured Internet servers

Last Revision: July 6, 1998

Last week, RSA Data Security notified the Microsoft Product Security Response Team of a vulnerability that affects properly implemented versions of the SSL protocol. Daniel Bleichenbacher, a researcher at Bell Labs, made this discovery. Bell Labs is the research arm of Lucent Technologies.

The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures Microsoft has developed to further secure its customers. No customers have currently reported being impacted by this issue. Only customers who use the SSL protocol in Microsoft's Internet server products can be affected by this vulnerability.

Please see RSA's announcement on this issue for additional information. A more technical review of Bleichenbacher's discovery is available from RSA Labs, a division of RSA Data Security (http://www.rsa.com/rsalabs), as well as from Bell Labs (http://www.bell-labs.com).

Description of Issue

By using complex mathematical analysis and some trial and error, Bleichenbacher discovered that an Internet transaction encrypted using SSL could be decoded. This is an issue that requires updating Internet server software, not client software such as Internet Explorer.

To use this discovered vulnerability as an attack, the attacker must first be able to observe the encrypted transaction between a web client and a web server. Once a recording of this encrypted transaction is made, the attacker would then need to send a large number of carefully constructed messages to the original web server and analyze the responses.
After approximately one million messages, the attacker would be able to decode the information contained in the single encrypted transaction they had earlier recorded. This would not give the attacker an advantage in decoding any other transactions that had been made by the server, nor would it necessarily give the attacker an advantage in decoding any other transactions performed by the user.

Due to the large number of messages needed, a web site operator could detect an attack through observations such as abnormal network or CPU utilization. Unlike some vulnerabilities that can be exploited more quickly by dividing the workload between multiple attacking machines, this attack cannot be divided among attackers to reduce the amount of work or time required to complete the attack. This is because the server is doing all the work, and is the gating factor in the attacker being able to decode the transaction. The faster an attacker tries to decode the information, the more of a strain it would put on the server, and the more detectable the attack would become.

Applicability to Microsoft Software

The Microsoft Product Security Response Team has produced an update that will work with the following Microsoft Internet server software:

* Microsoft Internet Information Server 3.0 and 4.0
* Microsoft Site Server 3.0 Commerce Edition
* Microsoft Site Server, Enterprise Edition
* Microsoft Exchange 5.0 and 5.5 (for SSL-enabled POP3 and SMTP)

Microsoft's Internet server software provides SSL 2.0, SSL 3.0, PCT 1.0, and TLS 1.0 for securing Internet-based communications. These protocols are all implemented in a single file called SCHANNEL.DLL, which is shared by the Microsoft Internet server software listed above. Updating this single file will resolve this vulnerability for these Microsoft server products. No updates are required for Internet client software, such as Internet Explorer.
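The "error message" in the vulnerability's name is the server's distinguishable reaction to malformed PKCS #1 v1.5 padding on the RSA-encrypted premaster secret; the carefully constructed messages described above probe that reaction. The following added example (not code from this bulletin or from SCHANNEL.DLL) places a leaky unpadding routine beside a uniform one that returns a random secret on any failure, the approach later TLS specifications recommended. The 128-byte encoded-message length and the 48-byte premaster secret are assumptions for the example.

```python
import secrets

# Assumptions (not stated in the bulletin): a 1024-bit RSA modulus, so the
# encoded message EM is k = 128 bytes, and a 48-byte SSL/TLS premaster secret.
K = 128
PREMASTER_LEN = 48

def pad_type2(msg: bytes, k: int = K) -> bytes:
    """PKCS #1 v1.5 block type 2: 0x00 0x02 || nonzero random bytes || 0x00 || msg."""
    ps_len = k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg

def unpad_leaky(em: bytes, k: int = K) -> bytes:
    """Vulnerable form: each defect produces a different error, so an observer
    who can tell the errors apart learns whether the block began with
    0x00 0x02. That distinguishable reaction is the oracle the attack needs."""
    if len(em) != k:
        raise ValueError("wrong length")
    if em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep < 10:
        raise ValueError("padding too short")
    return em[sep + 1:]

def unpad_uniform(em: bytes, k: int = K, msg_len: int = PREMASTER_LEN) -> bytes:
    """Hardened form: run every check, combine the results without
    short-circuiting, and on any failure hand back a random secret of the
    expected length. The handshake then fails later in the same way whether
    or not the padding was valid, so the response carries no padding bit.
    (Shows the uniform-response idea only; Python's find() and comparisons
    are not constant time.)"""
    ok = len(em) == k
    em = em.ljust(k, b"\x00")[:k]          # normalise so indexing below cannot raise
    ok &= em[0] == 0x00
    ok &= em[1] == 0x02
    sep = em.find(b"\x00", 2)              # -1 when no separator exists
    ok &= sep >= 10                        # separator present after >= 8 padding bytes
    ok &= (k - sep - 1) == msg_len         # payload has exactly the expected length
    candidate = em[sep + 1:]
    return candidate if ok else secrets.token_bytes(msg_len)
```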
What customers should do

Only customers that use SSL on their Internet servers need to take action. This issue affects both 40-bit and 128-bit versions of SSL (including SGC). Customers who use the server products listed above but do not use SSL are not affected and do not need to take any action. Customers who use Microsoft Internet client software are not affected and do not need to take any action.

Microsoft strongly recommends that customers using secure SSL Internet services with any of the Microsoft products listed above update to the latest version of SCHANNEL.DLL. More information on obtaining the latest version of SCHANNEL.DLL can be found in Microsoft Knowledge Base article Q148427, Updates in SChannel.DLL, http://support.microsoft.com/support/kb/articles/q148/4/27.asp

In addition, the following practices can help to further improve security for SSL-enabled Internet servers:

* Change server-side certificates on a periodic basis: By changing the certificate on a server, an attacker will no longer be able to use this vulnerability to decode transactions that were encrypted with the previous private key.
* Use a certificate on only a single system: Sometimes in server farms (large clusters of servers) the same certificate is installed on multiple systems. This is not recommended for the most secure solutions. If multiple servers are configured with the same certificate, an attacker could use the processing strength of each server to try to break a single session, thus reducing the time required.
* Monitor normal trend performance and look for changes: Since this attack uses the processing power of the server against itself, regular monitoring of CPU utilization and network traffic could give warning of an attack. For example, watching for a large amount of network traffic from a single source might indicate an attack.
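The monitoring practice above can be turned into a simple rule: count SSL handshakes per client address over a sliding window and flag any source whose count is far above the server's normal trend. The added example below (not from this bulletin or any Microsoft product) does that over a constructed log; the log format, the 60-second window and the threshold of 200 handshakes are assumptions to be tuned to a real deployment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not IIS's or Schannel's):
#   <ISO timestamp> <client IP> ssl_handshake <ok|fail>
WINDOW = timedelta(seconds=60)
THRESHOLD = 200   # handshakes per source per window; tune to the server's normal trend

def flag_sources(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of SSL handshakes per client IP.
    Returns {ip: peak count} for every source that exceeded the threshold
    inside some window. Lines must be in time order."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ts_s, ip, event, _result = line.split()
        if event != "ssl_handshake":
            continue
        ts = datetime.fromisoformat(ts_s)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def build_sample_log():
    """Constructed sample: five ordinary clients doing 20 handshakes each over
    ten minutes, plus one source pushing 300 handshakes at the server in
    30 seconds, most of which fail (the pattern the bulletin says to watch for)."""
    base = datetime(1998, 6, 26, 10, 0, 0)
    entries = []
    for n in range(5):
        for i in range(20):
            t = base + timedelta(seconds=30 * i + n)
            entries.append((t, f"192.0.2.{n + 1}", "ok"))
    for i in range(300):
        t = base + timedelta(seconds=120, milliseconds=100 * i)
        entries.append((t, "198.51.100.7", "fail" if i % 10 else "ok"))
    entries.sort()
    return [f"{t.isoformat()} {ip} ssl_handshake {res}" for t, ip, res in entries]

if __name__ == "__main__":
    for ip, peak in flag_sources(build_sample_log()).items():
        print(f"{ip}: {peak} handshakes within one {WINDOW.seconds}s window")
```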
Customers should review their deployments of products using SSL from all vendors and determine if they have any vulnerable implementations.

Bulletin Revision Information

* June 26, 1998: Bulletin Created
* July 6, 1998: Updates to hyperlink information, and other minor updates

For more information

There are a number of sources for more information on this issue.

* Microsoft Knowledge Base article Q148427, Updates in SChannel.DLL, http://support.microsoft.com/support/kb/articles/q148/4/27.asp
* RSA Labs advisory information, http://www.rsa.com/rsalabs/pkcs1/
* Bell Labs, http://www.bell-labs.com
* CERT Advisory CA-98.07.PKCS, http://www.cert.org/advisories/CA-98.07.PKCS.html

For additional information on security issues at Microsoft, please visit www.microsoft.com/security

----------------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft and/or its suppliers. All rights reserved. For Terms of Use see http://support.microsoft.com/support/misc/cpyright.asp.