Only Sandy Bridge (and earlier) Intel CPUs are affected

Mar 2, 2016 08:26 GMT

Yesterday's OpenSSL updates (1.0.2g and 1.0.1s) not only brought a fix against the already infamous DROWN attack but also patched seven other security flaws, one labeled as high, one moderate, and five as low severity.

Despite being marked as low priority, one of the patched vulnerabilities has the potential to wreak havoc, at least in enterprise or big data environments.

The vulnerability is known as CacheBleed (CVE-2016-0702) and is a side-channel attack against OpenSSL running on Intel processors: it detects cache-bank conflicts through minute timing variations.

Attack leverages CPU cache banks

In a side-channel attack, attackers observe and analyze measurable effects of cryptographic operations performed by a chip, extracting small bits of information at a time which, when put together, can sometimes recover the encryption key or provide clues about the data in transit.

A cache-bank or bank conflict occurs "when two simultaneous load operations have the same bit 2-5 of their linear address but they are not from the same set in the cache (bits 6-12)."

As Intel further explains, "Since 16-byte loads can cover up to three [cache] banks, and two loads can happen every cycle, it is possible that six of the eight banks may be accessed per cycle, for loads. A bank conflict happens when two load accesses need the same bank (their address has the same 2-4 bit value) in different sets at the same time."

Only Intel CPUs are vulnerable

According to the three researchers from universities in Australia, Israel, and the US who discovered the CacheBleed attack, Intel Sandy Bridge processors are the only ones confirmed vulnerable, but in theory the attack should also work on earlier microarchitectures, such as Nehalem and Core 2. The attack does not work on the more recent Haswell processors.

The researchers say that, during their tests, they managed to recover both 2048-bit and 4096-bit RSA secret keys from an OpenSSL 1.0.2f installation.

They also add that vulnerable versions include all versions of OpenSSL 0.9.7h and up, and that LibreSSL versions between (and including) 2.1.9 and 2.3.1 are also at risk.

First-ever successful cache-bank side-channel attack

The theoretical problem of cache-bank conflicts has been known since 2004, but this is the first time one was carried out in practice.

The vulnerability was rated as low severity because the attacker needs to have access and permissions to run malicious code on the server where OpenSSL is installed.

The researchers agreed with the rating but said the attack is dangerous nevertheless, especially in current-day cloud-based server setups, where the compromise of one server could be leveraged to access the encrypted communications of multiple tenants that share its hardware.