Microsoft Security Bulletin MS98-002 - Critical
Updates Available for the "The Error Message Vulnerability" Against Secured Internet Servers
Published: June 26, 1998 | Updated: July 06, 1998
Last Revision: July 6, 1998
Last week, RSA Data Security, Inc. notified the Microsoft® Product Security Response Team of a vulnerability that affects properly implemented versions of the Secure Socket Layer (SSL) protocol. Daniel Bleichenbacher, a researcher at Bell Labs, the research arm of Lucent Technologies, made this discovery.
The purpose of this bulletin is to inform Microsoft customers of this issue, its applicability to Microsoft products, and the availability of countermeasures that Microsoft has developed to further secure its customers. No customers have currently reported being impacted by this issue. The vulnerability can only affect customers who use the SSL protocol in Microsoft's internet server products.
Please see RSA's announcement on this issue for additional information. A more technical review of the Bleichenbacher's discovery is available from RSA Labs, a division of RSA Data Security, and from Bell Labs.
Description of Issue
Using complex mathematical analysis and some trial and error, Bleichenbacher discovered that an Internet transaction encrypted with SSL could be decoded. This is an issue that requires an updating of Internet server software, not client software such as Microsoft Internet Explorer.
To use this discovered vulnerability as an attack, the attacker must first be able to observe the encrypted transaction between a Web client and a Web server. Once a recording of this encrypted transaction is made, the attacker would then need to send a large number of carefully constructed messages to the original Web server and analyze the responses. After sending approximately one million messages, the attacker could decode the information contained in the single encrypted transaction he had earlier recorded.
This success would not give the attacker an advantage in decoding any other transactions that the server had been made, nor would it necessarily give the attacker an advantage in decoding other transactions performed by the user.
Due to the large number of messages needed, a Web site operator could detect an attack through observations such as abnormal network or CPU utilization.
Unlike some vulnerabilities that can be exploited more quickly by dividing the workload between multiple attacking machines, this attack cannot be divided among attackers to reduce the amount of work or time for an attack. The server is doing all the work, and is the gating factor in the attacker's ability to decode the transaction. The faster an attacker tries to decode the information, the more strain it puts on the server, and the more detectable the attack becomes.
Applicability to Microsoft Software
The Microsoft Product Security Response Team has produced an update that will work with the following Microsoft Internet server software:
- Microsoft Windows NT Server's Internet Information Server 3.0 and 4.0
- Microsoft Site Server 3.0 Commerce Edition
- Microsoft Site Server, Enterprise Edition
- >Microsoft Exchange 5.0 and 5.5 (for SSL-enabled POP3 and SMTP)
Vulnerability Identifier: CVE-1999-0007
Microsoft's Internet server software provides SSL 2.0, SSL 3.0, PCT 1.0, and TLS 1.0 for securing Internet-based communications. These protocols are implemented in a single file called SCHANNEL.dll, which is shared by the Microsoft Internet server software listed above. Updating this single file will resolve the vulnerability for the above Microsoft server products.
No updates are required for Internet client software, such as Microsoft Internet Explorer.
What Customers Should Do
Only customers that use SSL on their Internet servers need to take action. This issue affects both 40-bit and 128-bit versions of SSL (including SGC). Customers who use the server products listed above, but do not use SSL are not affected and do not need to take action.
Customers who use Microsoft internet client software are not affected and do not need to take any action.
Microsoft strongly recommends that customers using secure SSL Internet services with any of the Microsoft products listed above should update to the latest version of SCHANNEL.dll. More information on obtaining the latest version of SCHANNEL.dll can be found in Microsoft Knowledge Base article 148427, Updates in SCHANNEL.dll, http://support.microsoft.com/default.aspx?scid=kb;en-us;148427&sd=tech
In addition, the following practices can help to improve security further for SSL-enabled Internet servers:
- Change server-side certificates on a periodic basis: By changing the certificate on a server, an attacker can no longer use this vulnerability to decode transactions that were encrypted with the previous private key.
- Use a certificate on only a single system: Sometimes in server farms (large clusters of servers) the same certificate is installed on multiple systems. This is not recommended for the most secure solutions. If multiple servers are configured with the same certificate, an attacker could use the processing strength of each server to try to break a single session, thus reducing the time required for an attacker.
- Monitor normal trend performance and look for changes: Since this attack uses the processing power of the server against itself, regular monitoring of CPU utilization and network traffic could give warning of an attack. For example, watching for a large amount of network traffic from a single source might indicate an attack.
Customers should review their deployments of products using SSL from all vendors and determine if they have any vulnerable implementations.
For more information
There are a number of sources for more information on this issue.
- Microsoft Knowledge Base article 148427, Updates in SChannel.DLL,
- RSA Labs advisory information, http://www.rsasecurity.com/rsalabs/pkcs/workshop/index.html
- Bell Labs, http://www.bell-labs.com
- CERT Advisory CA-98.07.PKCS, http://www.cert.org/advisories/CA-98.07.PKCS.html
- June 26, 1998: Bulletin Created
- July 6, 1998: Updates to hyperlink information, and other minor updates
For additional information on security issues at Microsoft, please visit http://www.microsoft.com/technet/security
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Built at 2014-04-18T13:49:36Z-07:00