FREAK

FREAK
CVE-2015-0204 (OpenSSL), CVE-2015-1637 (Schannel), CVE-2015-1067 (Secure Transport)
Date discovered	March 3, 2015; 9 years ago
Discoverer	Schannel and Secure Transport)

FREAK ("Factoring RSA Export Keys") is a

Number Field Sieve algorithm, using as little as $100 of cloud computing services. Combined with the ability of a man-in-the-middle attack to manipulate the initial cipher suite negotiation between the endpoints in the connection and the fact that the finished hash only depended on the master secret, this meant that a man-in-the-middle attack with only a modest amount of computation could break the security of any website that allowed the use of 512-bit export-grade keys. While the exploit was only discovered in 2015, its underlying vulnerabilities had been present for many years, dating back to the 1990s.^[1]

Vulnerability

The flaw was found by researchers from

CVE-2015-0204.^[4]

Vulnerable software and devices included

CVE-2015-1067.^[9]

Sites affected by the vulnerability included the US federal government websites fbi.gov, whitehouse.gov and nsa.gov,[10] with around 36% of HTTPS-using websites tested by one security group shown as being vulnerable to the exploit.^[11] Based on geolocation analysis using IP2Location LITE, 35% of vulnerable servers are located in the US.^[12]

Press reports of the exploit have described its effects as "potentially catastrophic"

unintended consequence" of US government efforts to control the spread of cryptographic technology.^[10]

As of March 2015 [update], vendors were in the process of releasing new software that would fix the flaw.

Mozilla Firefox is not vulnerable against this flaw.^[17]

The research paper explaining this flaw has been published at the 36th IEEE Symposium on Security and Privacy and has been awarded the Distinguished Paper award.[18]

References

^ "The Dark Side of Microsoft Windows – Administrative..." BeyondTrust. Retrieved 2023-09-05.
^ B. Beurdouche & al (2015-05-18). "A Messy State of the Union: Taming the Composite State Machines of TLS" (PDF). IEEE Security and Privacy 2015.
^ ^a ^b "State Machine AttACKs against TLS (SMACK TLS)". smacktls.com.
^ "Vulnerability Summary for CVE-2015-0204". NIST. 20 February 2015.
^ Thomas Fox-Brewster (2015-03-03). "What The FREAK? Why Android And iPhone Users Need To Pay Attention To The Latest Hot Vulnerability". Forbes.
^ Steven J. Vaughan-Nichols (2015-03-03). "FREAK: Another day, another serious SSL security hole". ZDNet.
^ Darren Pauli (6 March 2015). "All Microsoft Windows versions are vulnerable to FREAK". The Register.
^ "Microsoft Security Advisory 3046015: Vulnerability in Schannel Could Allow Security Feature Bypass". Microsoft. March 5, 2015.
^ "About the security content of iOS 8.2". apple.com. 23 January 2017.
^ ^a ^b ^c Craig Timberg (2015-03-03). "'FREAK' flaw undermines security for Apple and Google users, researchers discover". Washington Post.
^ ^a ^b Dennis Fisher (2015-03-03). "New FREAK Attack Threatens Many SSL Clients". Threatpost.
^ "FREAK Servers By Country". 2015-03-03.
^ Dan Goodin (3 March 2015). ""FREAK" flaw in Android and Apple devices cripples HTTPS crypto protection". Ars Technica.
^ "About Security Update 2015-002". Apple. March 9, 2015.
^ "About the security content of iOS 8.2". Apple. March 9, 2015.
^ "Microsoft Security Bulletin MS15-031 - Important". Microsoft. March 10, 2015.
^ "Microsoft Admits Windows Users Are Vulnerable to FREAK Attacks". eweek.com.^{[permanent dead link]}
^ "IEEE Distinguished Paper award for A Messy State of the Union: Taming the Composite State Machines of TLS". 2015-05-18.

External links

[1] "The Dark Side of Microsoft Windows – Administrative..." BeyondTrust. Retrieved 2023-09-05.

[state-of-the-union-2] B. Beurdouche & al (2015-05-18). "A Messy State of the Union: Taming the Composite State Machines of TLS" (PDF). IEEE Security and Privacy 2015.

[smacktls.com-3] "State Machine AttACKs against TLS (SMACK TLS)". smacktls.com.

[4] "Vulnerability Summary for CVE-2015-0204". NIST. 20 February 2015.

[5] Thomas Fox-Brewster (2015-03-03). "What The FREAK? Why Android And iPhone Users Need To Pay Attention To The Latest Hot Vulnerability". Forbes.

[zdnet20150303-6] Steven J. Vaughan-Nichols (2015-03-03). "FREAK: Another day, another serious SSL security hole". ZDNet.

[7] Darren Pauli (6 March 2015). "All Microsoft Windows versions are vulnerable to FREAK". The Register.

[8] "Microsoft Security Advisory 3046015: Vulnerability in Schannel Could Allow Security Feature Bypass". Microsoft. March 5, 2015.

[9] "About the security content of iOS 8.2". apple.com. 23 January 2017.

[timberg2015-03-03-10] Craig Timberg (2015-03-03). "'FREAK' flaw undermines security for Apple and Google users, researchers discover". Washington Post.

[fisher2015-03-03-11] Dennis Fisher (2015-03-03). "New FREAK Attack Threatens Many SSL Clients". Threatpost.

[12] "FREAK Servers By Country". 2015-03-03.

[13] Dan Goodin (3 March 2015). ""FREAK" flaw in Android and Apple devices cripples HTTPS crypto protection". Ars Technica.

[14] "About Security Update 2015-002". Apple. March 9, 2015.

[15] "About the security content of iOS 8.2". Apple. March 9, 2015.

[16] "Microsoft Security Bulletin MS15-031 - Important". Microsoft. March 10, 2015.

[17] "Microsoft Admits Windows Users Are Vulnerable to FREAK Attacks". eweek.com.^{[permanent dead link]}

[state-of-the-union-award-18] "IEEE Distinguished Paper award for A Messy State of the Union: Taming the Composite State Machines of TLS". 2015-05-18.

[1]

[4]

[9]

[11]

[12]

[10]

[17]

Vulnerability

See also

References

External links