Title

Private key leak via weak OpenSSL PRNG handling with FORK threading

Description

The affected versions of stunnel, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool and allows remote attackers to obtain private keys for ECDSA or DSA certificates.

When accepting a new connection, the server forks and the child process handles the request. The RAND_bytes() function of OpenSSL does not reset its state after the fork, but simply adds the current PID to the PRNG state, which is not guaranteed to be unique. OpenSSL also seeds the PRNG with the output of time(NULL), which means that vulnerability has to be exploited under a second.

However, mitigations implemented into OpenSSL 0.9.8j make the vulnerability not exploitable in the stock OpenSSL. The signing code for ECDSA and DSA explicitly seeds the pool with the digest to sign. The signing code of the OpenSSL FIPS module does not have that mitigation, but more recent versions of OpenSSL use a high resolution timer to seed DRBG.

Exploitability

The vulnerability is exploitable under the following conditions:

• stunnel versions 2.00 to 4.56 inclusive.
• FORK threading used:
  • stunnel older than 3.0;
  • FORK threads autodetected, or
  • FORK threads selected with "--with-threads=fork".
• ECDSA or DSA certificates used.
• OpenSSL versions earlier than 0.9.8j, or FIPS mode.

Impact

An attacker may be able to extract the private ECDSA or DSA key.

CVSS v2 Score

• CVSS Base Score: 2.6
  • Impact Subscore: 2.9
  • Exploitability Subscore: 4.9
• CVSS Temporal Score: 2.1
• Overall CVSS Score: 2.1

CVSS v2 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)

Recommendation

Upgrade to stunnel 4.57 or later, or rebuild stunnel with a different threading mode.

Credits

• Vulnerability discovery: Aris Adamantiadis
• This report: Aris Adamantiadis, Michał Trojnara