BERserk

Last updated: 2014-10-06

The Advanced Threat Research team at McAfee and Antoine Delignat-Lavaud (INRIA Paris, PROSECCO) have discovered a critical class of vulnerability in the ASN.1 parsing used in certain crypto libraries, including Mozilla NSS. This vulnerability (dubbed BERserk) allows attackers to forge RSA signatures, and thereby to bypass authentication to websites using SSL/TLS. Authentication mechanisms within firmware on specific devices may be compromised as well, allowing attackers to compromise the integrity of software on the device.

Attack Detail
This is a variant of Daniel Bleichenbacher’s PKCS#1 v1.5 RSA Signature Forgery vulnerability (CVE-2006-4339, http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html ). Due to an incorrect check on signature padding, this new attack variant allows for RSA signatures to be successfully forged without knowledge of the corresponding RSA private key. Attackers are able to “man-in-the-middle” connections that are assumed to be secure (via SSL), allowing them to monitor and intercept data transmitted over that session.

The attack exploits a vulnerability in the parsing of an ASN.1-encoded sequence during signature verification. ASN.1-encoded sequences are made up of objects that are encoded using BER and/or DER. The attack relies on the fact that bytes are skipped during parsing of certain fields; that lenient parsing is the condition that enables the forgery.
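The generic guidance for implementers is to avoid walking the attacker-controlled block with a permissive BER parser at all. The following is an added example (not code from McAfee, INRIA or NSS) showing the two defensive options: re-encoding the expected EMSA-PKCS1-v1_5 block and comparing it in full, as RFC 8017 section 8.2.2 recommends, and, where a DigestInfo parser is unavoidable, a strict DER reader that rejects indefinite and non-minimal lengths and any trailing bytes. The DigestInfo prefixes are the standard ones from RFC 8017 section 9.2; the message, modulus size and malformed test block are constructed for the example.

```python
"""Defensive PKCS#1 v1.5 encoding checks (added example, not the page's or NSS's code)."""
import hashlib
import hmac

# DigestInfo DER prefixes from RFC 8017 section 9.2, note 1; the hash value follows them.
DIGESTINFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def emsa_pkcs1_v15_encode(message: bytes, k: int, hash_name: str = "sha256") -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 8017 9.2): 00 01 || FF..FF || 00 || DigestInfo, k bytes long."""
    t = DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_em_by_comparison(em: bytes, message: bytes, k: int, hash_name: str = "sha256") -> bool:
    """Preferred check (RFC 8017 8.2.2 step 4): re-encode and compare the whole block.
    Nothing inside the attacker-influenced block is parsed, so there is no padding walk
    or ASN.1 length field whose bytes could be skipped."""
    if len(em) != k:
        return False
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, k, hash_name))


def read_der_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Strict DER tag/length/value reader for single-byte tags.
    Refuses indefinite lengths, non-minimal long-form lengths and truncated values,
    which are the BER permissiveness a DER signature verifier must not accept."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        if buf[pos] == 0:
            raise ValueError("leading zero length byte: non-minimal length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80:
            raise ValueError("long form used for a short length: non-minimal")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_digestinfo_strict(t: bytes) -> tuple[bytes, bytes]:
    """Parse DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest }.
    Every length must account for every byte: no slack inside the SEQUENCE and no
    trailing data after it. Returns (algorithm_identifier_contents, digest)."""
    tag, seq, end = read_der_tlv(t, 0)
    if tag != 0x30 or end != len(t):
        raise ValueError("DigestInfo must be a SEQUENCE consuming the whole block")
    tag, algid, pos = read_der_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, digest, pos = read_der_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("digest must be an OCTET STRING that ends the SEQUENCE")
    return algid, digest


if __name__ == "__main__":
    msg = b"constructed message"  # constructed sample input
    k = 256  # RSA-2048 modulus size in bytes
    em = emsa_pkcs1_v15_encode(msg, k)
    print("well-formed block accepted:", verify_em_by_comparison(em, msg, k))
    t = DIGESTINFO_PREFIX["sha256"] + hashlib.sha256(msg).digest()
    # Constructed malformed block: short padding, DigestInfo, then filler bytes.
    bad = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x00" * (k - 11 - len(t))
    print("malformed block accepted:", verify_em_by_comparison(bad, msg, k))
    print("strict DigestInfo parse:", parse_digestinfo_strict(t)[1].hex())
```

The comparison check is the simplest to get right and is what the Bleichenbacher advisory already recommended; the strict reader exists for code that must inspect the AlgorithmIdentifier (for example to pin the hash OID), and it fails closed on every encoding shortcut rather than skipping over it.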

Part one of our technical analysis of the "BERserk" vulnerability is not vendor- or library-specific. Rather, we provide generic guidance in an effort to allow developers to avoid these issues in future implementations.
Download the paper

Update: October 6, 2014: Part two of our analysis is now available. This update explores the specifics of the attack against Mozilla NSS.
Download part two of the paper

Example
An attacker can forge/spoof the authentication between an end user and their bank website. In such a “man-in-the-middle” scenario, all personal data communicated in the browser session can be intercepted and/or compromised. Both the integrity and the confidentiality of the data exchanged in that session are at risk. The picture below illustrates this attack against SSL/TLS digital certificates.

The following screenshot demonstrates that SSL/TLS digital certificates (RSA-2048 with SHA-1) are successfully forged using this vulnerability and validated by the latest version of the Mozilla Firefox web browser.

Additional Q&A
Why is it named BERserk?
This issue is named BERserk because the vulnerability is enabled by the incorrect parsing of certain BER (Basic Encoding Rules) encoded sequences in the implementation of RSA signature verification.
Is this being exploited in-the-wild?
While McAfee is unaware of any attacks exploiting BERserk, we strongly advise individuals and organizations using Firefox to take immediate action to update their browsers with the latest security update from Mozilla.

Additional References