Background

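Recently a customer consulted us about a security issue with AWS Elastic Load Balancer, claiming that when they audited port 443 with HP Fortify WebInspect, the port was found to have the CVE-2009-3555 vulnerability. In our experience, AWS patches vulnerabilities extremely quickly, and would publish an explanation and e-mail its users. So we began the following investigation.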

First, the security team provided some explanation of the vulnerability along with a solution:

Solution:

A closer look

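CVE-2009-3555 was discovered by Marsh Ray on Nov 5 2009. In Feb 2010 the IETF drafted the fix, RFC5746, which adds the Renegotiation Indication extension to TLS and lets a client include the SCSV or the RI extension when sending its ClientHello in order to perform Secured Renegotiation. The security team's Apache Mod-SSL patch does not implement RFC5746; it only blocks renegotiation. Looking at the openssl CHANGELOG, version 0.9.8l on Nov 5 2009 likewise simply blocked it: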

 Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]

     Disable renegotiation completely - this fixes a severe security
     problem (CVE-2009-3555) at the cost of breaking all
     renegotiation. Renegotiation can be re-enabled by setting
     SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
     run-time. This is really not recommended unless you know what
     you're doing.
     [Ben Laurie]

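On Nov 11 2009 the IETF began drafting the fix, adding the Magic cipher suite (MCSV) and the RI extension, and OpenSSL followed. RFC5746 was eventually published, and OpenSSL completed both the vulnerability fix and its RFC5746 implementation.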

Verifying the RFC5746 implementation

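Someone on the AWS forums asked about CVE-2009-3555 and someone else answered, but the openssl 0.9.8m used in that example does not pass our test, possibly because we have already disabled SSLv3. So I wrote a patch that can switch the SCSV on and off; the tests are as follows: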

SCSV enabled:

[shawn@pacman openssl (master)]$ apps/openssl s_client -connect bev-xxxxxxxx.com:443 
CONNECTED(00000003)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client	<-- we send the SCSV
Empty RI extension received by client			<-- the server sends us the RI extension
...
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported			<-- because the RI extension is present, Secure Renegotiation is reported as supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
...
---
R
RENEGOTIATING
Non-empty RI extension sent by client			<-- per RFC5746, the RI extension must be sent when renegotiating
Non-empty RI extension received by client		<-- the server sends us the RI extension
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
							<-- success

SCSV disabled:

[shawn@pacman openssl (master)]$ apps/openssl s_client -connect bev-xxxxxxxx.com:443 -no_scsv
CONNECTED(00000003)
TLS_EMPTY_RENEGOTIATION_INFO_SCSV is skipped		<-- the SCSV is not sent, and no RI extension is received
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported			<-- Secure Renegotiation is reported as not supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
...
---
R
RENEGOTIATING						<-- we attempt to renegotiate
140163421636240:error:14094153:SSL routines:ssl3_read_bytes:no renegotiation:s3_pkt.c:1557:
							<-- failure, connection closed (the server sends a TLS Alert here; it is the client that closes the connection)
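
The two runs above differ only in whether the ClientHello carries the SCSV, and a server may answer with the RI extension only when the client signalled first. The following is an added example, not part of the original post or of the author's OpenSSL patch: it parses a ClientHello/ServerHello pair and classifies the result. The function names, the verdict labels and the sample messages built by build_hello are constructed for illustration.

```python
import struct
SCSV = 0x00FF      # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
EXT_RI = 0xFF01    # renegotiation_info extension type (RFC 5746)

def build_hello(msg_type, suites, exts=()):
    """Constructed sample: minimal ClientHello (1) / ServerHello (2) handshake message."""
    body = b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session_id
    raw = b"".join(struct.pack("!H", s) for s in suites)
    if msg_type == 1:
        body += struct.pack("!H", len(raw)) + raw + b"\x01\x00"  # suite list + null compression
    else:
        body += raw[:2] + b"\x00"                        # chosen suite + null compression
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body += struct.pack("!H", len(ext)) + ext if ext else b""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def parse_hello(msg):
    """Return (msg_type, cipher_suites, extensions) for a ClientHello or ServerHello."""
    msg_type, body = msg[0], msg[4:]
    if msg_type not in (1, 2) or int.from_bytes(msg[1:4], "big") != len(body):
        raise ValueError("not a complete ClientHello/ServerHello")
    pos = 35 + body[34]                 # skip version (2), random (32), session_id
    if msg_type == 1:
        n = struct.unpack_from("!H", body, pos)[0]
        suites = list(struct.unpack_from("!%dH" % (n // 2), body, pos + 2))
        pos += 2 + n
        pos += 1 + body[pos]            # skip compression_methods
    else:
        suites = [struct.unpack_from("!H", body, pos)[0]]
        pos += 3                        # cipher_suite + compression_method
    exts = {}
    if pos < len(body):                 # the extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return msg_type, suites, exts

def renegotiation_verdict(client_hello, server_hello):
    """Classify an initial handshake by its RFC 5746 signalling."""
    _, c_suites, c_exts = parse_hello(client_hello)
    _, _, s_exts = parse_hello(server_hello)
    if EXT_RI in s_exts:
        return "secure"         # server answered with renegotiation_info
    if SCSV in c_suites or EXT_RI in c_exts:
        return "legacy"         # client signalled, server did not answer
    return "inconclusive"       # client never signalled, so the server could not answer
```

A probe that sends neither the SCSV nor the RI extension can only ever reach "inconclusive", which is the situation in the -no_scsv run: the missing RI extension there reflects what the client sent, not what the server supports.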

Summary

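This is a vulnerability from 2010. The finding was probably a false positive caused by the security team not having upgraded their scanner, and the exercise also increased our confidence in AWS security. You can use it with peace of mind.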