SIK-2016-049


Title:

Weak SSL/TLS Cipher Suites in RWE Smarthome Appliance

Report ID

SIK-2016-049

Summary:

  • Vendor: RWE AG
  • Product: RWE Smarthome
  • Affected Version: n/a
  • Severity: medium
  • Short summary: The web server deployed on the RWE Smarthome appliance accepts weak cipher suites during SSL/TLS protocol negotiation, including 40-bit export suites with 512-bit RSA keys, and still negotiates SSLv3. The RWE management program (the client based on Microsoft Silverlight) shares the same issue.

Details:

The web server deployed on the RWE Smarthome appliance accepts weak cipher suites during SSL/TLS protocol negotiation. The RWE management program (the client based on Microsoft Silverlight) shares the same issue. The following list was obtained by enumerating the suites the appliance accepts for each protocol version.

List of accepted cipher suites:

Supported Server Cipher(s):
SSLv3    256 bits  AES256-SHA
SSLv3    128 bits  AES128-SHA
SSLv3    128 bits  RC4-SHA
SSLv3    128 bits  RC4-MD5
SSLv3    112 bits  DES-CBC3-SHA
SSLv3    56 bits   DES-CBC-SHA
SSLv3    40 bits   EXP-DES-CBC-SHA               RSA 512 bits
SSLv3    40 bits   EXP-RC2-CBC-MD5               RSA 512 bits
SSLv3    40 bits   EXP-RC4-MD5                   RSA 512 bits
TLSv1.0  256 bits  AES256-SHA
TLSv1.0  128 bits  AES128-SHA
TLSv1.0  128 bits  RC4-SHA
TLSv1.0  128 bits  RC4-MD5
TLSv1.0  112 bits  DES-CBC3-SHA
TLSv1.0  56 bits   DES-CBC-SHA
TLSv1.0  40 bits   EXP-DES-CBC-SHA               RSA 512 bits
TLSv1.0  40 bits   EXP-RC2-CBC-MD5               RSA 512 bits
TLSv1.0  40 bits   EXP-RC4-MD5                   RSA 512 bits

Export-grade suites should never be offered: their 40-bit symmetric keys and their 512-bit RSA key-exchange keys are both within reach of an attacker on current hardware. Single DES (56-bit key) is likewise brute-forceable, RC4 has well-known keystream biases, and MD5 is broken with respect to collisions. In addition, the appliance still negotiates SSLv3, a protocol version that is itself considered insecure and should be disabled entirely.

An adversary positioned between the RWE management program (the client based on Microsoft Silverlight) and the appliance can use this to downgrade the TLS connection, which in turn results in a loss of confidentiality, integrity and authenticity for all data transmitted on it. The adversary intercepts the CLIENT_HELLO sent by the client and the SERVER_HELLO returned by the server and then acts as a man-in-the-middle, running one TLS session with the server and another with the client. Towards both sides he claims to support only weak cipher suites, for instance the 40-bit export suites with their 512-bit RSA keys. Emulating the client against the server is trivial. Emulating the server against the client is harder, because the Finished messages authenticate the complete handshake transcript as each side saw it; a man-in-the-middle who merely rewrites the hello messages is detected at that point. To complete the downgraded handshake he therefore has to break the key exchange of the negotiated export suite on the fly: the 512-bit RSA export key can be factored, which yields the pre-master secret and with it the master secret from which both Finished messages are computed. Once downgraded, the 40-bit session keys are brute-forceable as well, so all subsequent traffic can be read and modified. (MD5 collisions do not by themselves break the keyed HMAC-MD5 that protects the records; where they matter is MD5-signed certificates, see the note on certificate pinning below.)
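To make the handshake argument above concrete, here is a toy model written for this page. It is not code from RWE or from the advisory, and it is not real TLS: the key exchange is textbook RSA with deliberately tiny keys (two random 16-bit primes stand in for the factorable 512-bit export key, the Mersenne primes 2^61-1 and 2^89-1 stand in for a full-strength key), the PRF is HMAC-SHA256, and the attacker's factoring capability is modelled as trial division with a fixed budget. The suite names are the ones from the scan output. The model shows the three outcomes discussed above: an honest handshake completes; a man-in-the-middle who only rewrites the CLIENT_HELLO is caught by the Finished check because the two transcripts differ; and one who can also break the export key exchange within the handshake recovers the master secret and forges both Finished messages. The last two calls in the usage note show that restricting either side to strong suites defeats the attack.

```python
"""Toy model of the cipher-suite downgrade (constructed example, not real TLS).
Key exchange is textbook RSA with tiny keys; Finished is HMAC-SHA256 over the
master secret and the handshake transcript as each side saw it."""
import hashlib
import hmac
import secrets

E = 65537


def is_prime(n):
    return n > 1 and all(n % p for p in range(2, int(n ** 0.5) + 1))


def make_key(p, q):
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


# Constructed toy keys.  Export suite: two random 16-bit primes (~32-bit
# modulus) standing in for the 512-bit export RSA key from the scan.  Strong
# suite: 2^61-1 and 2^89-1 (~150-bit modulus), beyond factor()'s budget.
_SMALL = [p for p in range(1 << 15, 1 << 16) if is_prime(p)]
KEYS = {
    "EXP-RC4-MD5": make_key(*secrets.SystemRandom().sample(_SMALL, 2)),
    "AES128-SHA": make_key(2 ** 61 - 1, 2 ** 89 - 1),
}
APPLIANCE = ["AES128-SHA", "EXP-RC4-MD5"]   # the appliance accepts both


def digest(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def finished(master, label, transcript):
    """Finished covers every handshake message the party saw."""
    return hmac.new(master, label + digest(*transcript), hashlib.sha256).digest()


def factor(n, budget=1 << 17):
    """Attacker's factoring capability, modelled as trial division up to
    `budget`: succeeds for the toy export modulus, fails for the strong one."""
    return next(((p, n // p) for p in range(3, budget, 2) if n % p == 0), None)


def master_secret(pm, ch, sh):
    return digest(pm.to_bytes(3, "big"), ch[-32:], sh[-32:])   # pm, client_random, server_random


def handshake(client_suites, server_suites, attacker=None):
    """Honest client and server, optionally through a man in the middle.
    attacker: None, "strip" (rewrites CLIENT_HELLO to export suites only) or
    "strip+factor" (also breaks the export key exchange on the fly).
    Returns (handshake_completed, master_secret_known_to_attacker)."""
    c_view, s_view = [], []                      # each side's transcript
    ch = b"CH|" + ",".join(client_suites).encode() + b"|" + secrets.token_bytes(32)
    c_view.append(ch)
    ch_seen = ch
    if attacker:                                 # MITM keeps only the export suites
        weak = [s for s in client_suites if s.startswith("EXP-")]
        ch_seen = b"CH|" + ",".join(weak).encode() + b"|" + ch[-32:]
    s_view.append(ch_seen)
    # SERVER_HELLO (+ certificate): first offered suite the server accepts
    offered = ch_seen.split(b"|")[1].decode().split(",")
    suite = next((s for s in offered if s in server_suites), None)
    if suite is None:
        return False, None
    key = KEYS[suite]
    sh = b"SH|" + suite.encode() + b"|" + str(key["n"]).encode() + b"|" + secrets.token_bytes(32)
    c_view.append(sh)
    s_view.append(sh)
    # CLIENT_KEY_EXCHANGE: pre-master secret encrypted to the server's key
    pm = secrets.randbits(24)
    cke = str(pow(pm, E, key["n"])).encode()
    c_view.append(cke)
    s_view.append(cke)
    master = master_secret(pm, ch, sh)
    s_master = master_secret(pow(int(cke), key["d"], key["n"]), ch_seen, sh)
    fin_c = finished(master, b"client", c_view)
    leaked = None
    if attacker == "strip+factor" and (pq := factor(key["n"])):
        d = pow(E, -1, (pq[0] - 1) * (pq[1] - 1))
        leaked = master_secret(pow(int(cke), d, key["n"]), ch, sh)
        fin_c = finished(leaked, b"client", s_view)   # forged for the server's view
    if not hmac.compare_digest(fin_c, finished(s_master, b"client", s_view)):
        return False, leaked                      # server aborts: transcripts differ
    fin_s = finished(s_master, b"server", s_view)
    if leaked:
        fin_s = finished(leaked, b"server", c_view)   # forged for the client's view
    return hmac.compare_digest(fin_s, finished(master, b"server", c_view)), leaked
```

Usage: `handshake(APPLIANCE, APPLIANCE)` returns `(True, None)`; `handshake(APPLIANCE, APPLIANCE, "strip")` returns `(False, None)` because the server's Finished check fails; `handshake(APPLIANCE, APPLIANCE, "strip+factor")` returns `(True, <master secret>)`, the full compromise. `handshake(["AES128-SHA"], APPLIANCE, "strip+factor")` and `handshake(APPLIANCE, ["AES128-SHA"], "strip+factor")` both return `(False, None)`: as soon as either the client or the server refuses the export suites, there is nothing left to downgrade to.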

This issue is rated medium severity because a successful man-in-the-middle attack still requires noteworthy effort in practice: the attacker needs a position on the network path between the management program and the appliance, and the weak key exchange has to be broken within the handshake timing constraints to avoid timeouts on either side.

We note that the management program does not enforce certificate pinning, i.e. it accepts any server certificate that chains to any CA in the Windows trust store. This widens the attack surface considerably: a certificate forged by way of a hash collision against a CA that still signs with a weak hash such as MD5, or one issued by a rogue CA that was installed on the user's machine through some other attack, lets the attacker impersonate the appliance directly, with no cipher downgrade needed.

Workaround

Prevent access to the network interface of the appliance by isolating it in a separate, protected subnet that is only shared with the computer that runs the management program.

Suggested Mitigation

Limit the set of accepted TLS cipher suites on both the client and the server to currently recommended secure suites and remove every suite with known security issues (export grade, DES, RC4, MD5); disable SSLv3 altogether. Require the server certificate to be signed by one specific certificate authority (certificate pinning on the CA certificate) instead of accepting any CA in the Windows trust store.
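The following is an added example for this advisory, not code from RWE or from the report, showing what the cipher criteria above and the suggested mitigation look like in practice on the client side with Python's standard ssl module. `weak_suites()` applies the criteria from the Details section (export grade, single DES, RC2/RC4, MD5, plus NULL and anonymous suites, which never belong in a policy) to any list of OpenSSL suite names, here the list copied from the scan output. `hardened_client_context()` is a client configuration that only negotiates TLS 1.2 or later with forward-secret AEAD suites, and `pin_to_ca()` trusts a single vendor CA file instead of the system store. The cipher string, the CA file name and the function names are assumptions made for this example; the Silverlight client in the advisory is not configured this way, the point is the policy itself.

```python
"""Added example (not RWE code): a client-side TLS policy that applies the
suggested mitigation with Python's ssl module, plus a check that flags the
suites this advisory objects to in any cipher list."""
import ssl

# Suite names copied from the scan output in this advisory (OpenSSL naming).
APPLIANCE_SUITES = [
    "AES256-SHA", "AES128-SHA", "RC4-SHA", "RC4-MD5", "DES-CBC3-SHA",
    "DES-CBC-SHA", "EXP-DES-CBC-SHA", "EXP-RC2-CBC-MD5", "EXP-RC4-MD5",
]

# Export grade, single DES, RC2/RC4 and MD5 are the problems named in the
# advisory; NULL and anonymous suites are added because they never belong.
WEAK_MARKERS = ("EXP-", "DES-CBC-", "RC4", "RC2", "MD5", "NULL", "ADH", "AECDH")


def weak_suites(names):
    """Return, in order, the suites in `names` that match any weak marker.
    3DES (DES-CBC3-SHA) is deliberately not matched: the advisory does not
    call it weak, although the hardened cipher string below drops it too."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


# Assumed policy: forward-secret AEAD suites only, with everything the
# advisory objects to excluded explicitly as well for readability.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
    ":!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!RC2:!MD5:!PSK"
)


def hardened_client_context():
    """Client-side counterpart of the mitigation: no SSLv3/TLS 1.0/1.1 and
    only the suites in HARDENED_CIPHERS.  PROTOCOL_TLS_CLIENT already turns
    on certificate verification and hostname checking."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def pin_to_ca(ctx, ca_pem_path):
    """CA-level pinning as suggested above: trust only the vendor CA stored
    in `ca_pem_path` (an assumed file).  load_default_certs() is never
    called, so no CA from the system trust store is accepted."""
    ctx.load_verify_locations(cafile=ca_pem_path)
    return ctx


def audit_context(ctx):
    """Summarise what a context will negotiate, for assertions and review."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "suites": names,
        "weak": weak_suites(names),
    }
```

`weak_suites(APPLIANCE_SUITES)` returns the six suites the advisory objects to (RC4-SHA, RC4-MD5, DES-CBC-SHA and the three EXP suites), while `audit_context(hardened_client_context())["weak"]` is empty. To connect, use `pin_to_ca(hardened_client_context(), "rwe-smarthome-ca.pem").wrap_socket(sock, server_hostname=host)`; the same cipher string and minimum version apply unchanged to a `PROTOCOL_TLS_SERVER` context on the appliance side, which is where the listed suites must be removed for the fix to be complete.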

Timeline

  • 2016-08-26 Vulnerability Discovered
  • 2016-08-29 Vulnerability Reported