Weak SSL/TLS Cipher Suites in RWE Smarthome Appliance
- Vendor: RWE AG
- Product: RWE Smarthome
- Affected Version: n/a
- Severity: medium
- Short summary: The web server deployed on the RWE Smarthome appliance reports that it accepts weak cipher suites during SSL/TLS protocol negotiation. The RWE management program (the program based on Microsoft Silverlight) shares the same issue.
List of accepted cipher suites:
Supported Server Cipher(s):
SSLv3 256 bits AES256-SHA
SSLv3 128 bits AES128-SHA
SSLv3 128 bits RC4-SHA
SSLv3 128 bits RC4-MD5
SSLv3 112 bits DES-CBC3-SHA
SSLv3 56 bits DES-CBC-SHA
SSLv3 40 bits EXP-DES-CBC-SHA RSA 512 bits
SSLv3 40 bits EXP-RC2-CBC-MD5 RSA 512 bits
SSLv3 40 bits EXP-RC4-MD5 RSA 512 bits
TLSv1.0 256 bits AES256-SHA
TLSv1.0 128 bits AES128-SHA
TLSv1.0 128 bits RC4-SHA
TLSv1.0 128 bits RC4-MD5
TLSv1.0 112 bits DES-CBC3-SHA
TLSv1.0 56 bits DES-CBC-SHA
TLSv1.0 40 bits EXP-DES-CBC-SHA RSA 512 bits
TLSv1.0 40 bits EXP-RC2-CBC-MD5 RSA 512 bits
TLSv1.0 40 bits EXP-RC4-MD5 RSA 512 bits
Export cipher suites should generally be avoided. DES is no longer considered secure, RC4 has known flaws, and known hash collisions exist for MD5. Symmetric keys of 56 bits and 40 bits can be brute-forced with modest effort on current hardware, and the 512-bit RSA keys used by the export suites can be factored. Support for SSLv3 itself is a further weakness, since the protocol is obsolete and should not be offered at all.
An adversary can use this to downgrade the TLS connection between the RWE management program (the Silverlight-based program) and the appliance, which can in turn result in a loss of integrity, authenticity and confidentiality for all data transmitted on this connection. The adversary intercepts the ClientHello from the client and the ServerHello from the server, then acts as a man-in-the-middle who runs one TLS session with the server and one with the client, claiming to both sides to accept only weak cipher suites. Emulating the client towards the server is trivial, because the server accepts every weak suite listed above. Emulating the server towards the client requires a certificate the client will accept; since the client does not pin the server certificate (see below), any certificate chaining to a CA in the Windows trust store suffices, including one obtained by exploiting a CA that still signs with a weak digest such as MD5, for which known collisions exist. Alternatively, the adversary can downgrade the negotiation to an export or DES suite and break the 40-bit or 56-bit session key (or the 512-bit export RSA key) offline.
This attack is rated medium severity because a successful man-in-the-middle attack still requires noteworthy effort in practice: the adversary needs a network position between the management program and the appliance, and the attack must be carried out under timing constraints to avoid timeouts on either side.
We note that the management program does not enforce certificate pinning, i.e. it accepts any server certificate that chains to a CA in the Windows trust store. This gives the attacker more ways to obtain a certificate the client will accept: a hash collision against a CA that still signs with a weak digest, or simply a rogue CA that was installed on the user's machine through some other attack.
Prevent access to the network interface of the appliance by isolating it in a separate, protected subnet that is shared only with the computer that runs the management program.
Limit the set of accepted TLS cipher suites on both the client and the server to recommended secure suites, and remove those with known security issues (the export suites, DES and 3DES, RC4, the MD5-based suites, and SSLv3 as a whole). Require the server certificate to be signed by one specific certificate authority (certificate pinning on the CA certificate) instead of any CA in the Windows trust store.
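As an added example (not code from the advisory or from RWE), the following script applies the rejection criteria above to scanner output in the format quoted in the cipher suite listing, and contrasts it with a hardened client configuration built with Python's ssl module. The sample input is constructed from the suites listed in the advisory; the 128-bit and 2048-bit thresholds, the cipher string and the optional pinned-CA parameter are this example's own choices, not the vendor's.

```python
"""Classify scanner-reported cipher suites and build a hardened TLS context.

Added example, not part of the original advisory. SCAN_OUTPUT is constructed
from the suites quoted in the advisory; thresholds and the hardened cipher
string below are this example's own assumptions.
"""
import re
import ssl

# Constructed sample: the suites reported for the appliance, one per line.
SCAN_OUTPUT = """\
SSLv3 256 bits AES256-SHA
SSLv3 128 bits AES128-SHA
SSLv3 128 bits RC4-SHA
SSLv3 128 bits RC4-MD5
SSLv3 112 bits DES-CBC3-SHA
SSLv3 56 bits DES-CBC-SHA
SSLv3 40 bits EXP-DES-CBC-SHA RSA 512 bits
SSLv3 40 bits EXP-RC2-CBC-MD5 RSA 512 bits
SSLv3 40 bits EXP-RC4-MD5 RSA 512 bits
TLSv1.0 256 bits AES256-SHA
TLSv1.0 128 bits AES128-SHA
TLSv1.0 128 bits RC4-SHA
TLSv1.0 128 bits RC4-MD5
TLSv1.0 112 bits DES-CBC3-SHA
TLSv1.0 56 bits DES-CBC-SHA
TLSv1.0 40 bits EXP-DES-CBC-SHA RSA 512 bits
TLSv1.0 40 bits EXP-RC2-CBC-MD5 RSA 512 bits
TLSv1.0 40 bits EXP-RC4-MD5 RSA 512 bits
"""

# "<proto> <bits> bits <suite-name>" with an optional "RSA <n> bits" for export suites.
LINE_RE = re.compile(
    r"^(?P<proto>SSLv[23]|TLSv1(?:\.[0-3])?)\s+(?P<bits>\d+) bits\s+"
    r"(?P<name>\S+)(?:\s+RSA (?P<rsa>\d+) bits)?$"
)


def parse_scan(text):
    """Turn scanner lines into dicts (proto, bits, name, rsa); other lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        suites.append({
            "proto": m["proto"],
            "bits": int(m["bits"]),
            "name": m["name"],
            "rsa": int(m["rsa"]) if m["rsa"] else None,
        })
    return suites


def weaknesses(suite):
    """Reasons to reject a suite, in a fixed order; an empty list means it passes."""
    reasons = []
    if suite["proto"] in ("SSLv2", "SSLv3"):
        reasons.append("obsolete protocol")
    if suite["name"].startswith("EXP-"):
        reasons.append("export-grade suite")
    if suite["bits"] < 128:            # catches single DES (56), 3DES (112), export (40)
        reasons.append(f"{suite['bits']}-bit symmetric key")
    if "RC4" in suite["name"]:
        reasons.append("RC4")
    if suite["name"].endswith("-MD5"):
        reasons.append("MD5 MAC")
    if suite["rsa"] is not None and suite["rsa"] < 2048:
        reasons.append(f"{suite['rsa']}-bit RSA key")
    return reasons


def classify(text):
    """Return (accepted, rejected) lists of ("<proto> <name>", reasons)."""
    accepted, rejected = [], []
    for s in parse_scan(text):
        r = weaknesses(s)
        (rejected if r else accepted).append((f"{s['proto']} {s['name']}", r))
    return accepted, rejected


# Hardened counterpart to the appliance's list: TLS 1.2+, AEAD suites with forward
# secrecy, and explicit exclusions so a library default cannot re-enable a weak suite.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5"


def hardened_context(pinned_ca_pem=None):
    """Client context; pinned_ca_pem (assumed path) is the only CA trusted if given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verification + hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    if pinned_ca_pem is not None:
        # Deliberately no load_default_certs(): only the vendor CA is trusted.
        ctx.load_verify_locations(cafile=pinned_ca_pem)
    return ctx


def hardened_has_weak_suite():
    """True if any suite the hardened context would still offer fails the rules above."""
    for c in hardened_context().get_ciphers():
        probe = {"proto": c["protocol"], "bits": c["strength_bits"],
                 "name": c["name"], "rsa": None}
        if weaknesses(probe):
            return True
    return False


if __name__ == "__main__":
    accepted, rejected = classify(SCAN_OUTPUT)
    for name, reasons in rejected:
        print(f"REJECT {name}: {', '.join(reasons)}")
    for name, _ in accepted:
        print(f"accept {name}")
    print("hardened context offers a weak suite:", hardened_has_weak_suite())
```

Run against the constructed input, only the two TLSv1.0 AES-CBC suites survive the rules; those still use RSA key exchange without forward secrecy on a legacy protocol version, which is why the hardened context goes further and starts at TLS 1.2 with ECDHE-only suites. Passing the vendor CA file to hardened_context() implements the CA-level pinning recommended above on the client side.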
- 2016-08-26 Vulnerability Discovered
- 2016-08-29 Vulnerability Reported