Welcome to November 2019’s edition of SSL.com’s Security Roundup, where we present a selection of the month’s developments in SSL/TLS, digital certificates, and network security! In this edition, we’ll be covering:
- TPM-FAIL: newly-discovered vulnerabilities in Intel firmware-based TPM and STMicroelectronics’ TPM chips
- Delegated Credentials for TLS
- Europe’s dearth of IPv4 addresses
- The breaching of multiple domain name registrars
Sirgiu Gatlan at Bleeping Computer reports that a research team from the Worcester Polytechnic Institute, the University of Lübeck, and the University of California, San Diego has uncovered two vulnerabilities in Intel firmware-based TPM (fTPM) and STMicroelectronics’ TPM (Trusted Platform Module) chips.
These vulnerabilities, dubbed TPM-FAIL by the researchers, allow attackers to recover stored private cryptographic keys. On the TPM-FAIL website, the researchers state that:
We discovered timing leakage on Intel firmware-based TPM (fTPM) as well as in STMicroelectronics’ TPM chip. Both exhibit secret-dependent execution times during cryptographic signature generation. While the key should remain safely inside the TPM hardware, we show how this information allows an attacker to recover 256-bit private keys from digital signature schemes based on elliptic curves.
The attacks demonstrated are practical, as the researchers also claim that
A local adversary can recover the ECDSA key from Intel fTPM in 4-20 minutes depending on the access level. We even show that these attacks can be performed remotely on fast networks, by recovering the authentication key of a virtual private network (VPN) server in 5 hours.
Gatlan notes that “The vulnerable Intel fTPM… is used by the vast majority of computer manufacturers, including but not limited to Dell, HP, and Lenovo,” and is “also widely used by Intel Internet of Things (IoT) Platform family of products used in industry, healthcare, smart cities, and connected vehicles.”
Intel has issued a patch to their fTPM firmware to fix the TPM-FAIL vulnerabilities, and STMicroelectronics has issued a TPM-FAIL resistant TPM chip.
Delegated Credentials for TLS
On November 1, Cloudflare announced support for Delegated Credentials for TLS, a new cryptographic protocol developed in collaboration with Facebook and Mozilla. Delegated credentials are intended to ease SSL/TLS deployment across multiple global endpoints, such as in a content delivery network (CDN). According to Cloudflare, a delegated credential is:
a short-lasting key that the certificate’s owner has delegated for use in TLS. They work like a power of attorney: your server authorizes our server to terminate TLS for a limited time. When a browser that supports this protocol connects to our edge servers we can show it this “power of attorney”, instead of needing to reach back to a customer’s server to get it to authorize the TLS connection. This reduces latency and improves performance and reliability.
Because delegated credentials are periodically pushed to the CDN’s edge servers before the previous credential expires, the system avoids the latency that is associated with pull-based protocols like Keyless SSL. You can read Facebook’s and Mozilla’s announcements about delegated credentials here and here, respectively, and get full details from the IETF draft of the specification.
IPv4 Addresses Running Out
RIPE (Europe’s regional internet registry) announced on November 25 that they have no more IPv4 addresses left
we made our final /22 IPv4 allocation from the last remaining addresses in our available pool. We have now run out of IPv4 addresses.
RIPE says that even though they are out of IPv4 addresses, they will continue to recover more in the future “from organisations that have gone out of business or are closed, or from networks that return addresses they no longer need,” and will dole them out to Local Internet Registries (LIRs) via a waiting list.
Multiple Domain Name Registrars Breached
Steve Dent at Engadget reports that Web.com and it’s subsidiaries NetworkSolutions.com and Register.com were breached by attackers in late August 2019.
According to Web.com, the breach involved a “limited number of its computer systems,” that “no credit card data was compromised,” and that they do not believe that stored, encrypted passwords are vulnerable (but that customers should change them). However, the attackers may have been able to collect contact details such as “name, address, phone numbers, email addresses, and information about the services that we offer to a given account holder.”
Dent notes that the compromise of a domain name register has potentially dire consequences:
For instance, hackers once compromised the domain name registrar of a Brazilian bank and redirected users to lookalike sites that stole their credentials and installed malware. “If your DNS is under the control of cybercriminals, you’re basically screwed,” Kaspersky’s Dmitry Bestuzhev told Wired about the incident.