New Attack on RC4-Based SSL/TLS Leverages 13-Year-Old Vulnerability

Researchers at Imperva’s Application Defense Center have found a way to leverage a 13-year-old vulnerability in the RC4 cryptographic algorithm to recover partial information from SSL/TLS-protected communications.

The Secure Sockets Layer (SSL) and the newer Transport Layer Security (TLS) cryptographic protocols are designed to provide authentication and secure communications. The protocols often leverage Rivest Cipher 4 (RC4), the most commonly used stream cipher, for protecting traffic.

However, over the past years, experts uncovered several flaws in RC4. Some of these issues made numerous headlines, but the vulnerability leveraged by Imperva in its attacks, dubbed the “Invariance Weakness,” has been in the shadows in the past 13 years, according to researchers.

Building on previous research, Imperva has managed to exploit the vulnerability for plaintext recovery attacks in which an attacker can extract partial data from protected communications, including payment card details, passwords, and session cookies. The attack, dubbed “Bar Mitzvah,” is similar to BEAST (Browser Exploit Against SSL/TLS), but it’s considered more stable.

In an attack scenario described by experts, the attacker intercepts a large number of SSL/TLS connections that use RC4, and waits until a weak key is found. The weak key can then be used to recover partial plain text data. Researchers have determined that one out of every 16 million RC4 keys is weak, and the number of attempts required to mount an attack is estimated to be 1 billion.

A malicious actor can only target the first 100 bytes of protected data. However, even partial data can be useful since it can facilitate brute-force attacks on sensitive information such as session cookies, passwords and credit card numbers, Imperva said.

In the non-targeted, passive version of the Bar Mitzvah attack, the attacker eavesdrops on the inbound traffic to a popular Web application. For every 1 billion connections, he can obtain one piece of sensitive information. However, in this scenario, the collected data belongs to random users and there is no way for the attacker to determine their identity.

An alternative attack scenario involves obtaining the 1 billion connections from a group of victims. This can be achieved by launching a man-in-the-middle attack against multiple users through DNS poisoning or a malicious hotspot.

“The security of RC4 has been questionable for many years, in particular its initialization mechanisms. However, only in recent years has this understanding begun translating into a call to retire RC4,” Imperva researchers wrote in their paper.

The chances of someone’s data getting compromised as a result of such an attack are small, but Imperva believes this vector should not be neglected. That is why the security firm advises administrators to disable RC4 in their apps’ configuration if possible. Users are advised to disable RC4 in their browsers, while browser vendors are urged to consider removing RC4 from their cipher lists. Microsoft, Mozilla and other organizations offer the same advice.

The complete Hacker Intelligence Initiative report from Imperva, titled “Attacking SSL when using RC4: Breaking SSL with a 13-year old RC4 Weakness,” is available online.