Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

VPN, Web Sessions Exposed to DUHK Crypto Attack

A vulnerability in the outdated ANSI X9.31 random number generator (RNG) can allow attackers to recover encryption keys and read data passing through VPN connections and encrypted web browser sessions, researchers warned.

A vulnerability in the outdated ANSI X9.31 random number generator (RNG) can allow attackers to recover encryption keys and read data passing through VPN connections and encrypted web browser sessions, researchers warned.

The vulnerability has been dubbed DUHK (Don’t Use Hard-coded Keys) and it has been found to affect the products of at least a dozen vendors. The issue was discovered by cryptography experts Shaanan Cohney, Nadia Heninger, and Matthew Green.

ANSI X9.31 is a pseudorandom number generator that was standardized in 1985 and it was compliant with the Federal Information Processing Standards (FIPS) requirements until January 2016. The RNG relies on a static key to generate random numbers and that key must remain secret in order for the system to be secure.DUHK attack

However, some companies implemented X9.31 with a static key that has been stored directly in the source code of the product. This allows an attacker to obtain the key from the application’s source code or binary and use it to decrypt communications associated with that product.

In some cases, an attacker may be able to recover the private key in just a few seconds via the DUHK attack, which works only if the RNG is used directly to generate crypto keys and if the attacker can obtain some of the generated numbers.

The weakness has been known since 1998, but neither NIST nor entities involved in the FIPS standardization process specified a method for securely generating the key.

An analysis of hundreds of products that implemented the X9.31 RNG revealed that 12 of them had used static hardcoded keys in the source code, leaving their users vulnerable to attacks.

The list of affected products included the BeCrypt Cryptographic Library, Cisco Aironet, DeltaCrypt FIPS Module, Fortinet’s FortiOS, MRV Communications’ LX-4000T/LX-8020S, Neoscale’s CryptoStor, Neopost’s Postal Security Devices, Renesas’ AE57C1, TechGuard’s PoliWall-CCF, Tendyron’s OnKey193, ViaSat’s FlagStone Core, and the Vocera Cryptographic Module. Many of the affected vendors have since removed the use of X9.31 from their products.

The researchers tested the practicality of the attack method against Fortinet’s FortiGate VPN gateway products, which run the FortiOS operating system. An Internet scan conducted this month showed that there are more than 25,000 Fortinet devices that are vulnerable and exploitable.

Advertisement. Scroll to continue reading.

“And this count is likely conservative, since these were simply the devices that bothered to answer us when we scanned. A more sophisticated adversary like a nation-state would have access to existing VPN connections in flight,” Green explained in a blog post.

The vulnerability affects Fortinet devices running FortiOS versions 4.3.0 through 4.3.18. The vendor addressed the issue, which it tracks as CVE-2016-8492, last year with the release of versions 4.3.19 and 5.0.

There is no evidence of DUHK attacks in the wild and the researchers who discovered the flaw say they don’t plan on releasing any code used in their implementation of the method.

Furthermore, while the actual key recovery might be easy, a real-world attack exploiting this vulnerability is difficult to conduct. However, the flaw could be highly useful for a state-sponsored actor such as the NSA, which has far greater capabilities compared to the average threat group. It’s also worth mentioning that the attack is passive so it would not be easy to detect, researchers said.

A few years ago, the NSA was accused of promoting the use of the backdoored Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG). However, experts have now pointed out that Dual EC was not as widely used as X9.31.

Related: Tech Giants Warn of Crypto Flaw in Infineon Chips

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...