Researchers have found a way to exploit a piece of side-channel information in order to downgrade most current TLS implementations.
Researchers call this new cyber attack a padding oracle attack because it relies on padding, the dummy data added to the plaintext so that it fits the block size required for the ciphertext. A padding oracle is a function that leaks whether the padding is valid.
By learning whether or not the padding is valid, the attacker can recover the plaintext from the ciphertext.
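As an added illustration (not code from the article or from any of the libraries it names), the two functions below contrast a leaky PKCS#1 v1.5 padding check, which behaves as the padding oracle described above, with the validity-independent check that TLS implementations use as the countermeasure. The block layout and the RFC reference are the real PKCS#1 v1.5 / RFC 5246 ones; the sample secret is constructed.

```python
import secrets

# Constructed illustration of the PKCS#1 v1.5 "type 2" encryption block used for
# RSA key transport:  0x00 0x02 <at least 8 non-zero padding bytes> 0x00 <message>
# The RSA operation itself is omitted; the oracle lives in how the decrypted block
# is checked afterwards. Blocks are assumed to be at least two bytes long.

MIN_PAD = 8  # PKCS#1 v1.5 requires at least eight non-zero padding bytes


def leaky_unpad(block: bytes) -> bytes:
    """A padding oracle: early returns and distinct errors reveal whether the
    block was well formed, which is exactly the bit an attacker wants to learn."""
    if block[:2] != b"\x00\x02":
        raise ValueError("bad header")
    sep = block.find(b"\x00", 2)
    if sep == -1 or sep < 2 + MIN_PAD:
        raise ValueError("bad separator")
    return block[sep + 1:]


def hardened_unpad(block: bytes, expected_len: int) -> bytes:
    """Countermeasure used by TLS implementations (RFC 5246, section 7.4.7.1):
    evaluate every check without early exit and, on any failure, return a random
    secret of the expected length instead of an error, so the caller's behaviour
    no longer depends on padding validity. Python cannot guarantee constant time;
    the structure (no validity-dependent control flow) is what is illustrated."""
    fallback = secrets.token_bytes(expected_len)
    ok = int(block[0] == 0) & int(block[1] == 2)
    sep = -1
    for i in range(2, len(block)):            # first separator, no early exit
        sep = i if (block[i] == 0 and sep == -1) else sep
    ok &= int(sep >= 2 + MIN_PAD)
    msg = block[sep + 1:]                     # meaningless if ok == 0, masked below
    ok &= int(len(msg) == expected_len)
    mask = -ok & 0xFF                         # 0xFF if every check passed, else 0x00
    padded = msg[:expected_len].ljust(expected_len, b"\x00")
    return bytes((m & mask) | (f & (mask ^ 0xFF)) for m, f in zip(padded, fallback))


# Constructed sample: a well-formed block and one with a corrupted header byte.
SECRET = b"constructed-premaster-secret"
GOOD_BLOCK = b"\x00\x02" + b"\x55" * MIN_PAD + b"\x00" + SECRET
BAD_BLOCK = b"\x00\x01" + b"\x55" * MIN_PAD + b"\x00" + SECRET
```

With the hardened check, the malformed block yields a random value of the right length rather than an error, so an observer cannot distinguish it from a valid one by the server's reaction.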
Remember that everything can be hacked. To stay clear of cyber threats, we recommend installing an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS it runs. If you are a company, we also recommend hiring a specialized cybersecurity firm every year to run annual tests on your company's network; these tests include penetration testing and ethical hacking tests.
Researchers say that this new CAT attack relies on techniques similar to those used in the Spectre and Meltdown work.
In a FLUSH+RELOAD attack, the attacker flushes a part of the CPU cache and later reloads it, which reveals whether the victim accessed the same area of cached memory in the meantime.
The researchers found that by combining a FLUSH+RELOAD attack with CPU branch prediction and a technique called Browser Exploit Against SSL/TLS (BEAST), an attacker is able to break the TLS implementations in seven of nine popular packages.
This new technique involves running multiple padding oracle attacks in parallel. By bypassing TLS in this way, the attacker can steal a victim's authentication token and access an online account such as Gmail.
The same technique can crack OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, GnuTLS, BearSSL, and BoringSSL.
Any software using the vulnerable libraries listed above, particularly OpenSSL and CoreTLS, is at risk of surveillance by attackers.
HTTPS was the gold standard for web traffic security, but its days are over thanks to a quirk of TLS that can smash any web privacy.
Researchers say that support for RSA key transport in the Public Key Cryptography Standard #1 (PKCS #1), which now represents a major risk, needs to be removed.
For this reason, RSA key transport has already been excluded from TLS 1.3, but it is still used in about 6% of TLS connections. Keep in mind that any TLS connection handled by one of the vulnerable implementations can be downgraded, so the implementations affected by the CAT attack will need to be patched.
Even though RSA key exchange is declining, padding oracles can be used to mount downgrade attacks, making them a threat to the security of a much larger number of connections.
The flaws identified in these new attacks are CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869, and CVE-2018-16870.
Keep in mind that our modern society depends on computers, mobile devices, and the internet; always stay safe and secure.
We will continue to monitor the cybersecurity world. Meanwhile, users should keep a keen eye out for cyber attacks and follow the antivirus and annual testing recommendations given above.