SSL/TLS Export Cipher "Factoring RSA Export Keys" (FREAK) Vulnerability
RISK: High Risk
TYPE: Security software and application - Security Software & Appliance
A vulnerability has been identified in SSL/TLS. It allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered, i.e. the attacker conducts a key factoring attack to reveal the RSA private key used by the server.
Impact
- Information Disclosure
System / Technologies affected
- Server and client applications that use export-grade ciphers (EC).
For the list of affected vendors, please refer to:
http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=243585&SearchOrder=4
Solutions
Before installing the software, please visit the software manufacturer's website for more details.
- For OpenSSL versions 1.0.1, 1.0.0 and 0.9.8, users should upgrade to 1.0.1k, 1.0.0p and 0.9.8zd respectively: https://www.openssl.org/news/secadv_20150108.txt
- For clients:
  - Please watch for the patch released by your vendor. Currently, you can check whether your browser is affected by visiting this webpage: https://freakattack.com/clienttest.html
- For servers:
  - Please visit this webpage to check whether your server is vulnerable to the attack: https://tools.keycdn.com/freak
  - Please disable support for export-grade and other weak cipher suites. You can refer to this guide for details: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
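One way to audit a cipher listing for the export-grade and other weak suites that the server advice above asks you to disable, as an added example that is not part of the original advisory. The sample listing is constructed in the layout of `openssl ciphers -v` output; the `classify` and `audit` helpers and the 128-bit threshold for "other weak" are assumptions of this example.

```python
import re

# Constructed sample, laid out like `openssl ciphers -v` output from an
# OpenSSL 1.0.x build that still ships export suites.
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")
ENC = re.compile(r"([^()]+)(?:\((\d+)\))?")

def classify(line):
    """Return (suite, verdict) for one listing line, or None if unparseable."""
    tokens = line.split()
    fields = dict(FIELD.findall(line))
    enc = ENC.fullmatch(fields.get("Enc", ""))
    if len(tokens) < 3 or "Kx" not in fields or not enc:
        return None
    name = tokens[0]
    cipher, bits = enc.groups()
    bits = int(bits) if bits else 0          # Enc=None (eNULL) carries no size
    export = tokens[-1] == "export" or name.startswith("EXP")
    if export and fields["Kx"].startswith("RSA"):
        return name, "export-rsa"            # RSA export key exchange: FREAK's target
    if export:
        return name, "export"
    # Assumed policy for this example: under 128 bits, RC4, or no
    # authentication counts as "other weak".
    if bits < 128 or cipher == "RC4" or fields.get("Au") == "None":
        return name, "weak"
    return name, "ok"

def audit(listing):
    """Map each verdict to the suites that received it, in listing order."""
    report = {}
    for line in listing.splitlines():
        result = classify(line)
        if result:
            report.setdefault(result[1], []).append(result[0])
    return report

if __name__ == "__main__":
    for verdict, suites in audit(SAMPLE).items():
        print(f"{verdict:11} {', '.join(suites)}")
```

Any suite reported as `export-rsa`, `export` or `weak` should be absent from the server's enabled cipher list after the configuration change.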
Vulnerability Identifier
Source
Related Link