Lessons (to be) Learned from Handling OpenSSL Vulnerabilities
JPCERT Coordination Center, Information Distribution Countermeasures Group, Vulnerability Analysis Team Leader: Masaki Kubo, 2014-11-22
Copyright 2014 JPCERT/CC All rights reserved.
JPCERT/CC and OpenSSL
OpenSSL
- SSL/TLS/DTLS
- Apache License 1.0
- LibreSSL (OpenBSD), boringssl (Google)
- Android (SSLSocketFactory), Chrome for Android
SSL/TLS (2014): OpenSSL
- Apr 8: JVNVU#94401838 OpenSSL heartbeat
- Jun 6: JVN#61247051 OpenSSL Change Cipher Spec
- Aug 11: JVNVU#93614707 OpenSSL
- Oct 16: JVNVU#98283300 SSLv3 (POODLE)
SSL/TLS (2014)
- JVN: 11, Android
- SslError; US (FTC): 2
- 2014 JPCERT SSL/TLS: https://k-of.jp/2014/session/563
[Chart: number of OpenSSL vulnerabilities per year, 2002 to 2014 (y-axis 0 to 25); source: https://www.openssl.org/news/vulnerabilities.html]
[Diagram: vulnerability-handling stakeholders: IPA, JPCERT/CC, JVN, SIer, CERT/CC, NCSC-FI]
The Heartbleed Bug
Heartbleed
- TLS
- OpenSSL 1.0.1
- Codenomicon
Heartbleed timeline as seen by JPCERT/CC (2014)
- Apr 6 (Sun) 20:08: NCSC-FI (Jussi); FI, OpenSSL, 2; CVE
- Apr 7 (Mon) 16: NCSC-FI → JPCERT/CC; 22:24: CERT/CC (vultures), CVE-2014-0346 (UTC); JVN
- Apr 8 (Tue) 08:18, 09:48: CERT/CC; 11:42: CERT/CC, OpenSSL, Cloudflare; 15:00: JVN, 50
- Apr 9 (Wed) 15:46: IIJ VS
- Apr 11 (Fri) 12:48: VS
Heartbleed timeline on the OpenSSL side (2014)
- Apr 1: Google → OpenSSL (Google)
- Apr 7 14:56: OpenSSL → Red Hat; 15:10: Red Hat → oss-security distros list (9, OpenSSL distro); 17:15: SuSE; 17:16: Debian; 17:49: FreeBSD; 19:00: AltLinux; 20:30: Ubuntu; 23:14: Gentoo
- Apr 8 (Tue) 00:19: FI, Mark Cox / Ben Laurie, Codenomicon; 01:11: OpenSSL, 2; 02:25: OpenSSL; 03:39: OpenSSL
- OpenSSL → Linux Distro (Red Hat, SuSE, Debian, FreeBSD, AltLinux): distro, oss-security
- Akamai, Cloudflare, Facebook, Google
- The Sydney Morning Herald: "Heartbleed disclosure timeline: who knew what and when"
Lessons Learned
- (JPCERT, CERT/CC, NCSC-FI)
- OpenSSL
CCS Injection Vulnerability
CCS Injection
- change_cipher_spec
- OpenSSL: http://www.iij-ii.co.jp/lab/seminars/
CCS Injection
SSL/TLS
[Diagram: CCS Injection notification flow: IPA; OpenSSL, CERT/CC; CERT/CC, NCSC-FI; OpenSSL, NCSC-FI; JVN, w days, days]
[Diagram: CCS Injection notification flow among JPCERT, CERT/CC, NCSC-FI, IPA, the ML (oss-distros), Linux and FreeBSD]
1: OpenSSL, OpenSSL, JPCERT
1: OpenSSL
1. OpenSSL
2. JPCERT, JVN
3. oss-security ML
OpenSSL; JVN, JPCERT/CC, CERT/CC
ex. POODLE
2
1: JPCERT/CC, OSS, OSS, OSS; OpenSSL
2: OSS (BIND, Apache, Tomcat)
Lessons (to be) Learned
- OpenSSL, OpenSSL 61
- IIJ, IIJ
JPCERT and OpenSSL
- IPA/JPCERT, CERT/CC, OpenSSL: 3
- OpenSSL x 3++
JPCERT, CERT/CC | NCSC-FI
- ML (vultures)
- Next vultures F2F meeting 2015 @ RSA Conference US; Vendor
- JPCERT/CC, IPA: CERT 3
- JPCERT/CC, CERT/CC, NCSC-FI: NDA
- JPCERT/CC: CVE
- Adobe, Apple, Google, Android, OpenSSL etc.
- JPCERT/CC: Responsible Disclosure
OSS
- 2
- acknowledge
OpenSSL
OpenSSL Security Policy
- https://www.openssl.org/about/secpolicy.html
- x
- OS distro
ISC Vulnerability Disclosure Policy
- ISC Vulnerability Disclosure Policy
- Before: JPCERT
- After: DNS, OS
- JPCERT/CC, ISC, APCERT, PacCERT, AfricaCERT
- https://kb.isc.org/article/AA…
Thank you
OpenSSL Security Policy Last modified 7th September 2014
Introduction: Recent flaws have captured the attention of the media and highlighted how much of the internet infrastructure is based on OpenSSL. We've never published our policy on how we internally handle security issues; that process being based on experience and has evolved over the years.
Reporting security issues
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
Background: Everyone would like to get advance notice of security issues in OpenSSL. This is a complex topic and we need to set out some background with our findings:
- The more people you tell in advance the higher the likelihood that a leak will occur. We have seen this happen before, both with OpenSSL and other projects.
- A huge number of products from an equally large number of organisations use OpenSSL. It's not just secure web sites; you're just as likely to find OpenSSL inside your smart TV, car, or fridge.
- We strongly believe that the right to advance patches/info should not be based in any way on paid membership to some forum. You can not pay us to get security patches in advance.
- We can benefit from peer review of the patches and advisory. Keeping security issues private means they can't get the level of testing or scrutiny that they otherwise would.
- It is not acceptable for organisations to use advance notice in marketing as a competitive advantage. For example, "if you had bought our product/used our service you would have been protected a week ago".
Background (continued):
- There are actually not a large number of serious vulnerabilities in OpenSSL which make it worth spending significant time keeping our own list of vendors we trust, or signing framework agreements, or dealing with changes, and policing the policy. This is a significant amount of effort per issue that is better spent on other things.
- We have previously used third parties to handle notification for us including CPNI, oCERT, or CERT/CC, but none were suitable.
- It's in the best interests of the Internet as a whole to get fixes for OpenSSL security issues out quickly. OpenSSL embargoes should be measured in days and weeks, not months or years.
- Many sites affected by OpenSSL issues will be running a version of OpenSSL they got from some vendor and likely bundled with an operating system. The most effective way for these sites to get protected is to get an updated version from that vendor. Sites who use their own OpenSSL compilations should be able to handle a quick patch and recompile once the issue is public.
OpenSSL: Internal handling of security issues: This leads us to our policy for security issues notified to us or found by our team which are not yet public (private means kept within the OpenSSL development team). We will determine the risk of each issue being addressed. We will take into account our experience dealing with past issues, versions affected, common defaults and use cases. We divide the issues into the following categories:
OpenSSL: Internal handling of security issues (continued)
- Low severity issues. This includes issues such as those that only affect the openssl command line utility, unlikely configurations, or hard to exploit timing (side channel) attacks. These will in general be fixed immediately in latest development versions, and may be backported to older versions that are still getting updates. We will update the vulnerabilities page and note the issue CVE in the changelog and commit message, but they may not trigger new releases.
- Moderate severity issues. This includes issues like crashes in client applications, flaws in protocols that are less commonly used (such as DTLS), and local flaws. These will in general be kept private until the next release, and that release will be scheduled so that it can roll-up several such flaws at one time.
- High severity issues. This includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS, a significant leak of server memory, and remote code execution. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control, and significantly quicker if there is a significant risk or we are aware the issue is being exploited.
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
Prenotification policy: Where we are planning an update that fixes security issues we will notify the openssl-announce list and update the home page to give our scheduled update release date and time and the severity of issues being fixed by the update. No further information about the issues will be given. This is to aid organisations that need to ensure they have staff available to handle triaging our announcement and what it means to their organisation. For updates that include high severity issues we will also prenotify with more details and patches. Our policy is to let the organisations that have a general purpose OS that uses OpenSSL have a few days notice in order to prepare packages for their users and feedback test results.
Prenotification policy (continued): We use the mailing list described at http://oss-security.openwall.org/wiki/mailing-lists/distros for this. We may also include other organisations that would otherwise qualify for list membership. We may withdraw notifying individual organisations from future prenotifications if they leak issues before they are public or over time do not add value (value can be added by providing feedback, corrections, test results, etc.). Finally, note that not all security issues are notified to us directly; some come from third parties, such as companies that pay for vulnerabilities, some come from country CERTs. These intermediaries, or the researchers themselves, may follow a different style of notification. This is within their rights and outside of the control of the OpenSSL team.