We live in interesting times
There is a Chinese proverb/curse saying: May you live in interesting times?
Why is this intended as a curse? Maybe living in interesting times means living in challenging times.
The security environment is so dynamic these days, it is certainly interesting to see how things change all the time, vulnerabilities are found almost every day, exploits are being developed at a whopping pace and even for professionals, just keeping up with it all is very challenging.
In the last two weeks there have been quite a few major security events/discoveries
Starting with KRACK ATTACK (announced 18th of Oct), which our blog already covered https://4cornernetworks.com/krackattack-kraken-wi-fi-wpa2/ but there are new things around the corner.
New VPN/crypto attack – DUNK (Don’t Use Hard-coded Keys) attack
With KRACK attack still going on strong there is a new one that involves breaking cryptography. This one however does not take advantage of the control messages in WPA-2 to allow sniffing of user data but exploits weak software implementation for the ANSI X9.31 RNG. Until quite recently the ANSI X9.31 RNG was used to generate cryptographic keys that secure VPN connections and web browsing sessions.
A team of security researchers from the University of Pennsylvania and John Hopkins University found a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key. The DUHK attack allows “attackers to recover secret encryption keys from vulnerable implementations to decrypt and read communications passing over VPN connections or encrypted web sessions”.
The attack has been confirmed to work on Fortinet devices running FortiOS 4.3.0 to FortiOS 4.3.18. The necessary requirement (all of them need to be met) for a device to be vulnerable to the DUHK are:
Also, the attacker needs to be able to observe passively the encrypted handshake traffic.
The X9.31 was widely deployed in the past and was even part of the FIPS approved random number generation algorithms set until January 2016. There is a big chance a lot of VPN implementations are still using it.
There is a CVE for this vulnerability: CVE-2016-8492:
Here are the general recommendations:
Related articles: