Adium

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#16550 closed defect (fixed)

BEAST SSL Mitigation in Mavericks causes SSL disconnects

Reported by: mlamb Owned by:
Milestone: Adium 1.5.10 Component: Plugin
Version: 1.5.9b3 Severity: normal
Keywords: cdsa SIPE Cc:
Patch Status: Accepted

Description

Summary

The BEAST SSL attack mitigations introduced in Mavericks (see http://threatpost.com/apple-turns-on-safari-beast-attack-mitigation-by-default-in-os-x-mavericks) cause SSL connections to buggy server implementations to disconnect:

15:38:16: (Libpurple: cdsa) receive failed (-9806): Connection reset by peer
15:38:16: (GLib): (15:38:16) cdsa: receive failed (-9806): Undefined error: 0

This is impacting some users of the SIPE plugin (https://sipe.sourceforge.net) due to Microsoft's SSL implementation.

Steps to reproduce

  1. Install Adium
  2. Install latest version of SIPE plugin (per SIPE site instructions)
  3. Connect to an OCS server with un-patched SSL implementation
  4. Attempt to send a message to a contact
  5. Adium disconnects (see Debug log with undefined cdsa error)

Expected results

I expected that Adium wouldn't disconnect.

Actual results

Adium disconnects with an undefined cdsa error.

Regression

This only occurs with Adium running on Mavericks (10.9) due to the mitigations implemented in that OS version.

Notes

Apple introduced (also in Mavericks) an SSL Session Option that can be set on a per-session basis that disables or enables the mitigation. If set to disabled, this session option resolves the issue, so we just need to conditionally set that option on cdsa connections.

Stefan Becker (SIPE maintainer) and I have worked to create a patch for this (see attached).

Attachments (2)

BEASTMitigation.patch (1.5 KB) - added by mlamb 3 years ago.
Patch for BEAST mitigation
SIPE-Plugin-logs.zip (14.6 KB) - added by toonetown 3 years ago.
Logs for working (1.5.9) and broken (1.5.10b1) connection using sipe plugin


Change History (19)

Changed 3 years ago by mlamb

Patch for BEAST mitigation

comment:1 follow-up: Changed 3 years ago by sphynx

So what are the security implications of disabling this?

comment:2 in reply to: ↑ 1 ; follow-up: Changed 3 years ago by mlamb

Replying to sphynx:

> So what are the security implications of disabling this?

Little to none.

The mitigated attack (BEAST) is specifically aimed towards injecting JavaScript into a browser via a hijacked SSL connection to do nastiness like stealing online banking cookie values to steal money.

Since Adium is making SSL connections for chat sessions, it's unclear if injecting data would be an effective attack. The attacker would have to understand the underlying chat protocol, and the damage would be limited to chat related functions.

The fall-back is to use TLS 1.0, and as far as I can tell Apple is not back-porting this to older OS releases, so anyone on 10.8 will continue to be vulnerable to this attack.

The current mitigation strategy has known inter-op issues, and the recommended course of action is to disable the 1/1-n split for those connections (since they'll be vulnerable either way).

comment:3 in reply to: ↑ 2 ; follow-up: Changed 3 years ago by sphynx

Replying to mlamb:

> Replying to sphynx:
>
> > So what are the security implications of disabling this?
>
> Little to none.
>
> The mitigated attack (BEAST) is specifically aimed towards injecting JavaScript into a browser via a hijacked SSL connection to do nastiness like stealing online banking cookie values to steal money.
>
> Since Adium is making SSL connections for chat sessions, it's unclear if injecting data would be an effective attack. The attacker would have to understand the underlying chat protocol, and the damage would be limited to chat related functions.

Sure, it may not be BEAST, but the core problem of predictable IVs could affect chat sessions. It's quite easy for an attacker to get a message to you, it's IM after all. All an attacker would need to do is to trick you into sending a packet starting with 16 chosen bytes. Granted, this would not be possible to do in any of the protocols I am familiar with, but I have not verified whether that holds for every protocol Adium supports.

Anyway, I overlooked that you made this optional for accounts and defaulting to off. As long as nobody asks me to turn it on for any of the official protocols, I'm fine with it. :)

comment:4 in reply to: ↑ 3 Changed 3 years ago by mlamb

Replying to sphynx:

> Sure, it may not be BEAST, but the core problem of predictable IVs could affect chat sessions. It's quite easy for an attacker to get a message to you, it's IM after all. All an attacker would need to do is to trick you into sending a packet starting with 16 chosen bytes. Granted, this would not be possible to do in any of the protocols I am familiar with, but I have not verified whether that holds for every protocol Adium supports.

Agreed. I didn't do exhaustive research on the possibility to attack chat protocols with this... so it still could be possible.

> Anyway, I overlooked that you made this optional for accounts and defaulting to off. As long as nobody asks me to turn it on for any of the official protocols, I'm fine with it. :)

Yes. I figured, the best way to get this accepted was to make it as generic and non-impactful as possible. :)

So, if you're ok with it... when can we expect it to be integrated with the repo?

comment:5 Changed 3 years ago by Thijs Alkemade <me@…>

  • Resolution set to fixed
  • Status changed from new to closed

(In 78db6a0ed1c7) Patch from mlamb: Add a way for protocols to disable 1/n-1 record splitting on TLS (which is used to counter the BEAST attack) for protocols that might want it.

(We have no intention of turning this on for any official protocol, but apparently the SIPE plugin needs it).

Fixes #16550

comment:6 Changed 3 years ago by sphynx

  • Milestone changed from Adium bugs to Adium 1.5.10
  • Patch Status changed from Initially Included to Accepted

As you can see, we plan to ship it with 1.5.10.

We usually credit third-party contributors with their full name (if they want to). Should we credit you, and if so, how? :)

comment:7 Changed 3 years ago by mlamb

Sure, you can credit me. My full name is Michael Lamb. :)

comment:8 Changed 3 years ago by Thijs Alkemade <me@…>

(In 0b04b07007a7) Credit Michael Lamb. Refs #16550

comment:9 Changed 3 years ago by mlamb

Apple has introduced a regression of this bug in Mountain Lion (10.8.5) with the latest Security Update (2014-001).

I've opened a new issue (https://trac.adium.im/ticket/16611) to add a fix.

comment:10 Changed 3 years ago by toonetown

When updating to 1.5.10 beta, my sipe plugin no longer works; I get a "Read Error". I am wondering if this patch causes the issue - since rolling back to 1.5.9 makes the plugin work again.

I am running Mavericks (10.9.2), with the latest version of the sipe adium plugin downloaded from http://sourceforge.net/projects/sipe/files/sipe/pidgin-sipe-1.18.0/

I am attaching the logs given in both the "working" and "broken" scenarios.

Changed 3 years ago by toonetown

Logs for working (1.5.9) and broken (1.5.10b1) connection using sipe plugin

comment:11 Changed 3 years ago by mlamb

Looking at the logs, I don't see the tell-tale entry that the BEAST mitigations were explicitly disabled... you would see a message like:

13:17:33: (GLib): (13:17:33) cdsa: Explicitly disabling SSL BEAST mitigation for broken server implementations
13:17:33: (Libpurple: cdsa) Explicitly disabling SSL BEAST mitigation for broken server implementations

Which indicates that the account preference wasn't set (and therefore the mitigations weren't disabled).

Try installing Adium 1.5.10 again....

  • Then delete/recreate your account and verify if you see the "Disable BEAST Mitigations" UI option (it's a check box) in the account preferences.
  • Or alternatively, edit the ~/Library/Application Support/Adium 2.0/Users/Default/libpurple/accounts.xml file and add:

<setting name='ssl_cdsa_beast_tls_workaround' type='bool'>1</setting> to the prpl-sipe account config.
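
The diagnostic reasoning in comment:11, written out as a small audit script. This is an added example, not part of the ticket thread or the Adium/SIPE code. It lists the accounts that have the workaround setting enabled, flags any that are not prpl-sipe, and checks a debug log for the two messages quoted on this page. The accounts.xml layout, the sample accounts and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SETTING = "ssl_cdsa_beast_tls_workaround"        # setting name quoted in comment:11
DISABLED_MSG = "Explicitly disabling SSL BEAST mitigation"
RESET_MSG = "receive failed (-9806)"

def accounts_with_workaround(accounts_xml):
    """Return (protocol, name) for each account whose workaround setting is 1."""
    hits = []
    for acct in ET.fromstring(accounts_xml).iter("account"):
        proto = acct.findtext("protocol")
        if proto is None:                        # assumed layout: root is also <account>
            continue
        if any(s.get("name") == SETTING and (s.text or "").strip() == "1"
               for s in acct.iter("setting")):
            hits.append((proto, acct.findtext("name", default="")))
    return hits

def triage(accounts_xml, debug_log):
    # Each event appears twice (Libpurple and GLib); count the Libpurple copy only.
    lines = [l for l in debug_log.splitlines() if "(Libpurple: cdsa)" in l]
    flagged = accounts_with_workaround(accounts_xml)
    return {
        "resets": sum(RESET_MSG in l for l in lines),
        "disabled_logged": any(DISABLED_MSG in l for l in lines),
        "workaround_accounts": flagged,
        # The ticket only intends the setting for the SIPE plugin.
        "unexpected": [a for a in flagged if a[0] != "prpl-sipe"],
    }

# Constructed sample data (account names are made up; layout is an assumption).
SAMPLE_ACCOUNTS = """<account version='1.0'>
 <account><protocol>prpl-sipe</protocol><name>alice@example.com</name>
  <settings><setting name='ssl_cdsa_beast_tls_workaround' type='bool'>1</setting></settings>
 </account>
 <account><protocol>prpl-jabber</protocol><name>bob@example.org</name>
  <settings><setting name='ssl_cdsa_beast_tls_workaround' type='bool'>1</setting></settings>
 </account>
 <account><protocol>prpl-irc</protocol><name>carol</name>
  <settings><setting name='ssl_cdsa_beast_tls_workaround' type='bool'>0</setting></settings>
 </account>
</account>"""
SAMPLE_LOG = """15:38:16: (Libpurple: cdsa) receive failed (-9806): Connection reset by peer
15:38:16: (GLib): (15:38:16) cdsa: receive failed (-9806): Undefined error: 0"""

if __name__ == "__main__":
    print(triage(SAMPLE_ACCOUNTS, SAMPLE_LOG))
```

A non-empty "unexpected" list means record splitting has been turned off for a protocol other than SIPE, which is the case the maintainers said they do not intend to support.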

comment:12 Changed 3 years ago by toonetown

That did the trick! Sorry, I missed that option the first time around.

comment:13 Changed 3 years ago by Robby

mlamb, is there anything left we should worry about regarding this ticket before releasing 1.5.10? (We're aware of #16611.)

comment:14 Changed 3 years ago by mlamb

robby@, as far as I'm aware, other than #16611 there isn't anything blocking 1.5.10 from the SIPE perspective.

comment:15 Changed 3 years ago by Robby

Thanks!

comment:16 Changed 3 years ago by firesignth

Apple just released a patch for 10.8.5 which seems to have me getting the "Read Error" when using the SIPE plugin. I tried running the Mavericks patches but that doesn't work.

Hardware Overview:

Model Name: MacBook Air
Model Identifier: MacBookAir6,2
Processor Name: Intel Core i7
Processor Speed: 1.7 GHz
Number of Processors: 1
Total Number of Cores: 2
L2 Cache (per Core): 256 KB
L3 Cache: 4 MB
Memory: 8 GB
Boot ROM Version: MBA61.0099.B00
SMC Version (system): 2.13f5

System Software Overview:

System Version: OS X 10.8.5 (12F45)
Kernel Version: Darwin 12.5.0
Boot Volume: Macintosh HD
Boot Mode: Normal
Computer Name: USXXFINEBCM2
User Name: Fineberg, Charles (finebc)
Secure Virtual Memory: Enabled
Time since boot: 1 day 4:40

Adium:

Version: 1.5.10b1r5848
Last Modified: 3/21/14 3:21 PM
Kind: Intel
64-Bit (Intel): Yes
App Store: No
Get Info String: 1.5.10b1r5848, Copyright © 2001-2014 The Adium Team
Location: /Applications/Adium.app

SIPEAdiumPlugin ("1.18.0")

comment:17 Changed 3 years ago by Robby
