dcid
commented
8 years ago That's not fully correct.
1- We don't use an IV, but the first bytes from the message are random. That has the same effect as using an IV.
rand1 = (u_int16_t)random();
..
snprintf(_tmpmsg, OS_MAXSTR,"%05hu%010u:%04hu:%s",
rand1,2- We have message counters, which also prevent someone from guessing if the messages are similar. That + the random initializer, gives enough variability per message.
3- MD5 is used to verify the integrity of the message, not for authentication.
I agree that it is probably time to change to AES (code was written 15 years ago when blowfish was cool), but can't see any practical attacks coming out of it.
Thanks,
Daniel B. Cid (yes, I wrote that code :) )
gmichelo
davidszabo26
hex2a
the6thBook
cpu
NCC Group Security Advisory - 2015-07-OSSEC
https://www.nccgroup.trust
OSSEC remote protocol uses weak cryptography
Vendor: Trend Micro Vendor URL: http://www.ossec.net/ Versions affected: All versions up to and including 2.8 Systems Affected: The ossec-remoted component in agent-server configurations Severity: Low (Confidentiality bypasses) Author: NCC Group
Details:
The OSSEC HIDS can be configured to run in an agent-server architecture, where agents forward log messages to a server via various protocols, including the ossec-remoted protocol, which uses encryption and runs over UDP port 514. The remoted server decrypts the log with a client-specific key using Blowfish in CBC mode1. However, the protocol uses a static initialization vector (IV)2 to encrypt and decrypt all messages.
Because the IV is reused for each message, an attacker can determine when message content is similar, and therefore discern what kind of log messages are being forwarded.
In addition, it does not authenticate the message; while it uses an MD5 hash as an internal checksum3, this is not a strong authenticator. The lack of authentication may allow message tampering, due to CBC mode encryption malleability.
Due to the use of a checksum and compression, message tampering would be difficult; however, the use of zlib compression combined with partial message disclosure (from the use of CBC mode) could lead to a decryption oracle via compression errors or timing leakage.
Fix Information:
When using block cipher encryption modes that use an IV, generate a unique and securely random IV for each message and transmit it along with the ciphertext.
The use of CBC mode Blowfish should be replaced with an authenticated encryption (AE) cipher, such as (Galois/Counter Mode) GCM. For more information see the following whitepaper: https://www.nccgroup.trust/globalassets/newsroom/us/blog/documents/2013/introduction_to_authenticated_encryption.pdf
Replace the use of Blowfish with AES, which provides more robust security and benefits from hardware acceleration on some platforms.
Vendor Communication:
2015-06-19 - Primary OSSEC committer notified via email 2015-06-29 - Follow-up email after no response 2015-06-29 - Receipt confirmed 2015-07-29 - Follow-up email 2015-08-24 - Follow-up email, request preparing issue for public release 2015-08-24 - Recieved response, included other project members to chain 2015-10-27 - Indicate to OSSEC we will be preparing issue for public release 2015-11-25 - Recieve response indicating no fix is currently in the works. OSSEC agrees issue should not be withheld from public. 2015-12-08 - Deliver unredacted report to FPF for publication 2015-12-11 - Public release
Thanks to:
Tim Newsham, Raphael Salas, Sean Devlin, Tom Ritter
About NCC Group:
NCC Group is a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification, with offices in San Francisco, Sunnyvale, Seattle, Austin, Chicago, and New York.
https://www.nccgroup.trust/us/