LUCKY13 is a timing attack that can be used against implementations of the TLS protocol using the cipher block chaining mode of operation. The vulnerability affects the TLS 1.1 and 1.2 specification as well as certain forms of earlier versions.

Security Assessment

CVSS Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

Vulnerability Information

LUCKY13 is a timing attack that can be used against implementations of the TLS protocol using the cipher block chaining mode of operation. The vulnerability affects the TLS 1.1 and 1.2 specification as well as certain forms of earlier versions. The attack allows a full plaintext recovery for OpenSSL. An attacker exploiting this vulnerability is therefore able to read the plaintext of a TLS encrypted session. The attack is a more advanced padding oracle: it exploits the different calculation times that result depending on whether the plaintext is padded with one or two bytes or contains incorrect padding.

Timing Attack results for long (red) and short (blue) fake padding (AlFardan & Paterson, 2013).

Under the best circumstances, an attacker needs 2¹³ TLS sessions to recover one plaintext byte. The attacker needs to be close to the target (i.e. in the same network as the web server) to reduce noise and perform the timing attack. Because a successful attack relies on these external conditions, it does not pose a significant threat to normal TLS usage. However, the attack has shown new flaws in the CBC ciphersuites. As newer and better ciphers exist, mitigation is easy to achieve.

Guides

Several countermeasures for the LUCKY13 attack exist. Most importantly (and easiest to implement), no CBC ciphersuites should be used. Instead, use AEAD ciphersuites such as AES-GCM. Support for these ciphers was introduced in TLS 1.2. More information about the ciphers can be found in the article regarding Secure TLS Configuration. To prevent the LUCKY13 attack, use the following TLS configuration.

Apache

With Apache, the SSL/TLS configuration is stored in /etc/apache2/mods-enabled/ssl.conf. If you use Let’s Encrypt, the configuration may reside in /etc/letsencrypt/options-ssl-apache.conf. To enable only ciphers with high encryption and recent protocols, set:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
# AEAD suites only (AES-GCM, ChaCha20-Poly1305); CBC-mode suites such as ECDHE-RSA-AES256-SHA384 are left out
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder     on
SSLCompression          off

Then reload the Apache server configuration.

Note that this limits the cipher suites and protocol version to recent SSL/TLS versions, which might exclude users with older browsers.

Nginx

For Nginx, update the configuration file, which is usually located at /etc/nginx/nginx.conf, /etc/nginx/sites-enabled/yoursite.com (Ubuntu / Debian) or /etc/nginx/conf.d/nginx.conf (RHEL / CentOS). Add the following directives to the server section:

ssl_protocols TLSv1.2;
# AEAD suites only (AES-GCM, ChaCha20-Poly1305); CBC-mode suites such as ECDHE-RSA-AES256-SHA384 are left out
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;

Then restart the Nginx server.

Note that this limits the cipher suites and protocol version to recent SSL/TLS versions, which might exclude users with older browsers.
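
A check that can run before the Apache or Nginx configuration is reloaded, added here as an example and not part of the original guide: it extracts the SSLCipherSuite / ssl_ciphers directive from a config file and sorts every listed suite by its OpenSSL name into AEAD, CBC or unresolved. The function names, the name-based classification rule and the sample config are assumptions made for this example; group keywords such as HIGH are reported as unresolved rather than expanded.

```python
import re

# Cipher directive in Apache (SSLCipherSuite) and Nginx (ssl_ciphers) configs.
DIRECTIVE = re.compile(
    r"^[ \t]*(SSLCipherSuite|ssl_ciphers)[ \t]+(.+?);?[ \t]*$", re.M)
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")  # AEAD modes in OpenSSL suite names
NON_BLOCK = ("RC4", "NULL")                # stream/null suites: not CBC, still unwanted

# Constructed sample config for this example (not taken from a real server).
SAMPLE = """\
server {
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:AES128-SHA:HIGH:!aNULL';
}
"""


def classify(token):
    """Classify one element of an OpenSSL cipher string by its name (heuristic)."""
    if token[0] in "!-+":
        return "excluded"      # exclusion/reordering operators add no suites
    if "-" not in token or "+" in token:
        return "unresolved"    # group keyword; expand it with `openssl ciphers -v`
    if any(marker in token for marker in AEAD_MARKERS):
        return "aead"
    if any(marker in token for marker in NON_BLOCK):
        return "other"
    return "cbc"               # remaining block-cipher suites run in CBC mode


def audit(config_text):
    """Return {directive: {class: [suites]}} for each cipher directive found."""
    report = {}
    for name, value in DIRECTIVE.findall(config_text):
        classes = {}
        # OpenSSL accepts colon, comma or space as list separators.
        for token in re.split(r"[:,\s]+", value.strip("'\"")):
            if token:
                classes.setdefault(classify(token), []).append(token)
        report[name] = classes
    return report


if __name__ == "__main__":
    for directive, classes in audit(SAMPLE).items():
        print(directive, "CBC suites:", classes.get("cbc", []))
        print(directive, "unresolved:", classes.get("unresolved", []))
```

Any suite reported under "cbc" keeps the server exposed to the padding-timing behaviour described above; entries under "unresolved" need to be expanded on the target host, since their contents depend on the installed OpenSSL version.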
