Android app downgrading TLS protocol to SSL 3.0

1
votes

I performed vulnerability testing of some Android mobile applications I helped develop and I noticed some odd behavior. The applications used the default Android 5.0.2 cipher suite list that includes the TLS_FALLBACK_SCSV (0x5600) suite designed to prevent Poodle. See cipher suite list below:

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Cipher Suite: Unknown (0x5600)

When I looked at the TLS request sequence in the network capture it occurs over SSL 3.0 even though SSL3 isn't supported in the cipher suite list.

This doesn't look like Poodle. What i found the most interesting is that the negotiated cipher suite (in the Sever Hello request) was TLS_RSA_WITH_AES_128_CBC_SHA.

Does this mean the encrypted session effectively took place using the SSL3_RSA_WITH_AES_128_CBC_SHA cipher suite? And it is vulnerable to the same SSL 3.0 CBC vulnerability used to recover plain-text data by Poodle?

1
androidsecurityssl
security.stackexchange.com is a better forum for these kind of questions. - Steffen Ullrich
Thanks Steffen - I will post it there. - Michael

1 Answers

2
votes

The cipher suite is different from the protocol version. There are two protocol versions: The handshake Protocol, and the Record Layer Protocol.

The handshake protocol is the protocol with which client and server exchange parameters needed for secure communication. The Record Protocol is the format of the SSL records they send back and forth between them (usually clients use the same version).

TLS_FALLBACK_SCSV is not designed to prevent POODLE, it is designed to help mitigate DOWNGRADE attacks.

When that suite is present in the list presented by the client, it signals the server to use only the Highest TLS version it supports, provided this TLS version is equal to, or lower than that specified by the client in it's Client Hello.

This means that:

  • a TLS1.1 Handshake which includes TLS_FALLBACK_SCSV to a server that supports TLS1.2 will fail.
  • a TLS1.2 Handshake which includes TLS_FALLBACK_SCSV to a server that supports only TLS1.1 will succeed (server will respond with TLS1.1 which is the highest it supports)

The SCSV in the name means "Signalling Cipher Suite Value" -- it is merely a signal and not an actual cipher suite.

I believe TLS1.0 is the minimum TLS version that can use this extension.

Reference: https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-05