[exim-announce] Exim, TLS, "CRIME" attack

Author: Phil Pennock
Date:  
To: exim-announce
Subject: [exim-announce] Exim, TLS, "CRIME" attack
Short version: if you take authentication data in Exim, or supply it,
over TLS, with Exim built against OpenSSL, then you _might_ want to set:
  openssl_options = +no_compression
in your Exim configuration file. This option value requires Exim 4.80
and a version of OpenSSL which defines SSL_OP_NO_COMPRESSION (1.0.0 or
greater). We might fix this for Exim 4.81 to not be necessary.

There's no adjustment possible with GnuTLS yet.

Longer version:

The "CRIME" attack uses TLS compression against itself: if someone can
control part of the content of a TLS session, they can iterate across
multiple sessions to try to make the packets smaller, by trying to
repeat content they don't have access to: your SMTP authentication data.

Any sort of attack would probably trip any ratelimits you might have
configured, and would be visible as many mails, and requires the
attacker to both be able to send mail from a client and witness the
packet sizes on the wire, and send the mail to someone who won't be
bothered by the sheer volume of such mails (eg, themselves).

Whether this affects your setup is not something I can decide for you.
Much of the analysis for the impact of BEAST applies here too:
https://lists.exim.org/lurker/message/20110924.025611.322d31d8.en.html
(Ignore the "CBC, OpenSSL & GnuTLS" section).

I do not intend to disable TLS compression by default in Exim. Most
uses of TLS remain unauthenticated (and, at this time, unverified).

The "openssl_options" option was added in Exim 4.73, using the list of
SSL_OP_* values available at the time. As part of the TLS overhaul in
Exim 4.80, the list of detected SSL_OP_* defines was updated to those
available in OpenSSL 1.0.1c. Before Exim 4.80, SSL_OP_NO_COMPRESSION
was not detected.

The fix to add "no_compression" -> SSL_OP_NO_COMPRESSION is a very easy
backport to apply, if this functionality is wanted in an earlier version
of Exim which is at least version 4.73. It's three lines to add, then just
recompile.

In src/tls-openssl.c the exim_openssl_options[] array contains the list
of options, in alphabetical order. It needs to gain:
----------------------------8< cut here >8------------------------------
#ifdef SSL_OP_NO_COMPRESSION
  { US"no_compression", SSL_OP_NO_COMPRESSION },
#endif
----------------------------8< cut here >8------------------------------
and this needs OpenSSL 1.0.0 or greater; the 0.9.<...> series of
releases does not expose this option. (The change is safe to make to
Exim regardless, because of the #ifdef guard.)

For GnuTLS, there is no available control for Exim to adjust, so there
is no defence available for Exim built against GnuTLS. Should this
situation change, I expect to add support to Exim for using that
control.

I will examine the feasibility of avoiding this issue with Exim 4.81 on
OpenSSL by forcing a BIO_flush() after SMTP AUTH. At present, although
not guaranteed, this forces a compression block end in OpenSSL, which
changes the compression dictionary and so makes this attack impossible.

-Phil
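
The size dependence described in the message, as an added example that is not part of the original post or of Exim: it uses zlib to compare a shared compression dictionary, a dictionary dropped after AUTH, and no compression. The credentials are constructed, and Z_FULL_FLUSH is an assumed stand-in for a dictionary change, not a statement of what OpenSSL's BIO_flush() does.

```python
import base64
import zlib


def auth_line(user: bytes, password: bytes) -> bytes:
    """SMTP AUTH PLAIN command as it would appear inside the TLS session."""
    token = base64.b64encode(b"\0" + user + b"\0" + password)
    return b"AUTH PLAIN " + token + b"\r\n"


# Constructed sample credentials, not taken from any real system.
REAL = auth_line(b"alice", b"c0rrect-h0rse-battery")
OTHER = auth_line(b"zebra", b"Qx7!mW2#pLk9vTd4-RuYe")


def later_size(auth: bytes, later: bytes, mode: str) -> int:
    """Bytes on the wire for `later`, sent after `auth` in the same session.

    mode "shared": one deflate stream, dictionary survives the record boundary
    mode "reset":  dictionary dropped after AUTH (modelled with Z_FULL_FLUSH)
    mode "off":    no compression, the +no_compression case
    """
    if mode == "off":
        return len(later)
    comp = zlib.compressobj(level=9, wbits=-15)  # raw deflate, no zlib header
    comp.compress(auth)
    # End the block holding the AUTH data; only "reset" forgets its contents.
    comp.flush(zlib.Z_FULL_FLUSH if mode == "reset" else zlib.Z_SYNC_FLUSH)
    return len(comp.compress(later) + comp.flush(zlib.Z_SYNC_FLUSH))


def size_dependence(mode: str) -> int:
    """How much the size of later traffic depends on the earlier AUTH data.

    The later content repeats the token from REAL. Zero means an observer
    of packet sizes learns nothing about which credentials were sent.
    """
    later = b"X-Note: " + REAL.split(b" ")[2]
    return later_size(OTHER, later, mode) - later_size(REAL, later, mode)


if __name__ == "__main__":
    for mode in ("shared", "reset", "off"):
        print(f"{mode:7s} size dependence: {size_dependence(mode)} bytes")
```

A non-zero result for "shared" is the signal the message describes; "reset" and "off" both remove it, the latter corresponding to openssl_options = +no_compression.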