ASA-2019-00265 – HAProxy: Security issue in the TLS ticket key rotation


Allele Security Alert

ASA-2019-00265

Identifier(s)

ASA-2019-00265, CVE-2019-11323

Title

Security issue in the TLS ticket key rotation

Vendor(s)

HAProxy Technologies

Product(s)

HAProxy

Affected version(s)

HAProxy versions since commit:

MINOR: ssl: add support of aes256 bits ticket keys on file and cli.
https://git.haproxy.org/?p=haproxy.git;a=commit;h=9e7547

Fixed version(s)

HAProxy versions 1.9.7 and later

Proof of concept

Unknown

Description

Whenever HAProxy was reloaded with rotated keys, resumption would be broken for the previous encryption key.

Technical details

Since commit 9e7547, which added support for 80-byte keys, the key_128 member of union tls_sess_key has been defined as struct tls_sess_key_256 instead of struct tls_sess_key_128.

--- a/include/types/ssl_sock.h
+++ b/include/types/ssl_sock.h
@@ -63,7 +63,7 @@ struct tls_sess_key_256 {

union tls_sess_key{
unsigned char name[16];
- struct tls_sess_key_256 key_128;
+ struct tls_sess_key_128 key_128;
struct tls_sess_key_256 key_256;
} __attribute__((packed));
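
Review bot: The corrected key_128 member in union tls_sess_key still has nothing that stops its type from drifting away from its name again, since both struct types compile in that position. Add a build-time size assertion for key_128 and key_256 next to the union, plus a short comment stating which key length each member serves, so a repeat of the swapped type fails the build instead of silently changing the layout.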

As a result, whenever key_128 is used, it contains uninitialized values, resulting in very predictable HMAC keys.
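
The layout mismatch described above, as an added example that is not HAProxy's own code: it compares where the HMAC key of the key_128 view sits before and after the fix, relative to the 48 bytes a 48-byte key supplies. The struct field layouts are assumed from the 48- and 80-byte key sizes mentioned in this alert, and the names key_before, key_after, covered and HMAC_COVERED are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed layouts: 16-byte name + AES key + HMAC key (48 and 80 bytes). */
struct tls_sess_key_128 {
    unsigned char name[16], aes_key[16], hmac_key[16];
} __attribute__((packed));

struct tls_sess_key_256 {
    unsigned char name[16], aes_key[32], hmac_key[32];
} __attribute__((packed));

/* Union before the fix: key_128 carries the 256-bit layout. */
union key_before {
    unsigned char name[16];
    struct tls_sess_key_256 key_128;
    struct tls_sess_key_256 key_256;
} __attribute__((packed));

/* Union after the fix: key_128 carries the 128-bit layout. */
union key_after {
    unsigned char name[16];
    struct tls_sess_key_128 key_128;
    struct tls_sess_key_256 key_256;
} __attribute__((packed));

#define LOADED_48 48 /* bytes supplied by a 48-byte ticket key */

/* Number of bytes of the field [off, off+len) that lie inside the loaded key. */
static size_t covered(size_t off, size_t len, size_t loaded)
{
    return off >= loaded ? 0 : (loaded - off < len ? loaded - off : len);
}

/* HMAC key bytes of the key_128 view that a 48-byte key actually fills. */
#define HMAC_COVERED(U) covered(offsetof(U, key_128.hmac_key), \
        sizeof(((U *)0)->key_128.hmac_key), LOADED_48)
size_t hmac_covered_before(void) { return HMAC_COVERED(union key_before); }
size_t hmac_covered_after(void)  { return HMAC_COVERED(union key_after); }

/* Compile-time guard: the pre-fix definition would fail this check. */
_Static_assert(sizeof(((union key_after *)0)->key_128) == 48, "key_128 must be 48 bytes");

int main(void)
{
    printf("before fix: %zu of 32 HMAC key bytes come from the key\n", hmac_covered_before());
    printf("after fix:  %zu of 16 HMAC key bytes come from the key\n", hmac_covered_after());
    return 0;
}
```

Under the assumed layout, the pre-fix HMAC key field begins at byte 48, exactly where a 48-byte key ends, so none of it is filled from the key.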

Credits

Nenad Merdanovic

Reference(s)

[ANNOUNCE] haproxy-1.9.7
https://www.mail-archive.com/haproxy@formilux.org/msg33410.html

BUG/MINOR: ssl: Fix 48 byte TLS ticket key rotation
https://git.haproxy.org/?p=haproxy.git;a=commit;h=8ef706502aa2000531d36e4ac56dbdc7c30f718d

MINOR: ssl: add support of aes256 bits ticket keys on file and cli.
https://git.haproxy.org/?p=haproxy.git;a=commit;h=9e7547

CVE-2019-11323
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11323

CVE-2019-11323
https://nvd.nist.gov/vuln/detail/CVE-2019-11323

Last modified: May 13, 2019