JVNDB-2020-018327

Malleability attack against executables encrypted by CBC mode with no integrity check

Overview

Researchers at NTT, University of Hyogo, and NEC have identified a security issue that leads to executing arbitrary code in executable files that are encrypted by CBC mode with no integrity check. This issue has been published in ACNS 2020.
There is a risk that an encrypted executable file may be manipulated by an attacker without prior knowledge of plaintext or secret key, resulting in arbitrary code execution if the developer does not take measures against the attack.

Developers can refer to the "Solution" section for countermeasures.

Please refer to JVNTA#94494000 for more details.

This document was written by Rintaro Fujita (NTT), Takanori Isobe (University of Hyogo), Kazuhiko Minematsu (NEC), and JPCERT/CC.

Affected Products

Encryption systems or software that use the following block cipher modes of operation with no integrity check may be affected.
  • CBC mode
  • CFB mode

(Multiple Vendors)
  • (Multiple Products)

Impact

The attack succeeds only when the attacker correctly predicts the proper location to inject the attack code, and the probability of success is 2^-10 to 2^-18. When it does succeed, the attacker can cause arbitrary code execution. This could lead to various malicious activities such as application execution and backdoor injection.

Solution

[Software developers should implement the following countermeasures:]

Use CBC mode with an integrity check by a message authentication code (MAC)

Implementing an integrity check with a MAC is an effective countermeasure.

The MAC value T of (C || IV) can be derived as follows, where the key K' is different from the key used for encryption. The tuple (T, C || IV) should be kept as the ciphertext for validation.

T = MAC (K', C || IV)

** Note that CRYPTREC Ciphers List recommends CMAC and HMAC for MAC algorithms.

Before decrypting the data, recompute T = MAC (K', C || IV) and confirm that the recomputed T matches the stored T. Decrypt the data only when the two T values are the same. If a cipher block C has been tampered with, the two T values will differ, so you can detect the tampering and prevent the attack. Since the attacker does not know the value of K', they cannot compute the correct MAC value T = MAC (K', C' || IV) for a tampered cipher block C'.
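
The verify-before-decrypt check described above, as an added example (not code from this advisory or its authors). It assumes HMAC-SHA-256 as the MAC; the names mac_tag, verify_then_decrypt and the decrypt callback are hypothetical, and the ciphertext is constructed random bytes standing in for CBC output.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # AES block size; the CBC IV is exactly one block

class TamperedCiphertext(Exception):
    """Stored tag T does not match MAC(K', C || IV)."""

def mac_tag(mac_key: bytes, ciphertext: bytes, iv: bytes) -> bytes:
    # T = MAC(K', C || IV), with HMAC-SHA-256 as the MAC (assumption).
    # The IV has a fixed length, so C || IV splits unambiguously.
    if len(iv) != BLOCK or len(ciphertext) % BLOCK != 0:
        raise ValueError("IV must be one block, C a whole number of blocks")
    return hmac.new(mac_key, ciphertext + iv, hashlib.sha256).digest()

def verify_then_decrypt(mac_key, tag, ciphertext, iv, decrypt):
    # Recompute T and compare in constant time BEFORE any decryption.
    expected = mac_tag(mac_key, ciphertext, iv)
    if not hmac.compare_digest(expected, tag):
        raise TamperedCiphertext("MAC mismatch: refusing to decrypt")
    return decrypt(ciphertext, iv)

def demo():
    mac_key = secrets.token_bytes(32)            # K', independent of the encryption key
    iv = secrets.token_bytes(BLOCK)
    ciphertext = secrets.token_bytes(4 * BLOCK)  # constructed stand-in for CBC output
    tag = mac_tag(mac_key, ciphertext, iv)       # stored as (T, C || IV)
    calls = []

    def decrypt(c, v):                           # hypothetical CBC decryptor
        calls.append((c, v))
        return b"plaintext"

    results = {"intact": verify_then_decrypt(mac_key, tag, ciphertext, iv, decrypt)}
    # A changed bit in a cipher block or in the IV must fail the check.
    flipped_c = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    flipped_iv = bytes([iv[0] ^ 0x01]) + iv[1:]
    for name, (c, v) in {"c": (flipped_c, iv), "iv": (ciphertext, flipped_iv)}.items():
        try:
            verify_then_decrypt(mac_key, tag, c, v, decrypt)
            results[name] = "accepted"
        except TamperedCiphertext:
            results[name] = "rejected"
    results["decrypt_calls"] = len(calls)        # decryptor ran only for intact input
    return results

if __name__ == "__main__":
    print(demo())
```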

Use XTS mode

When you need to preserve the message length, you can use XTS mode instead of CBC.

[For application users, the following measures are recommended:]

Even if your application uses CBC mode without an integrity check, the application may let you change the encryption algorithm or modes of operation. In this case, you can select a mode other than CBC or CFB to avoid the attack.

References

  1. JVN : JVNTA#94494000
  2. Related document : ACE in Chains: How Risky Is CBC Encryption of Binary Executable Files? | SpringerLink
  3. Related document : Cryptology ePrint Archive: Report 2020/1159 - ACE in Chains : How Risky is CBC Encryption of Binary Executable Files ?

Revision History

  • [2024/09/11]
      Web page was published