2022-07-13 Recent News

OpenSSL Security Advisory [5 July 2022]

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.

Part of the build process of OpenSSL is testing. All builds should be tested before being used in a production environment and the notice points out that by properly testing, this case should be detected. This seems like a scary headline, but in reality isn't a big deal as long as builds are tested before deployment.

Updating from OpenSSL 3.0.4 to 3.0.5 will also fix this issue.
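To turn the advisory's two conditions (exactly OpenSSL 3.0.4, and a CPU advertising AVX512IFMA) into a quick inventory check, here is an added example of my own, not something from the OpenSSL project: it parses `openssl version` output and `/proc/cpuinfo`-style text and reports whether the host matches. The sample version and cpuinfo strings are constructed; the live check under `main()` is only a convenience and tells you about the `openssl` binary on PATH, not about applications that link their own copy of libcrypto, which you have to check separately.

```python
import re
import subprocess

AFFECTED = (3, 0, 4)      # the only release the advisory names as carrying the bug
CPU_FLAG = "avx512ifma"   # flag Linux prints in /proc/cpuinfo for AVX512IFMA support


def parse_openssl_version(version_line):
    """Return (major, minor, patch) from `openssl version` output, or None."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", version_line)
    return tuple(int(x) for x in m.groups()) if m else None


def cpu_has_flag(cpuinfo_text, flag=CPU_FLAG):
    """True if any 'flags' line of /proc/cpuinfo-style text lists `flag`."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, flags = line.partition(":")
            if flag in flags.split():
                return True
    return False


def is_affected(version_line, cpuinfo_text):
    """Both conditions from the advisory must hold: 3.0.4 and an AVX512IFMA CPU."""
    return parse_openssl_version(version_line) == AFFECTED and cpu_has_flag(cpuinfo_text)


# Constructed sample inputs (shapes mimic real output; values are made up for the demo).
SAMPLE_VERSION_BAD = "OpenSSL 3.0.4 21 Jun 2022"
SAMPLE_VERSION_OK = "OpenSSL 3.0.5 5 Jul 2022"
SAMPLE_CPUINFO_IFMA = "processor\t: 0\nflags\t\t: fpu vme sse avx512f avx512ifma\n"
SAMPLE_CPUINFO_PLAIN = "processor\t: 0\nflags\t\t: fpu vme sse avx2\n"


def main():
    """Inspect the running host; degrade gracefully when openssl or cpuinfo is absent."""
    try:
        version_line = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=True
        ).stdout
        with open("/proc/cpuinfo") as f:
            cpuinfo = f.read()
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"could not inspect host: {exc}")
        return
    print("affected: update to 3.0.5" if is_affected(version_line, cpuinfo) else "not affected")


if __name__ == "__main__":
    main()
```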

Sources

https://www.openssl.org/news/secadv/20220705.txt

OpenSSL Releases Patch for High-Severity Bug that Could Lead to RCE Attacks
A security patch has been released for #OpenSSL to fix a high-severity bug (CVE-2022-2274) in the cryptographic library that could lead to remote code
https://thehackernews.com/2022/07/openssl-releases-patch-for-high.html

Chrome

This patch contains important fixes to CVE-2022-2294, CVE-2022-2295, and CVE-2022-2296.

CVE-2022-2294

This is a high severity vulnerability: a heap buffer overflow in WebRTC. Exploits for it have already been detected in the wild, which makes this an important patch to install. Google also stated that it won't provide detailed information until "a majority of users are updated with a fix", which sounds like an ethical way to go about vulnerability disclosure to me.

This vulnerability was reported by "Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01".

CVE-2022-2295

This vulnerability is a type confusion in V8 (big surprise). Again no details are released yet, but it has a high severity.

This vulnerability was reported by "avaue and Buff3tts at S.S.L. on 2022-06-16".

CVE-2022-2296

This CVE is also a high severity vulnerability that is a use after free in Chrome's OS Shell. It was reported by "Khalil Zhani on 2022-05-19".

Sources

Stable Channel Update for Desktop
The Stable channel has been updated to 103.0.5060.114 for Windows, which will roll out over the coming days/weeks. A full list of changes i...
https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html
Google patches new Chrome zero-day flaw exploited in attacks
Google has released Chrome 103.0.5060.114 for Windows users to address a high-severity zero-day vulnerability exploited by attackers in the wild, the fourth Chrome zero-day patched in 2022.
https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-flaw-exploited-in-attacks/

Quantum Secure Algorithms

This is an exciting one for me despite it being about cryptography. I've been very interested in quantum computing for a while and how they'll improve the current world of computers. I'm mostly interested in quantum states being able to represent a large amount of data / quantum teleportation networks allowing quantum information to be transported using entanglement, but having encryption that can't be broken by quantum computers also holds heightened importance to me.

According to estimates in "Quantum Computing: Progress and Prospects" (National Academies of Sciences, Engineering, and Medicine, 2019, Washington, DC: The National Academies Press, https://doi.org/10.17226/25196, page 98), RSA (up to 4096 bits) will be solvable within 10 days, and ECC discrete-log algorithms (up to 521 bits) will be solvable within 3 days (accessed from https://nap.nationalacademies.org/read/25196/chapter/6#98). Both of these estimates assume an implementation of Shor's quantum algorithm, which runs in polynomial time, which is completely wild.

CRYSTALS-Kyber

This algorithm is a key encapsulation mechanism (KEM) intended to replace the key exchange used by general encryption protocols, for example when establishing a secure (HTTPS) connection to a webpage. The recommended version for pre-quantum applications is a hybrid mode using Diffie-Hellman for key exchange alongside Kyber-768.

This algorithm uses the difficulty of the "learning with errors" problem over module lattices.

CRYSTALS-Dilithium

This algorithm is for creating secure digital signatures. Digital signatures are used to verify that someone in the digital space is who they claim to be.

This algorithm also gets its security from the difficulty of solving lattice problems.

FALCON

Fast-Fourier Lattice-based Compact Signatures Over NTRU. Before going further, I want to complain that there is no "S" in FALCON, AND they use a nested acronym in their acronym. NTRU stands for Number Theorists 'R' Us or, Number Theory Research Unit and is an open source public-key cryptosystem. NTRU uses lattice problems just like Kyber and Dilithium.

FALCON is used for cryptographic (digital) signatures. The resulting signatures from this algorithm are shorter than Dilithium's.

SPHINCS+

This algorithm is based on the SPHINCS algorithm. A breakdown of changes can be found on Andreas Hülsing's blog. Essentially the algorithm is a "stateless hash-based signature scheme", aka another quantum secure digital signature algorithm. According to NIST this algorithm is "larger and slower" than the other three, but it relies on hash functions for security instead of lattices.
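To show what "hash-based signature" means and why such signatures are large, here is an added example of my own, not SPHINCS+ code: a Lamport one-time signature, the simplest ancestor of the family. Each of the 256 bits of the message digest has a pair of random secrets; the public key is their hashes, and a signature reveals one secret per bit, so it is 256 × 32 = 8192 bytes. Security rests only on the preimage resistance of the hash. The scheme is one-time: signing two different messages with the same key reveals both secrets for every bit position where the digests differ, which is why SPHINCS+ combines one-time and few-time primitives (WOTS+, FORS) in a hypertree and selects leaves pseudorandomly so no state has to be kept.

```python
import hashlib
import secrets

H = hashlib.sha256
NBITS = 256          # digest length in bits; one secret pair per bit
SECRET_LEN = 32


def lamport_keygen():
    """Secret key: 256 pairs of random strings. Public key: their hashes."""
    sk = [(secrets.token_bytes(SECRET_LEN), secrets.token_bytes(SECRET_LEN))
          for _ in range(NBITS)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def _digest_bits(message):
    digest = H(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(NBITS)]


def lamport_sign(sk, message):
    """Reveal, for each digest bit, the secret chosen by that bit's value."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_digest_bits(message)))


def lamport_verify(pk, message, sig):
    """Hash each revealed secret and compare with the public key entry the bit selects."""
    if len(sig) != NBITS * SECRET_LEN:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(message)):
        chunk = sig[SECRET_LEN * i:SECRET_LEN * (i + 1)]
        # Keep checking every position rather than returning early, so the
        # verifier's timing does not reveal where a bad signature first fails.
        ok &= H(chunk).digest() == pk[i][bit]
    return ok


def demo():
    """Constructed demo: sign one message, then check a tampered signature fails."""
    sk, pk = lamport_keygen()
    msg = b"quantum secure, classically huge"
    sig = lamport_sign(sk, msg)
    tampered = bytes([sig[0] ^ 0x01]) + sig[1:]
    return {
        "sig_bytes": len(sig),
        "valid": lamport_verify(pk, msg, sig),
        "tampered_valid": lamport_verify(pk, msg, tampered),
        "other_msg_valid": lamport_verify(pk, b"another message", sig),
    }


if __name__ == "__main__":
    print(demo())
```

Compare the 8192-byte signature with the roughly 7.8 KB that NIST's "larger" remark refers to for SPHINCS+ at the smallest parameter set: the trick in SPHINCS+ is not shrinking this idea much, but making one public key good for many signatures.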

Some of my crypto n00b thoughts:

  1. Can module lattice "rainbow tables" exist, and what would they be called? "Rainbow lattices"?
  2. Going through a couple of the algorithm proposals, they used CPU cycles to determine the time / complexity of the algorithm. Would this be the same number of cycles for all processors with the same instruction set and would the cycle count change dramatically from AMD to Intel processors / versions of processor?

Sources

NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
Federal agency reveals the first group of winners from its six-year competition.
https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms
The cryptopocalypse is nigh! NIST rolls out new encryption standards to prepare
Decision will be binding on many companies and change the way they protect your data.
https://arstechnica.com/information-technology/2022/07/nist-selects-quantum-proof-algorithms-to-head-off-the-coming-cryptopocalypse/
NIST Identifies 4 Quantum-Resistant Encryption Algorithms
Federal researchers are one step closer to protecting U.S. data from quantum computing decryption capabilities.
https://www.nextgov.com/cybersecurity/2022/07/nist-identifies-four-quantum-resistant-encryption-algorithms/368954/
Prepare for a New Cryptographic Standard to Protect Against Future Quantum-Based Threats | CISA
The National Institute of Standards and Technology (NIST) has announced that a new post-quantum cryptographic standard will replace current public-key cryptography, which is vulnerable to quantum-based attacks.
https://www.cisa.gov/uscert/ncas/current-activity/2022/07/05/prepare-new-cryptographic-standard-protect-against-future-quantum
Kyber
https://pq-crystals.org/kyber/
Dilithium
https://pq-crystals.org/dilithium/
Falcon
https://falcon-sign.info/
SPHINCS+
https://sphincs.org/
PHSC138
The World Wide Web