Slashdot Mirror


Socat Weak Crypto Draws Suspicions Of a Backdoor (threatpost.com)

msm1267 writes: Socat is the latest open source tool to come under suspicion that it is backdoored. A security advisory published Monday warned that the OpenSSL address implementation in Socat contains a hard-coded Diffie-Hellman 1024-bit prime number that was not prime. "The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p," the advisory said. "Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out." Socat said it has generated a new prime that is 2048 bits long; versions 1.7.3.0 and 2.0.0-b8 are affected. The advisory adds that a temporary workaround would be to disable the Diffie-Hellman ciphers.

50 comments

  1. There seem to be a lot of these backdoors by Anonymous Coward · · Score: 2, Insightful

    Putting on my tin-foil hat, it almost seems like there is a coordinated program to backdoor security products, and attribute them to a 'mistake'. But that's just me being paranoid.

    1. Re:There seem to be a lot of these backdoors by gstoddart · · Score: 4, Insightful

      > Putting on my tin-foil hat, it almost seems like there is a coordinated program to backdoor security products, and attribute them to a 'mistake'. But that's just me being paranoid.

      In fairness, intentionally weakening crypto requires as much understanding of it as doing it right.

      Screwing it up, however, can be done by any moron.

      Which happened here? Who the hell knows.

      --
      Lost at C:>. Found at C.
    2. Re: There seem to be a lot of these backdoors by Anonymous Coward · · Score: 0

      I thought it was called a backhole?

    3. Re:There seem to be a lot of these backdoors by Anonymous Coward · · Score: 2, Insightful

      > Which happened here? Who the hell knows.

      Oh please.

      You're probably trying to do the "it's just incompetence, not malice" thing.

      But after seeing this pattern over and over.. no, it reeks of manipulation.

      Any advanced malice is indistinguishable from incompetence.

    4. Re: There seem to be a lot of these backdoors by Anonymous Coward · · Score: 1

      > I thought it was called a backhole?

      Just like your mother, Trebek.

    5. Re:There seem to be a lot of these backdoors by mugurel · · Score: 2

      > Putting on my tin-foil hat, it almost seems like there is a coordinated program to backdoor security products, and attribute them to a 'mistake'. But that's just me being paranoid.

      Speaking of which, did you ever check your tin-foil hat for backdoors?

    6. Re:There seem to be a lot of these backdoors by Anonymous Coward · · Score: 0

      This was intentional.

    7. Re:There seem to be a lot of these backdoors by arglebargle_xiv · · Score: 3, Interesting

      Given that it also used 512-bit primes, which are toy keys that were weak twenty years ago, it's more likely a screwup. Seeing messed-up crypto written by people whose crypto knowledge extends to reading the Wikipedia page on RSA and perhaps one or two chapters of Applied Cryptography is pretty much par for the course.

      From a very brief Google of socat howtos, I couldn't see much about enabling or applying checking of certs, which means it probably doesn't do that either. In addition the advisory is pretty confusing, what does "OpenSSL address implementation" mean? Since the server supplies the DH values and OpenSSL itself has known-good DH values, why is there some other value hardcoded into socat?

    8. Re: There seem to be a lot of these backdoors by Anonymous Coward · · Score: 0

      You bet it was, it's socat.

    9. Re:There seem to be a lot of these backdoors by techno-vampire · · Score: 1

      > In fairness, intentionally weakening crypto requires as much understanding of it as doing it right.

      In this case, all it would have needed is understanding that it's important that the numbers used to generate the keys are prime and that substituting a composite number would make the keys easier to find. I'm not claiming that this is what happened, but it's not something that only a cryptography specialist could have come up with.

      --
      Good, inexpensive web hosting
    10. Re:There seem to be a lot of these backdoors by Anonymous Coward · · Score: 0

      Not really. Reading the Wikipedia page on RSA and two chapters of Applied Cryptography would more than suffice to 100% exclude the use of 512-bit primes.

  2. This cannot happen accidentally by JoshuaZ · · Score: 5, Insightful

    This cannot happen accidentally. We have for example versions of the Miller-Rabin test https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test which easily test primality if you believe the Riemann Hypothesis and other versions which unconditionally give such a high probability that one is more likely to have had a cosmic ray wreck your computing results than for the test to be erroneous. You can use for example this Javascript http://www.javascripter.net/math/primes/millerrabinprimalitytest.htm. There's no obvious way one would come up with a composite number unless one was deliberately trying. Hopefully there's enough of a record to note when this fake prime was put in.

    1. Re:This cannot happen accidentally by Anonymous Coward · · Score: 5, Funny

      This evening I'll reflect on your rant while performing the Miller-Coors test

    2. Re:This cannot happen accidentally by JoshuaZ · · Score: 5, Informative

      Followup: according to this thread https://news.ycombinator.com/item?id=11014175 the number in question fails at even being a pseudoprime for small bases, which means that even the most simple checks were not done. That thread also mentions the individual responsible for giving the "prime" - I'm not sure why he's not being grilled pretty heavily right now.

    3. Re:This cannot happen accidentally by Anonymous Coward · · Score: 0

      Please let us know your results

    4. Re:This cannot happen accidentally by Pseudonym · · Score: 3, Informative

      It easily can happen accidentally. The probability of a bug in your implementation of the Miller-Rabin test (for a general "you") is quite high.

      Now look at the history here. The patch was submitted by someone who admitted "I don't have enough knowledge to implement the merge", and was accepted without any serious review. Looking at my own history of screwing up commits, it's fairly easy to see how this might have happened.

      I'm just lucky that none of mine had implications that serious. There but for the grace of His Noodly Appendage...

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    5. Re:This cannot happen accidentally by Anonymous Coward · · Score: 0

      Megaswill continuous-fermented lagers are not going to give you good results. At least try a real ale?

    6. Re:This cannot happen accidentally by Pseudonym · · Score: 1

      > I'm not sure why he's not being grilled pretty heavily right now.

      Because 99% of the time, the process is to blame, not the person.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    7. Re:This cannot happen accidentally by Anonymous Coward · · Score: 0

      > This cannot happen accidentally

      You're neglecting incompetence.

      Remember, every time you say "no one could possibly be that dumb", the universe is inclined to disprove you.

    8. Re:This cannot happen accidentally by Impy+the+Impiuos+Imp · · Score: 1

      Do we know the process that generated this number, and how it didn't include apparently minimal verification?

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    9. Re:This cannot happen accidentally by Gravis+Zero · · Score: 1

      A note in the commit indicates that Socat was not working in FIPS mode because it requires a 1024 Diffie-Hellman prime, and added that a developer named Zhiang Wang provided a patch with the new prime. The poster revealed that Wang works at Oracle and contributes to Socat.

      Accidental or malicious, Mr. Wang is about to have a very bad day.

      --
      Anons need not reply. Questions end with a question mark.
    10. Re:This cannot happen accidentally by sumdumass · · Score: 1

      While you're at it, check to see if the numbers within the number can actually make a prime. What I mean is 457 is a prime but 475 isn't. So could it be a matter of a digit being transposed?

    11. Re:This cannot happen accidentally by arglebargle_xiv · · Score: 1

      Yes it can. I get asked to do audits of crypto code and see stuff like this all over the place. You mention things like the Miller-Rabin test (I kinda like Frobenius myself) and the extended Riemann Hypothesis when the guy who wrote the code/made the change probably didn't get any further than using Google and copying the result from the first hit he found on Stackexchange, which copied it from somewhere else and got the endianness wrong or something (hmm, must find a machine with Mathematica and feed it in byte-reversed to see what drops out).

    12. Re:This cannot happen accidentally by Dwedit · · Score: 1

      I was once in computer security class, and my Miller-Rabin primality test ended up calling an even number prime. I can totally see these failures happening.

    13. Re:This cannot happen accidentally by Anonymous Coward · · Score: 0

      > I was once in computer security class, and my Miller-Rabin primality test ended up calling an even number prime. I can totally see these failures happening.

      2 is a prime number though :)

    14. Re:This cannot happen accidentally by germansausage · · Score: 1

      What sort of evil hold do they have on you that they can force you to drink Miller-Coors.

    15. Re:This cannot happen accidentally by Anonymous Coward · · Score: 0

      Some outsider submits a new "prime" to an encryption project and none of the (supposedly cryptology-savvy) developers checks it? Sorry, I cannot see this kind of failure happening unless everyone in that project is extremely negligent or malicious.

    16. Re:This cannot happen accidentally by Anonymous Coward · · Score: 0

      Just a wild guess, but I very much suspect that the guy used (either the command line tool or the programmatic equivalent of) "openssl genrsa 1024" instead of "openssl dhparam 1024" to generate this value.

      In other words the value is a public RSA modulus (by definition not a prime!) rather than a DH safe prime.

      Easy to get wrong if you're not paying attention or are unfamiliar with the background or the openssl toolset. I can quite believe it's pure accident (though it really should have been verified before committing it.)

      (On the bright side genrsa runs *much* faster than dhparam for equivalent output sizes. Just unfortunate that it pretty much destroys the security properties of a well generated DH parameter set.)

  3. Technical discussion by bill_mcgonigle · · Score: 2

    link to the technical discussion from the article (which propeller heads may safely skip).

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re: Technical discussion by Anonymous Coward · · Score: 0

      While reading the discussion you linked, I found myself wondering if this is why the export restrictions were lifted.

  4. I've gone pure OpenBSD. It's the only safe way. by Anonymous Coward · · Score: 0

    Some time ago I decided to go purely OpenBSD. I do my best to only use software they've provided, except when there's absolutely no other option.

    They might not be perfect, but the OpenBSD devs have repeatedly shown that they take security very seriously, and their security practices are much beyond those of other projects' practices.

    I can't imagine how anybody who cares about security would run Linux these days. I don't think that systemd, for example, has undergone a security audit anywhere near as stringent as that which the OpenBSD devs subject their code to.

    Heck, the OpenBSD devs will even fork third party software and fix and maintain it themselves if the original authors aren't capable of meeting the extremely stringent standards of the OpenBSD devs.

    All other projects should strive to be like OpenBSD when it comes to security. They're the leaders who we all need to look up to.

    1. Re:I've gone pure OpenBSD. It's the only safe way. by Anonymous Coward · · Score: 0

      > I don't think that systemd, for example, has undergone a security audit anywhere near as stringent as that which the OpenBSD devs subject their code to.

      Comparing the security consciousness of Pottering to the OpenBSD guys? Understatement of the century!

  5. The "experts" tell us not to roll our own crypto by Anonymous Coward · · Score: 0, Troll

    So the crypto "experts" repeatedly tell us not to roll our own crypto. So we use theirs instead. Then we find out that it's buggy as all fuck. Just look at OpenSSL, and the many security flaws it has been found to have. Now there's this flaw with this utility, plus the many other incidents lately.

    Why the hell should we trust these people any longer? It's not like these bugs are obscure or justifiable in some way. I mean, these supposed "experts" are fucking up the most basic stuff! These are mistakes that we mere mortals would probably not have made had we, gasp, rolled our own crypto.

    The lesson we should all learn from this is that when self-proclaimed "experts" tell you to not do something on our own, we should be extra cautious using whatever they're pushing us to use instead. It could very well be much, much worse than anything we'd create on our own.

  6. The article doesn't mention by superwiz · · Score: 1

    what is the length of the smallest prime factor of this "prime". the length of the smallest prime factor would determine the actual strength of the encryption.

    --
    Any guest worker system is indistinguishable from indentured servitude.
    1. Re:The article doesn't mention by vux984 · · Score: 1

      Well, we can presume that at BEST it's 512. (As two 512-bit numbers multiplied together is 1024 bits.)

    2. Re:The article doesn't mention by superwiz · · Score: 1

      Agreed. But it would just be nice if they mentioned what it was.

      --
      Any guest worker system is indistinguishable from indentured servitude.
    3. Re:The article doesn't mention by xorbe · · Score: 1

      257 and 13597 were immediately found, per the thread

    4. Re:The article doesn't mention by superwiz · · Score: 2

      eewwh... 271 is a factor:

      https://news.ycombinator.com/i...

      --
      Any guest worker system is indistinguishable from indentured servitude.
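
Several comments above turn on checks that were skipped before the constant was committed: trial division (the 271 factor), Miller-Rabin with small bases, and the guess that an RSA modulus was pasted where a DH safe prime belonged. The following is an added example, not part of the thread and not socat's code: a Python audit of a candidate DH modulus, in which `audit_dh_modulus` and the sample values are constructed for illustration, since the socat constant is not reproduced on this page.

```python
import secrets

# Primes below 20000 for trial division (simple, fast enough at this size).
SMALL_PRIMES = [q for q in range(2, 20000)
                if all(q % d for d in range(2, int(q ** 0.5) + 1))]

def smallest_small_factor(n):
    """Smallest prime factor of n below 20000, or None if there is none."""
    for q in SMALL_PRIMES:
        if q * q > n:
            return None          # n itself is a small prime (or < 4)
        if n % q == 0:
            return q
    return None

def is_probable_prime(n, rounds=40):
    """Miller-Rabin: small fixed bases first, then random ones."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:            # write n - 1 as d * 2**s with d odd
        d, s = d // 2, s + 1
    bases = [a for a in (2, 3, 5, 7) if a < n - 1]
    bases += [2 + secrets.randbelow(n - 3) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False         # a is a witness: n is composite
    return True

def audit_dh_modulus(p, min_bits=2048):
    """Checks to run on a hard-coded DH modulus before it is committed."""
    factor = smallest_small_factor(p)
    prime = factor is None and is_probable_prime(p)
    safe = prime and is_probable_prime((p - 1) // 2)   # (p-1)/2 prime too
    return {"bits": p.bit_length(), "long_enough": p.bit_length() >= min_bits,
            "small_factor": factor, "probable_prime": prime, "safe_prime": safe}

# Constructed stand-ins for illustration, not the socat constant.
M89, M107, M127, M521 = (2**e - 1 for e in (89, 107, 127, 521))
RSA_STYLE = M89 * M107           # product of two primes, like an RSA modulus

if __name__ == "__main__":
    for name, n in [("RSA-style", RSA_STYLE), ("271 * M127", 271 * M127),
                    ("M521", M521)]:
        print(name, audit_dh_modulus(n))
```
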
  7. Let's use the proper terminology by pjcreath · · Score: 3, Informative

    The correct term for this is backhole.

    1. Re:Let's use the proper terminology by Anonymous Coward · · Score: 0

      lol

  8. Re:Typical open source problems by Anonymous Coward · · Score: 0

    Not terribly bright, are ye? Failing to choose a prime number where a prime number is required is language-independent.

  9. They can neither confirm nor deny by WillAffleckUW · · Score: 2

    They can neither confirm nor deny, nor admit electronically or in print, that they have been backdoored.

    Even if it's obvious (and a requirement) that they are.

    --
    -- Tigger warning: This post may contain tiggers! --
  10. Proof NetCat Is Superior by Anonymous Coward · · Score: 0

    This proves that NetCat(nc) is superior to socat. NetCat has no such vulnerability.

    Suck it socat!

  11. Oh, so now it's back to "backdoored"? by wonkey_monkey · · Score: 1

    > Socat Weak Crypto Draws Suspicions Of a Backdoor

    I thought we were calling them "backholes" now?

    --
    systemd is Roko's Basilisk.
    1. Re:Oh, so now it's back to "backdoored"? by Anonymous Coward · · Score: 0

      > Socat Weak Crypto Draws Suspicions Of a Backdoor

      > I thought we were calling them "backholes" now?

      If you're into that kind of thing... We are not judging you.

    2. Re:Oh, so now it's back to "backdoored"? by Anonymous Coward · · Score: 0

      It's important to stay sex-positive.

      What I'm trying to figure out is how to "encrypt my business" and what sort of itch is that meant to scratch??

  12. So what's the problem here? by Anonymous Coward · · Score: 0

    FFS it's open source. Modify the code so that shit is more secure, and revoke privs to the retard responsible for putting something like that there in the first place, until he has demonstrably removed his head from his ass (and even then, leave the crypto to the big boys, cause you're way outta your depth son)

    ...and now to fire up google, so I can find out what the fuck socat even is.

  13. Devuan is insecure as well. by Anonymous Coward · · Score: 0

    Devuan (the fork of Debian) sure doesn't take security seriously (neither does Debian).

    They pooh-poohed a request to bring things like the bastille-linux hardening script back in (would work fine for Devuan as no systemd), saying a REAL system admin does all the 100 config things HIMSELF!

    (Bastille goes back to the early 2000s, they're just trying to protect their jobs, fat old blowhard fucks)

    Then they chewed out someone for being sexist.
    (SJW pieces of shit too :( )