We have just completed our analysis of the impact of the FREAK vulnerability (CVE-2015-0204) on our NET-OS product. The vulnerability listed in the notice deals with the ability of a man-in-the-middle (MitM) attacker to inject messages into the encrypted stream so that the data can be recovered. The current cost of conducting this attack is approximately $100 US and 11 hours of time on an Amazon EC2 compute node for each decrypted stream.
This attack can happen when a vulnerable client and server both support EXPORT cipher lists. When these are supported, an attacker can conduct an RSA to EXPORT_RSA downgrade attack while offering a weak ephemeral RSA key in a noncompliant role. CVE-2015-0204 only applies to client code based on OpenSSL.
To mitigate this risk, Digi suggests that all NET-OS customers re-compile their application code to disable ALL EXPORT ciphers in their server code. We also suggest that this be done for client-side code as well.
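One way to enforce that recommendation in application code, as an added example that is not Digi's or NET-OS code: a filter that removes every EXPORT suite from a cipher-suite list before it is handed to the SSL layer. The function names are hypothetical, the list is assumed to be an array of 16-bit IANA suite IDs, and the sample list is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA TLS cipher suite IDs whose registered names contain "EXPORT". */
static const uint16_t EXPORT_SUITES[] = {
    0x0003, 0x0006, 0x0008,          /* TLS_RSA_EXPORT_WITH_* (the EXPORT_RSA downgrade target) */
    0x000B, 0x000E, 0x0011, 0x0014,  /* TLS_DH_* and TLS_DHE_*_EXPORT_WITH_DES40_CBC_SHA */
    0x0017, 0x0019,                  /* TLS_DH_anon_EXPORT_WITH_* */
    0x0026, 0x0027, 0x0028, 0x0029, 0x002A, 0x002B /* TLS_KRB5_EXPORT_WITH_* */
};

/* Returns 1 if the suite ID is an EXPORT suite, 0 otherwise. */
int is_export_suite(uint16_t id)
{
    size_t i;
    for (i = 0; i < sizeof EXPORT_SUITES / sizeof EXPORT_SUITES[0]; i++)
        if (EXPORT_SUITES[i] == id)
            return 1;
    return 0;
}

/* Compacts `suites` in place, keeping order, and returns the new length.
 * *removed (if non-NULL) receives the number of EXPORT suites dropped. */
size_t strip_export_suites(uint16_t *suites, size_t n, size_t *removed)
{
    size_t in, out = 0;
    for (in = 0; in < n; in++)
        if (!is_export_suite(suites[in]))
            suites[out++] = suites[in];
    if (removed)
        *removed = n - out;
    return out;
}

int main(void)
{
    /* Constructed sample list, not taken from any real NET-OS build. */
    uint16_t offered[] = { 0x002F, 0x0003, 0x0035, 0x0008, 0x0014, 0x000A };
    size_t removed, n = strip_export_suites(offered, 6, &removed);
    size_t i;
    printf("removed %u EXPORT suites, %u remain:", (unsigned)removed, (unsigned)n);
    for (i = 0; i < n; i++)
        printf(" 0x%04X", offered[i]);
    printf("\n");
    return 0;
}
```

A non-zero `removed` count in a build or start-up check indicates that the configured list still carried EXPORT suites and should be corrected at the source.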
Digi currently considers the threat to the NET-OS system to be LOW. This is due to the following facts:
- This attack would have to be done very quickly, as many connections do not stay open for the 12+ hours that (per the references below) it would take to crack this key.
- From here on out, the attacker sees plain text and can inject anything it wants.
Jun 24, 2019