-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Advisory

Advisory:       Multiple Security Issues in Wippien
Release Date:   February 4th, 2010
Last Updated:   February 4th, 2010
Author:         Michael Rossberg [michael dot rossberg at tu-ilmenau dot de]
Application:    Wippien (for Windows and Linux)
                MiniVPN
Severity:       Flawed key negotiation protocol allows for easy
                man-in-the-middle attacks
                Predictable key materials
Risk:           Critical
Vendor Status:  Contacted
References:     http://wcms1.rz.tu-ilmenau.de/fakia/fileadmin/template/startIA/telematik/Mitarbeiter/rossberg/wippien-advisory.txt


SUMMARY

Wippien is software that can automatically establish a VPN between Jabber
contacts. To derive a session key for the encryption routines, Wippien uses
a cryptographic key exchange, which is in the open source part of the
software. Our analysis of some of its components showed that the RSA
fingerprints are not validated and the freshness of the exchange is not
assured. Either issue on its own allows simple man-in-the-middle attacks.

The Windows version of Wippien and MiniVPN use an insecure random number
generator to derive key material.

The Linux version of Wippien does not initialize keying material. This
results in uninitialized memory being used to derive the symmetric
encryption key.


AFFECTED SOFTWARE VERSIONS

All recent versions of Wippien for Windows and Linux, including 2.3.2, are
affected.


SEVERITY RATING

Wippien is a VPN component, so confidentiality is the essential property to
be assured. Given the simplicity of the potential attacks, the potential
risk is high.


DETAILS

1.) Wippien creates a new private/public key pair with every startup. This,
    together with the fact that the fingerprint of the peer's public key is
    not shown to the user, makes it impossible for users to even become
    aware of man-in-the-middle attacks.

2.) During the key exchange, Wippien peers exchange nonces that are
    protected by RSA PKCS#1.
    These nonces are later used to derive a session key by an XOR
    operation:

        // and XOR with ours
        for (int i = 0; i < 16; i++)
            user->m_SharedKey[i] = user->m_MyKey[i] ^ dst[i + 24];

    Thus, if the key exchange is simply replayed to the connecting victim,
    the victim XORs its own key part with itself, which results in a zero
    key. An attacker without a valid key is therefore able to obtain the
    correct key.

3.) The Windows version of Wippien and MiniVPN initialize the key by using
    rand():

        for (int i = 0; i < 16; i++)
            m_MyKey[i] = rand();

    rand() is not a secure source for keying material, and srand() is never
    called to supply a seed. This makes key generation highly predictable.

4.) The Linux version works similarly:

        for (i=0;i<16;i++)
            u->SharedKey[i] = u->MyKey[i] ^ dst[i+24];

    The difference is that MyKey is never initialized, so whatever the
    uninitialized memory happens to contain is used and the derived key is
    highly insecure.


DISCLOSURE TIMELINE

28th January, 2010 - Contact with Wippien developer by email


RECOMMENDATION

We recommend migrating away from Wippien or immediately using an additional
form of cryptographic protection, e.g., SSH and SSL.


GPG KEY

pub 4096R/B105F0C3 Michael Rossberg
Key fingerprint = 8448 88F0 C803 14FD 01AF A819 D2BF 817D B105 F0C3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)

-----END PGP SIGNATURE-----
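
The following is an added example, not part of the advisory and not Wippien code. It reproduces the weaknesses from details 2 to 4 on constructed data and shows the corresponding defensive checks. The function names rand_key_unseeded, os_random_key and checked_derive are hypothetical, and /dev/urandom is assumed to be available.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16

/* Key generation as in detail 3: rand() with no srand(). The C standard
 * defines that as srand(1), so each fresh process gets the same bytes. */
void rand_key_unseeded(uint8_t *key)
{
    srand(1); /* models a new process that never called srand() */
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)rand();
}

/* Replacement key source for details 3 and 4: fill the whole buffer from
 * the OS CSPRNG (assumes a Unix-like /dev/urandom). Returns 0 on success. */
int os_random_key(uint8_t *key)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return got == KEY_LEN ? 0 : -1;
}

/* XOR derivation from detail 2 plus a reflection check: the result is all
 * zero exactly when our own part came back to us. Returns 0, or -1 if so. */
int checked_derive(uint8_t *shared, const uint8_t *mine, const uint8_t *peer)
{
    uint8_t acc = 0;
    for (int i = 0; i < KEY_LEN; i++) {
        shared[i] = mine[i] ^ peer[i];
        acc |= shared[i];
    }
    return acc != 0 ? 0 : -1;
}

int main(void)
{
    uint8_t a[KEY_LEN], b[KEY_LEN], s[KEY_LEN];
    rand_key_unseeded(a);
    rand_key_unseeded(b);
    printf("unseeded rand() keys identical: %d\n", memcmp(a, b, KEY_LEN) == 0);
    printf("reflected exchange rejected:    %d\n", checked_derive(s, a, a) == -1);
    return os_random_key(a);
}
```

Rejecting a reflected contribution and fixing the key source does not authenticate the peer; the unvalidated fingerprints from detail 1 remain a separate problem.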