
Is SecureAuth IdP Impacted by the "FREAK" Vulnerability (CVE-2015-1637)?

Introduction

Microsoft® has released Security Advisory 3046015, which describes the exposure of Microsoft products to the Factoring RSA Export Keys (FREAK) vulnerability. SecureAuth IdP Appliances run on the Windows Server® platform, and SecureAuth has released this technical note to inform customers of any exposure our products might have to the FREAK vulnerability.

Impact on SecureAuth IdP

At this time, SecureAuth IdP customers are not impacted by the FREAK vulnerability. Microsoft does not enable the export ciphers below on Windows Server 2008 R2, 2012, and 2012 R2 by default. With these ciphers inactive, the exploit cannot be used by a bad actor.

  • TLS_RSA_EXPORT_WITH_RC4_40_MD5

  • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

  • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

Warning

For customers using SecureAuth IdP Appliances with the Windows Server 2003 operating system, SecureAuth's default OS hardening process prevents the vulnerability from being exploited.

SecureAuth strongly recommends upgrading appliances to the latest version of the product and Microsoft Windows Server version. The SecureAuth IdP upgrade is free to customers with a current support contract. Contact support.secureauth.com to speak with a support representative about the upgrade process.

Discussion

What is the scope of this document?

The purpose of this document is to notify customers that SecureAuth is aware of a security vulnerability affecting the Schannel mechanism of Windows Server. The vulnerability could allow a man-in-the-middle attack that forces the cipher used in an SSL/TLS connection on a Windows server to be downgraded to a weaker cipher.

How could an attacker exploit the vulnerability?

In a man-in-the-middle attack, the attacker could downgrade an encrypted SSL/TLS session and force client systems to use the weaker RSA export cipher. The attacker could then intercept and decrypt this traffic.

What is the FREAK vulnerability?

The flaw is due to a former U.S. government policy which restricted export of strong encryption and required that weaker "export-grade" products be shipped to customers in other countries. These restrictions were eventually lifted in the latter half of the 1990s; however, the weaker encryption is still present in some software. Researchers recently discovered they could force browsers to use the weaker encryption and exploit its weakness. A bad actor can launch a man-in-the-middle attack and decrypt the protected information between the browser and server using brute-force decryption methods. With advances in processor power and inexpensive clusters (like Amazon Web Services), the "export-grade" encryption can be broken in roughly 7 hours, according to researchers.