[BreachExchange] ALPACA: New TLS Attack Allows User Data Extraction, Code Execution

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jun 10 12:21:04 EDT 2021


https://www.securityweek.com/alpaca-new-tls-attack-allows-user-data-extraction-code-execution

Researchers from three universities in Germany have identified a new TLS
attack method that can allow a man-in-the-middle (MitM) attacker to extract
user data or execute arbitrary code.

The new attack, dubbed ALPACA, has been described as an “application layer
protocol content confusion attack.”

“TLS is widely used to add confidentiality, authenticity and integrity to
application layer protocols such as HTTP, SMTP, IMAP, POP3, and FTP.
However, TLS does not bind a TCP connection to the intended application
layer protocol. This allows a man-in-the-middle attacker to redirect TLS
traffic to a different TLS service endpoint on another IP address and/or
port,” the researchers explained in a paper made public this week.

“For example, if subdomains share a wildcard certificate, an attacker can
redirect traffic from one subdomain to another, resulting in a valid TLS
session. This breaks the authentication of TLS and cross-protocol attack
may be possible where the behavior of one service may compromise the
security of the other at the application layer,” they added.
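The missing binding the researchers describe can be restored at the application layer with strict ALPN: the server advertises only the protocol it actually speaks and refuses any connection that did not negotiate it, which is the countermeasure the ALPACA authors recommend alongside strict SNI checking. The following is an added example written in Go (one of the projects named below as having shipped mitigations), not code from the article or from the ALPACA authors; it assumes a constructed self-signed certificate for the hostname example.test and a loopback listener so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// wantProto is the only application protocol this HTTPS endpoint is meant to serve.
const wantProto = "http/1.1"
// selfSigned builds a throwaway certificate for the demo (constructed, not a real site cert).
func selfSigned() tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"example.test"}, NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// acceptALPN is the server-side guard: a client with no ALPN, or with a different protocol, is refused before any data is read.
func acceptALPN(cs tls.ConnectionState) bool { return cs.NegotiatedProtocol == wantProto }
// handshakeWith runs one loopback handshake and reports whether the guarded server would
// serve a client offering clientProtos (nil models a legacy client that sends no ALPN).
func handshakeWith(clientProtos []string) bool {
	srv := &tls.Config{Certificates: []tls.Certificate{selfSigned()}, NextProtos: []string{wantProto}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	verdict := make(chan bool, 1)
	go func() {
		c, _ := ln.Accept()
		tc, ok := c.(*tls.Conn) // ok is false when Accept failed
		if ok {
			defer tc.Close()
		}
		// A failed handshake (client offered only foreign protocols) is a refusal as well.
		verdict <- ok && tc.Handshake() == nil && acceptALPN(tc.ConnectionState())
	}()
	// InsecureSkipVerify only because the demo certificate is self-signed.
	cli := &tls.Config{ServerName: "example.test", InsecureSkipVerify: true, NextProtos: clientProtos}
	if cc, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil {
		cc.Close()
	}
	return <-verdict
}
```

A redirected non-HTTP client would either send no ALPN or a different identifier, and in both cases the guard refuses the session even though the wildcard certificate validated.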

Since exploitation requires an MitM position — the attacker needs to be
able to intercept and modify the victim’s traffic — attacks over the
internet are not easy to conduct, but the researchers noted that attacks
over a local network are more plausible.

A malicious actor could use the ALPACA attack to extract session cookies
and other user data, as well as to execute arbitrary JavaScript code
through stored and reflected cross-site scripting (XSS) attacks.

The researchers scanned the internet and found 1.4 million web servers
vulnerable to such cross-protocol attacks, including 119,000 that can be
targeted using an exploitable application server.

The attack method was discovered last year and the researchers started
notifying impacted vendors in October 2020. Microsoft and the developers of
products such as Sendmail, Courier, FileZilla, vsftpd, Nginx and the Go
programming language have taken steps to mitigate the risk of attacks.

“Although this vulnerability is very situational and can be challenging to
exploit, there are some configurations that are exploitable even by a pure
web attacker,” the researchers noted. “Furthermore, we could only analyze a
limited number of protocols, and other attack scenarios may exist. Thus, we
advise that administrators review their deployments and that application
developers (client and server) implement countermeasures proactively for
all protocols.”

The researchers have set up a dedicated website for the ALPACA attack,
which contains information on impact, affected vendor responses, comparison
to other attacks, and possible protections.