From e3ead6deb780263db670bafd882fac7e956a773c Mon Sep 17 00:00:00 2001
From: Ryan Parman
Date: Fri, 6 Dec 2024 08:44:29 -0700
Subject: [PATCH] Vulns and classes.
---
 config/_default/taxonomies.toml | 9 ++++--
 content/classes/_index.md | 7 +++++
 content/classes/bit-flipping.md | 23 +++++++++++++++
 ...e-force-against-export-grade-encryption.md | 21 ++++++++++++++
 content/classes/compression-attack.md | 27 +++++++++++++++++
 content/classes/data-leakage.md | 27 +++++++++++++++++
 content/classes/denial-of-service.md | 21 ++++++++++++++
 content/classes/downgrade-attack.md | 29 +++++++++++++++++++
 content/classes/side-channel-attack.md | 23 +++++++++++++++
 content/learning/tls/_index.md | 5 ----
 content/learning/tls/anon.md | 9 ++++++
 content/learning/tls/cbc.md | 2 +-
 content/vulns/beast.md | 4 +--
 content/vulns/breach.md | 4 +--
 content/vulns/cloudbleed.md | 6 ++--
 content/vulns/crime.md | 4 +--
 content/vulns/dheatattack.md | 8 +++--
 content/vulns/drown.md | 4 +--
 content/vulns/freak.md | 4 +--
 content/vulns/heartbleed.md | 4 +--
 content/vulns/heist.md | 4 +--
 content/vulns/logjam.md | 14 ++++-----
 content/vulns/lucky-13.md | 6 ++--
 content/vulns/nomore.md | 4 +--
 content/vulns/poodle.md | 4 +--
 content/vulns/racoon.md | 4 +--
 content/vulns/sweet32.md | 4 +--
 hugo_stats.json | 12 ++++++--
 themes/dst2024 | 2 +-
 29 files changed, 246 insertions(+), 49 deletions(-)
 create mode 100644 content/classes/_index.md
 create mode 100644 content/classes/bit-flipping.md
 create mode 100644 content/classes/brute-force-against-export-grade-encryption.md
 create mode 100644 content/classes/compression-attack.md
 create mode 100644 content/classes/data-leakage.md
 create mode 100644 content/classes/denial-of-service.md
 create mode 100644 content/classes/downgrade-attack.md
 create mode 100644 content/classes/side-channel-attack.md
diff --git a/config/_default/taxonomies.toml b/config/_default/taxonomies.toml
index 6c5eb1c..85fbac6 100644
--- a/config/_default/taxonomies.toml
+++ b/config/_default/taxonomies.toml
@@ -1,3 +1,8 @@
-class = 'class'
+class = 'classes'
 vuln = 'vulns'
-year = 'year'
+year = 'years'
+
+disableKinds = [
+ 'taxonomy',
+ 'term',
+]
diff --git a/content/classes/_index.md b/content/classes/_index.md
new file mode 100644
index 0000000..a5c40d1
--- /dev/null
+++ b/content/classes/_index.md
@@ -0,0 +1,7 @@
+---
+title: Classes of Vulnerabilities
+description:
+layout: list
+---
+
+## By type
diff --git a/content/classes/bit-flipping.md b/content/classes/bit-flipping.md
new file mode 100644
index 0000000..dbf84f3
--- /dev/null
+++ b/content/classes/bit-flipping.md
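Review bot: `disableKinds` is added inside `config/_default/taxonomies.toml`, and as far as I know Hugo nests every key of a file in the config directory under the root key named after the file, so this is probably read as an entry of `taxonomies` rather than as the site-level setting. If so, the taxonomy and term pages are not disabled, and the build may reject the array value; moving `disableKinds = ['taxonomy', 'term']` to the site's root configuration file would make it take effect. Separately, the same hunk changes the plural to `year = 'years'` while the vulns pages in this patch keep `year:` in their front matter. Either rename that key to `years:`, as was done for `classes:`, or confirm the templates read the front-matter key directly.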
@@ -0,0 +1,23 @@
+---
+title: Bit-Flipping Attacks
+description: Cryptographic cipher attack
+layout: class
+
+learn_more:
+ - text: 'What Is A Bit Flipping Attack? How It Works & Examples'
+ url: https://www.twingate.com/blog/glossary/bit-flipping-attack
+ source: Twingate
+
+---
+
+## Overview
+
+From [Wikipedia]:
+
+> A bit-flipping attack is an attack on a cryptographic cipher in which the attacker can change the ciphertext in such a way as to result in a predictable change of the plaintext, although the attacker is not able to learn the plaintext itself. Note that this type of attack is not—directly—against the cipher itself (as cryptanalysis of it would be), but against a particular message or series of messages. In the extreme, this could become a Denial of service attack against all messages on a particular channel using that cipher.
+>
+> The attack is especially dangerous when the attacker knows the format of the message. In such a situation, the attacker can turn it into a similar message but one in which some important information is altered. For example, a change in the destination address might alter the message route in a way that will force re-encryption with a weaker cipher, thus possibly making it easier for an attacker to decipher the message.
+>
+> When applied to digital signatures, the attacker might be able to change a promissory note stating "I owe you $10.00" into one stating "I owe you $10,000".
+
+[Wikipedia]: https://en.wikipedia.org/wiki/Bit-flipping_attack
diff --git a/content/classes/brute-force-against-export-grade-encryption.md b/content/classes/brute-force-against-export-grade-encryption.md
new file mode 100644
index 0000000..c0698ff
--- /dev/null
+++ b/content/classes/brute-force-against-export-grade-encryption.md
@@ -0,0 +1,21 @@
+---
+title: Brute Force against Export-Grade Encryption
+description: Encryption can be broken in a matter of days using a single computer
+layout: class
+
+# learn_more:
+# - text: 'What Is A Bit Flipping Attack? How It Works & Examples'
+# url: https://www.twingate.com/blog/glossary/bit-flipping-attack
+# source: Twingate
+
+---
+
+## Overview
+
+From [Wikipedia]:
+
+> Netscape's SSL technology was widely adopted as a method for protecting credit card transactions using public key cryptography. Netscape developed two versions of its web browser. The "U.S. edition" supported full size (typically 1024-bit or larger) RSA public keys in combination with full size symmetric keys (secret keys) (128-bit RC4 or 3DES in SSL 3.0 and TLS 1.0).
+>
+> The "International Edition" had its effective key lengths reduced to 512 bits and 40 bits respectively (RSA_EXPORT with 40-bit RC2 or RC4 in SSL 3.0 and TLS 1.0). Acquiring the 'U.S. domestic' version turned out to be sufficient hassle that most computer users, even in the U.S., ended up with the 'International' version, whose weak 40-bit encryption can currently be broken in a matter of days using a single computer. A similar situation occurred with Lotus Notes for the same reasons.
+
+[Wikipedia]: https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States
diff --git a/content/classes/compression-attack.md b/content/classes/compression-attack.md
new file mode 100644
index 0000000..fe29698
--- /dev/null
+++ b/content/classes/compression-attack.md
@@ -0,0 +1,27 @@
+---
+title: Compression Attack
+description: Attacker can know whether the page contains data by observing the encrypted stream
+layout: class
+
+learn_more:
+ - text: 'What Are Compression Side Channel Attacks?'
+ url: https://venafi.com/blog/what-are-compression-side-channel-attacks/
+ source: Venafi
+
+ - text: 'How are websites actually mititating BREACH? (HTTPS + compression)'
+ url: https://security.stackexchange.com/questions/222677/how-are-websites-actually-mititating-breach-https-compression
+ source: Stack Exchange
+
+ - text: 'The VORACLE attack vulnerability'
+ url: https://openvpn.net/security-advisory/the-voracle-attack-vulnerability/
+ source: OpenVPN
+
+---
+
+## Overview
+
+From [Wikipedia]:
+
+> Compression allows a form of chosen plaintext attack to be performed: if an attacker can inject any chosen content into the page, they can know whether the page contains their given content by observing the size increase of the encrypted stream. If the increase is smaller than expected for random injections, it means that the compressor has found a repeat in the text, i.e. the injected content overlaps the secret information. This is the idea behind CRIME.
+
+[Wikipedia]: https://en.wikipedia.org/wiki/HTTP_compression#Security_implications
diff --git a/content/classes/data-leakage.md b/content/classes/data-leakage.md
new file mode 100644
index 0000000..bbfef87
--- /dev/null
+++ b/content/classes/data-leakage.md
@@ -0,0 +1,27 @@
+---
+title: Data Leakage
+description: Software bugs which expose sensitive data
+layout: class
+
+learn_more:
+ - text: 'Data Leakage'
+ url: https://www.rapid7.com/fundamentals/what-is-data-leakage/
+ source: Rapid7
+
+ - text: 'What is data leakage?'
+ url: https://www.ibm.com/think/topics/data-leakage
+ source: IBM
+
+ - text: 'What is data leakage?'
+ url: https://www.crowdstrike.com/en-us/cybersecurity-101/data-protection/data-leakage/
+ source: CrowdStrike
+
+---
+
+## Overview
+
+From [Wikipedia]:
+
+> Despite developers' goal of delivering a product that works entirely as intended, virtually all software and hardware contains bugs. If a bug creates a security risk, it is called a vulnerability. Patches are often released to fix identified vulnerabilities, but those that remain unknown (zero days) as well as those that have not been patched are still liable for exploitation. Both software written by the target of the breach and third party software used by them are vulnerable to attack. The software vendor is rarely legally liable for the cost of breaches, thus creating an incentive to make cheaper but less secure software.
+
+[Wikipedia]: https://en.wikipedia.org/wiki/Data_breach
diff --git a/content/classes/denial-of-service.md b/content/classes/denial-of-service.md
new file mode 100644
index 0000000..148d6aa
--- /dev/null
+++ b/content/classes/denial-of-service.md
@@ -0,0 +1,21 @@
+---
+title: Denial of Service
+description: Overloading a machine by flooding it with requests
+layout: class
+
+# learn_more:
+# - text: 'What Is A Bit Flipping Attack? How It Works & Examples'
+# url: https://www.twingate.com/blog/glossary/bit-flipping-attack
+# source: Twingate
+
+---
+
+## Overview
+
+From [Wikipedia]:
+
+> A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network.
+>
+> Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. The range of attacks varies widely, spanning from inundating a server with millions of requests to slow its performance, overwhelming a server with a substantial amount of invalid data, to submitting requests with an illegitimate IP address.
+
+[Wikipedia]: https://en.wikipedia.org/wiki/Denial-of-service_attack
diff --git a/content/classes/downgrade-attack.md b/content/classes/downgrade-attack.md
new file mode 100644
index 0000000..4a443ce
--- /dev/null
+++ b/content/classes/downgrade-attack.md
@@ -0,0 +1,29 @@
+---
+title: Downgrade Attack
+description: Cryptographic attack which abandons a high-quality mode in favor of a lower-quality mode
+layout: class
+
+learn_more:
+ - text: 'What are downgrade attacks?'
+ url: https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/downgrade-attack/
+ source: CrowdStrike
+
+ - text: 'Downgrade Attacks: What They Are, How to Prevent Them'
+ url: https://venafi.com/blog/preventing-downgrade-attacks/
+ source: Venafi
+
+ - text: 'What Is A Protocol Downgrade Attack? How It Works and Examples'
+ url: https://www.twingate.com/blog/glossary/protocol%20downgrade%20attack
+ source: Twingate
+
+---
+
+## Overview
+
+From [Wikipedia]:
+
+> A downgrade attack is a form of cryptographic attack on a computer system or communications protocol that makes it abandon a high-quality mode of operation (e.g., an encrypted connection) in favor of an older, lower-quality mode of operation (e.g., cleartext) that is typically provided for backward compatibility with older systems.
+>
+> An example of such a flaw was found in OpenSSL that allowed the attacker to negotiate the use of a lower version of TLS between the client and server. This is one of the most common types of downgrade attacks. Opportunistic encryption protocols such as STARTTLS are generally vulnerable to downgrade attacks, as they, by design, fall back to unencrypted communication. Websites which rely on redirects from unencrypted HTTP to encrypted HTTPS can also be vulnerable to downgrade attacks, as the initial redirect is not protected by encryption.
+
+[Wikipedia]: https://en.wikipedia.org/wiki/Downgrade_attack
diff --git a/content/classes/side-channel-attack.md b/content/classes/side-channel-attack.md
new file mode 100644
index 0000000..eb66a44
--- /dev/null
+++ b/content/classes/side-channel-attack.md
@@ -0,0 +1,23 @@ +--- +title: Side-Channel Attack +description: Timing information, power consumption, electromagnetic leaks, and sound +layout: class + +learn_more: + - text: 'Side-Channel Attack' + url: https://csrc.nist.gov/glossary/term/side_channel_attack + source: NIST + + - text: 'What is a Side-Channel Attack? How It Works and Examples' + url: https://www.twingate.com/blog/glossary/side-channel%20attack + source: Twingate + +--- + +## Overview + +From [Wikipedia]: + +> A side-channel attack is any attack based on extra information that can be gathered because of the fundamental way a computer protocol or algorithm is implemented, rather than flaws in the design of the protocol or algorithm itself (e.g., flaws found in a cryptanalysis of a cryptographic algorithm) or minor, but potentially devastating, mistakes or oversights in the implementation. (Cryptanalysis also includes searching for side-channel attacks.) Timing information, power consumption, electromagnetic leaks, and sound are examples of extra information which could be exploited to facilitate side-channel attacks. + +[Wikipedia]: https://en.wikipedia.org/wiki/Side-channel_attack diff --git a/content/learning/tls/_index.md b/content/learning/tls/_index.md index ed13def..e08849f 100644 --- a/content/learning/tls/_index.md +++ b/content/learning/tls/_index.md @@ -46,10 +46,5 @@ If any one part of a cipher suite has an issue, it can compromise the integrity Security vulnerabilities can impact _classes_ of cipher suites. -[depr-sslv2]: https://datatracker.ietf.org/doc/html/rfc6176 -[depr-sslv3]: https://datatracker.ietf.org/doc/html/rfc7568 -[SSLv3]: https://datatracker.ietf.org/doc/html/rfc6101 -[TLS 1.0]: https://datatracker.ietf.org/doc/html/rfc2246 -[TLS 1.1]: https://datatracker.ietf.org/doc/html/rfc4346 [TLS 1.2]: https://datatracker.ietf.org/doc/html/rfc5246 [TLS 1.3]: https://datatracker.ietf.org/doc/html/rfc8446 
diff --git a/content/learning/tls/anon.md b/content/learning/tls/anon.md index aacff0d..16a65a5 100644 --- a/content/learning/tls/anon.md +++ b/content/learning/tls/anon.md @@ -3,6 +3,15 @@ title: Anonymous Key Exchanges # description: layout: learn-single +learn_more: + - text: 'Key-agreement protocol' + url: https://en.wikipedia.org/wiki/Key-agreement_protocol + source: Wikipedia + + # - text: '' + # url: + # source: + --- ## Summary diff --git a/content/learning/tls/cbc.md b/content/learning/tls/cbc.md index b815da5..723377e 100644 --- a/content/learning/tls/cbc.md +++ b/content/learning/tls/cbc.md @@ -16,4 +16,4 @@ The [CBC] encryption algorithm suffers from a handful of vulnerabilites, namely Any cipher suite with `CBC` in the name should be avoided. -[CBC]: https://en.wikipedia.org/w/index.php?title=Block_cipher_mode_of_operation#CBC +[CBC]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_block_chaining_(CBC) diff --git a/content/vulns/beast.md b/content/vulns/beast.md index 795a18f..89bb2ec 100644 --- a/content/vulns/beast.md +++ b/content/vulns/beast.md @@ -1,10 +1,10 @@ --- title: BEAST description: Browser Exploit Against SSL/TLS -layout: term +layout: vuln year: 2011 -class: +classes: - Data leakage learn_more: diff --git a/content/vulns/breach.md b/content/vulns/breach.md index fc0dca1..754a6b3 100644 --- a/content/vulns/breach.md +++ b/content/vulns/breach.md @@ -1,10 +1,10 @@ --- title: BREACH description: Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext -layout: term +layout: vuln year: 2013 -class: +classes: - Compression attack learn_more: diff --git a/content/vulns/cloudbleed.md b/content/vulns/cloudbleed.md index 73425f8..3654850 100644 --- a/content/vulns/cloudbleed.md +++ b/content/vulns/cloudbleed.md 
@@ -1,10 +1,10 @@ --- title: Cloudbleed -description: '@TODO' -layout: term +description: Vulnerability in Cloudflare’s HTML parser +layout: vuln year: 2017 -class: +classes: - Data leakage learn_more: diff --git a/content/vulns/crime.md b/content/vulns/crime.md index f6e1a46..0153af9 100644 --- a/content/vulns/crime.md +++ b/content/vulns/crime.md @@ -1,10 +1,10 @@ --- title: CRIME description: Compression Ratio Info-leak Made Easy -layout: term +layout: vuln year: 2012 -class: +classes: - Compression attack learn_more: diff --git a/content/vulns/dheatattack.md b/content/vulns/dheatattack.md index e21d9df..178d9b2 100644 --- a/content/vulns/dheatattack.md +++ b/content/vulns/dheatattack.md @@ -1,12 +1,12 @@ --- title: DHEat Attack description: Triggering Diffie-Hellman to eat the CPU -layout: term +layout: vuln year: - 2002 - - 2022 (PoC) -class: + - 2022 +classes: - Denial-of-service learn_more: @@ -25,6 +25,8 @@ learn_more: The [DHEat Attack] is a denial-of-service vulnerability targeting the Diffie-Hellman key exchange (DHE) algorithm, exploiting its CPU-intensive operations to overload servers using protocols like TLS, SSH, IPsec, and OpenVPN. +While the bug was identified in 2002, a proof-of-concept was created in 2022. + It impacts systems with DHE enabled for backward compatibility or forward secrecy. Its unauthenticated, low-cost exploitability make this a notable vulnerability. While the protocol flaw is unfixable, mitigation includes disabling DHE in favor of ECDHE, applying rate-limiting techniques, and updating server configurations. The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with recommended cipher suites) and TLS 1.3. diff --git a/content/vulns/drown.md b/content/vulns/drown.md index 7c53df7..c3741fe 100644 --- a/content/vulns/drown.md +++ b/content/vulns/drown.md 
@@ -1,10 +1,10 @@ --- title: DROWN description: Decrypting RSA with Obsolete and Weakened eNcryption -layout: term +layout: vuln year: 2016 -class: +classes: - Downgrade attack - Brute force against export-grade encryption diff --git a/content/vulns/freak.md b/content/vulns/freak.md index 67b7a7c..52f3bfb 100644 --- a/content/vulns/freak.md +++ b/content/vulns/freak.md @@ -1,10 +1,10 @@ --- title: FREAK description: Factoring RSA Export Keys -layout: term +layout: vuln year: 2015 -class: +classes: - Downgrade attack - Brute force against export-grade encryption diff --git a/content/vulns/heartbleed.md b/content/vulns/heartbleed.md index 05fa4ce..89842b7 100644 --- a/content/vulns/heartbleed.md +++ b/content/vulns/heartbleed.md @@ -1,10 +1,10 @@ --- title: Heartbleed description: Vulnerability in OpenSSL’s implementation of the TLS/DTLS heartbeat extension -layout: term +layout: vuln year: 2014 -class: +classes: - Data leakage learn_more: diff --git a/content/vulns/heist.md b/content/vulns/heist.md index 4bbf874..9d97174 100644 --- a/content/vulns/heist.md +++ b/content/vulns/heist.md @@ -1,10 +1,10 @@ --- title: HEIST description: HTTP Encrypted Information can be Stolen through TCP-windows -layout: term +layout: vuln year: 2016 -class: +classes: - Compression attack - Side-channel attack diff --git a/content/vulns/logjam.md b/content/vulns/logjam.md index 1c2d5f6..bd82b9e 100644 --- a/content/vulns/logjam.md +++ b/content/vulns/logjam.md @@ -1,10 +1,10 @@ --- title: Logjam -description: -layout: term +description: Vulnerability with Diffie-Hellman and export-grade cryptography +layout: vuln year: 2015 -class: +classes: - Downgrade attack - Brute force against export-grade encryption 
@@ -15,14 +15,14 @@ learn_more: - text: 'NSA in P/poly: The Power of Precomputation' url: https://scottaaronson.blog/?p=2293 - - text: 'CVE-2015-4000' - url: https://nvd.nist.gov/vuln/detail/CVE-2015-4000 - source: NIST - - text: 'Logjam: the latest TLS vulnerability explained' url: https://blog.cloudflare.com/logjam-the-latest-tls-vulnerability-explained/ source: Cloudflare + - text: 'CVE-2015-4000' + url: https://nvd.nist.gov/vuln/detail/CVE-2015-4000 + source: NIST + --- ## Overview diff --git a/content/vulns/lucky-13.md b/content/vulns/lucky-13.md index b071a3c..bc0d437 100644 --- a/content/vulns/lucky-13.md +++ b/content/vulns/lucky-13.md @@ -1,10 +1,10 @@ --- title: Lucky 13 -description: 5 bytes of TLS header plus 8 bytes of TLS sequence number makes this attack possible. -layout: term +description: 5 bytes of TLS header plus 8 bytes of TLS sequence number makes this attack possible +layout: vuln year: 2013 -class: +classes: - Side-channel attack learn_more: diff --git a/content/vulns/nomore.md b/content/vulns/nomore.md index 02d346e..b5f00f2 100644 --- a/content/vulns/nomore.md +++ b/content/vulns/nomore.md @@ -1,10 +1,10 @@ --- title: RC4 NOMORE description: Numerous Occurrence MOnitoring and Recovery Exploit -layout: term +layout: vuln year: 2015 -class: +classes: - Bit-flipping learn_more: diff --git a/content/vulns/poodle.md b/content/vulns/poodle.md index 57b0d0f..d1a2d61 100644 --- a/content/vulns/poodle.md +++ b/content/vulns/poodle.md @@ -1,10 +1,10 @@ --- title: POODLE description: Padding Oracle On Downgraded Legacy Encryption -layout: term +layout: vuln year: 2014 -class: +classes: - Downgrade attack learn_more: diff --git a/content/vulns/racoon.md b/content/vulns/racoon.md index 3b1397a..69a379f 100644 --- a/content/vulns/racoon.md +++ b/content/vulns/racoon.md 
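Review bot: The `Bit-flipping` term kept under the renamed `classes:` key in content/vulns/nomore.md presumably now resolves to the bit-flipping class page added in this patch, and that class looks wrong for RC4 NOMORE. The class page describes an attacker altering ciphertext to change the plaintext predictably, whereas RC4 NOMORE is, to my knowledge, a plaintext-recovery attack built on statistical biases in the RC4 keystream. content/vulns/sweet32.md has the same kind of mismatch: its own description reads "Birthday attacks on 64-bit block ciphers in TLS and OpenVPN" while its class stays `Brute force against export-grade encryption`. Since the class pages are presumably where a reader learns what kind of weakness to mitigate, consider adding a keystream-bias class and a birthday-bound (collision) class and pointing these two pages at them. The front matter of both files continues outside the hunks shown.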
@@ -1,10 +1,10 @@ --- title: Racoon description: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E) -layout: term +layout: vuln year: 2020 -class: +classes: - Side-channel attack learn_more: diff --git a/content/vulns/sweet32.md b/content/vulns/sweet32.md index 89a5f9b..165ed67 100644 --- a/content/vulns/sweet32.md +++ b/content/vulns/sweet32.md @@ -1,10 +1,10 @@ --- title: Sweet32 description: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN -layout: term +layout: vuln year: 2016 -class: +classes: - Brute force against export-grade encryption learn_more: diff --git a/hugo_stats.json b/hugo_stats.json index 52fa7a0..c24ea05 100644 --- a/hugo_stats.json +++ b/hugo_stats.json @@ -2,6 +2,7 @@ "htmlElements": { "tags": [ "a", + "blockquote", "body", "br", "button", @@ -30,7 +31,6 @@ "p", "path", "picture", - "pre", "script", "source", "span", @@ -62,6 +62,7 @@ "bg-white", "block", "border-t-2", + "col-span-1", "dark:bg-[#171e21]", "dark:bg-black", "dark:bg-gray-950", @@ -97,6 +98,7 @@ "font-medium", "font-normal", "font-semibold", + "gap-4", "gap-x-12", "gap-x-2", "gap-y-3", @@ -121,16 +123,20 @@ "leading-6", "leading-tight", "lg:-mx-8", + "lg:col-span-3", "lg:flex", "lg:gap-x-10", + "lg:grid-cols-4", "lg:px-8", "max-w-2xl", "max-w-7xl", "md:block", + "md:col-span-1", "md:col-span-2", "md:divide-x", "md:divide-y-0", "md:gap-x-6", + "md:grid-cols-1", "md:grid-cols-3", "md:hidden", "md:ml-6", @@ -240,6 +246,7 @@ "b", "brief-descriptions-of-http", "by-name", + "by-type", "c", "devsec-tools", "footer-heading", @@ -257,7 +264,8 @@ "summary", "tls-12-with-_forward-secrecy_", "tls-13", - "tmpl-single" + "tmpl-single", + "vulnerabilities-of-this-type" ] } } diff --git a/themes/dst2024 b/themes/dst2024 index c9859d0..ff04ebc 160000 --- a/themes/dst2024 +++ b/themes/dst2024 @@ -1 +1 @@ -Subproject commit c9859d0cd0a1ccb0af4450cfb04b7768df4ef831 +Subproject commit ff04ebc17b336fd244cb8ea5316a766528348d97