Bug 1187678 (CVE-2021-3618) - VUL-0: CVE-2021-3618: ALPACA Attack Tracker
Summary: VUL-0: CVE-2021-3618: ALPACA Attack Tracker
Status: RESOLVED FIXED
Alias: CVE-2021-3618
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/302848/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3618:7.4:(AV:N...
Keywords:
Depends on: 1187680 1187683 1187685 1187686 1187688
Blocks:
Reported: 2021-06-24 10:05 UTC by Gianluca Gabrielli
Modified: 2024-05-23 15:37 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2021-06-24 10:05:24 UTC
=========================================
| This issue is meant to track software |
| that is mitigating the ALPACA attack  |
=========================================

 * What is ALPACA?

ALPACA is an application layer protocol content confusion attack, exploiting
TLS servers implementing different protocols but using compatible certificates,
such as multi-domain or wildcard certificates. Attackers can redirect traffic
from one subdomain to another, resulting in a valid TLS session. This breaks
the authentication of TLS and cross-protocol attacks may be possible where the
behavior of one protocol service may compromise the other at the application
layer.

 * Why does TLS not protect the TCP connection endpoints?

The ALPACA attack is only possible because TLS does not protect the source or
destination IP and port address of the TCP connection. As is stated in the TLS
RFC, TLS is application layer independent. However, this gap in protection
gives the attacker the flexibility to redirect traffic from one server to
another. If the presented certificate of the substitute server is compatible
with that of the intended server, the general content confusion attack is
possible (although it depends on the server and client behavior if it can
actually be exploited).

 * How practical is the attack?

Most attacks require an active Man-in-the-Middle attacker, that means some way
for an attacker to intercept and modify the data sent from the victim’s
browser to the web server. This is difficult on the Internet, but can be a
plausible attacker model on the local network. Also, some attack variations do
not require a Man-in-the-Browser, and thus are more dangerous. In particular,
if you are still using Internet Explorer, we recommend you update to the latest
version from June 8th, 2021.

 * How have vendors responded to this vulnerability?

Many vendors have updated their application servers to remove exploitation
vectors or add countermeasures in the application layer and/or TLS
implementation. TLS library maintainers have reviewed the ALPN and SNI
implementations and updated their code and documentation to allow easy
implementation of countermeasures by developers. To prevent the attacks in the
pure browser attacker model, browser vendors have blocked more standard
application ports and disabled content-sniffing in more scenarios.


More information can be found on the official website [0] or from the official
whitepaper [1].

[0] https://alpaca-attack.com
[1] https://alpaca-attack.com/ALPACA.pdf
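The ALPN and SNI countermeasures the description refers to, as an added illustration that is not part of this bug report or of any SUSE package: a minimal parser for the SNI and ALPN extensions of a TLS ClientHello, plus the strict-SNI / strict-ALPN acceptance rule a service such as an FTPS server can apply before continuing the handshake. The expected host name and protocol are assumed configuration values, and the ClientHello bytes are constructed inside the block rather than captured.

```python
import struct
EXT_SNI, EXT_ALPN = 0, 16   # extension types: server_name (RFC 6066), ALPN (RFC 7301)

def parse_client_hello(body: bytes) -> dict:
    """Return {'sni': host or None, 'alpn': [names] or None} from a ClientHello body."""
    pos = 35 + body[34]                                  # legacy_version(2) + random(32) + session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]    # cipher_suites
    pos += 1 + body[pos]                                 # compression_methods
    out = {"sni": None, "alpn": None}
    if pos >= len(body):
        return out                                       # legacy hello without an extensions block
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == EXT_SNI:                             # u16 list len, then (u8 type, u16 len, name)
            p = 2
            while p + 3 <= len(data):
                nlen = struct.unpack_from("!H", data, p + 1)[0]
                if data[p] == 0 and out["sni"] is None:  # name_type 0 = host_name
                    out["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == EXT_ALPN:                          # u16 list len, then (u8 len, name)
            out["alpn"], p = [], 2
            while p < len(data):
                out["alpn"].append(data[p + 1:p + 1 + data[p]].decode("ascii"))
                p += 1 + data[p]
    return out

def strict_accept(body: bytes, expected_host: str, expected_alpn: str) -> tuple:
    """Strict SNI + strict ALPN: refuse a ClientHello aimed at another host or protocol."""
    ch = parse_client_hello(body)
    if ch["sni"] is not None and ch["sni"].lower() != expected_host.lower():
        return False, "sni mismatch: " + ch["sni"]
    if ch["alpn"] is not None and expected_alpn not in ch["alpn"]:
        return False, "alpn mismatch: " + ",".join(ch["alpn"])
    return True, "ok"   # absent extensions are tolerated here for legacy clients (assumed policy)

def build_client_hello(sni=None, alpn=None) -> bytes:
    """Constructed ClientHello body for testing (not a captured message)."""
    exts = b""
    if sni is not None:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode("ascii")
        exts += struct.pack("!HHH", EXT_SNI, len(entry) + 2, len(entry)) + entry
    if alpn is not None:
        lst = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        exts += struct.pack("!HHH", EXT_ALPN, len(lst) + 2, len(lst)) + lst
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"  # version, random, sid, one suite, null compression
            + struct.pack("!H", len(exts)) + exts)
```

A hello redirected from the HTTPS host of the same wildcard certificate is rejected on the SNI check, and a browser hello that only offers HTTP protocols is rejected on the ALPN check, before any application data is exchanged.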
Comment 1 Swamp Workflow Management 2022-09-20 16:20:24 UTC
SUSE-SU-2022:3320-1: An update that solves one vulnerability, contains one feature and has four fixes is now available.

Category: security (important)
Bug References: 1021387,1052900,1187678,1187686,786024
CVE References: CVE-2021-3618
JIRA References: PM-3322
Sources used:
openSUSE Leap 15.4 (src):    vsftpd-3.0.5-150400.3.3.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    vsftpd-3.0.5-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 2 Swamp Workflow Management 2022-09-26 16:22:38 UTC
SUSE-SU-2022:3383-1: An update that solves one vulnerability, contains one feature and has four fixes is now available.

Category: security (important)
Bug References: 1021387,1052900,1187678,1187686,786024
CVE References: CVE-2021-3618
JIRA References: PM-3322
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    vsftpd-3.0.5-47.7.1

Comment 3 Swamp Workflow Management 2022-09-28 19:21:26 UTC
SUSE-SU-2022:3457-1: An update that solves one vulnerability, contains two features and has 6 fixes is now available.

Category: security (important)
Bug References: 1021387,1052900,1181400,1187678,1187686,786024,971784
CVE References: CVE-2021-3618
JIRA References: PM-3322,SLE-23896
Sources used:
openSUSE Leap 15.3 (src):    vsftpd-3.0.5-150200.12.9.1
SUSE Manager Server 4.1 (src):    vsftpd-3.0.5-150200.12.9.1
SUSE Manager Retail Branch Server 4.1 (src):    vsftpd-3.0.5-150200.12.9.1
SUSE Manager Proxy 4.1 (src):    vsftpd-3.0.5-150200.12.9.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    vsftpd-3.0.5-150200.12.9.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    vsftpd-3.0.5-150200.12.9.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    vsftpd-3.0.5-150200.12.9.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    vsftpd-3.0.5-150200.12.9.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    vsftpd-3.0.5-150200.12.9.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    vsftpd-3.0.5-150200.12.9.1
SUSE Enterprise Storage 7 (src):    vsftpd-3.0.5-150200.12.9.1

Comment 4 Swamp Workflow Management 2022-09-28 19:23:03 UTC
SUSE-SU-2022:3458-1: An update that solves one vulnerability, contains two features and has 6 fixes is now available.

Category: security (important)
Bug References: 1021387,1052900,1181400,1187678,1187686,786024,971784
CVE References: CVE-2021-3618
JIRA References: PM-3322,SLE-23895
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise Server for SAP 15 (src):    vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise Server 15-LTSS (src):    vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    vsftpd-3.0.5-150000.7.19.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    vsftpd-3.0.5-150000.7.19.1
SUSE Enterprise Storage 6 (src):    vsftpd-3.0.5-150000.7.19.1
SUSE CaaS Platform 4.0 (src):    vsftpd-3.0.5-150000.7.19.1

Comment 5 Swamp Workflow Management 2022-11-07 17:20:34 UTC
SUSE-SU-2022:3888-1: An update that solves one vulnerability, contains one feature and has four fixes is now available.

Category: security (important)
Bug References: 1021387,1052900,1187678,1187686,786024
CVE References: CVE-2021-3618
JIRA References: PM-3322
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    vsftpd-3.0.5-51.1

Comment 6 Andrea Mattiazzo 2024-05-23 15:37:01 UTC
All done, closing.