On Tuesday, March 3, 2015, researchers announced a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. This site is dedicated to tracking the impact of the attack and helping users test whether they are vulnerable.
FREAK was discovered by Karthikeyan Bhargavan at INRIA in Paris and the mitLS team. They found that OpenSSL (versions prior to 1.0.1k) and Apple TLS/SSL clients are vulnerable to man-in-the-middle (MITM) attacks. Once attackers are able to intercept the HTTPS communication between vulnerable clients and servers, they force the connection to use the old export-grade encryption.
Attackers who “listen” in on the communication will then be able to decrypt the information with relative ease.
Apple’s SecureTransport is used by applications running on iOS and OS X. These include Safari for iPhones, iPads, and Macs. Meanwhile, OpenSSL is used by Android browsers and other application packages. From our understanding, the attack is possible only if the OpenSSL version is vulnerable to CVE-2015-0204.
OpenSSL has provided a patch for CVE-2015-0204 in January. Apple is reportedly deploying a patch for both mobile devices and computers.
Trend Micro recommends Android users to refrain from using the default Android browser in their devices. Instead, customers are advised to use Google Chrome app as it is not affected by the bug. Furthermore, connections to the Google search site are not affected.
Trend Micro has some solutions that already provide protection against this vulnerability:
- Trend Micro Deep Security protects users from this vulnerability through the following DPI rule:
OpenSSL RSA Downgrade Vulnerability (CVE-2015-0204)
- For Servers: Deep Packet Inspection (DPI) Rules 1006561 and 1006562
- For Clients: Deep Packet Inspection (DPI) Rule 1006485
- Deep Security rule DSRU15-008
- Businesses running websites and other server applications using export grade ciphers should upgrade their systems and upgrade to the latest OpenSSL.
Trend Micro is currently investigating all products known to use this version of OpenSSL and will update the list of products affected as they become available. Customers and partners who may need additional information or have questions are encouraged to contact their authorized Trend Micro representatives.
Products that are not affected:
|Deep Discovery Analyzer|
|Deep Discovery Email Inspector|
|Interscan Messaging Security Virtual Appliance|
|Interscan Web Security Suite|
|Interscan Web Security Virtual Appliance|
|Trend Micro Mobile Security for Enterprise|
|Trend Micro Security for Mac|
|Trend Micro Smart Protection Server|
|Worry Free Business Security Services|