CVE-2020-12872 Overview
CVE-2020-12872 is a cryptographic vulnerability affecting Yaws, a high-performance HTTP web server written in Erlang. The vulnerability exists in yaws_config.erl, which loads obsolete TLS ciphers when running on Erlang/OTP virtual machines with versions prior to 21.0. These deprecated ciphers are susceptible to the Sweet32 birthday attack, potentially allowing attackers to decrypt sensitive session data through prolonged traffic analysis.
Critical Impact
Systems running Yaws through version 2.0.2 or 2.0.7 on older Erlang/OTP runtimes (below 21.0) may expose encrypted communications to cryptographic attacks, allowing potential recovery of plaintext data from TLS-protected sessions.
Affected Products
- Yaws web server through version 2.0.2
- Yaws web server through version 2.0.7
- Systems running on Erlang/OTP virtual machines with versions less than 21.0
Discovery Timeline
- 2020-05-15 - CVE-2020-12872 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-12872
Vulnerability Analysis
The vulnerability stems from improper cryptographic cipher selection in the Yaws configuration module. When Yaws runs on Erlang/OTP versions prior to 21.0, the yaws_config.erl file loads a default set of TLS ciphers that includes obsolete 64-bit block ciphers such as 3DES (Triple DES). These ciphers are vulnerable to the Sweet32 attack, a birthday attack that exploits the limited block size to recover plaintext from encrypted communications.
The Sweet32 attack becomes practical when an attacker can capture approximately 32GB of encrypted traffic using the same session key. While this requires significant traffic capture, long-lived HTTPS connections and persistent TLS sessions make this attack feasible in real-world scenarios, particularly for high-traffic web applications.
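The 32GB figure follows from the birthday bound on a 64-bit block: 2^32 blocks of 8 bytes each. The Python below is an added example, not code from Yaws or from the original advisory; it computes the collision probability for a given data volume and block size and, going slightly beyond the text, the per-key data budget for a chosen risk threshold (function names and the 1e-6 threshold are illustrative assumptions).

```python
import math

def collision_probability(data_bytes, block_bits):
    """Chance of at least one ciphertext-block collision under a single key.

    Birthday approximation: p ~= 1 - exp(-n(n-1) / 2^(b+1)) for n blocks of b bits.
    """
    blocks = data_bytes / (block_bits // 8)
    # expm1 keeps precision when the probability is extremely small (128-bit blocks).
    return -math.expm1(-blocks * (blocks - 1) / 2 ** (block_bits + 1))

def max_bytes_per_key(target_p, block_bits):
    """Largest data volume under one key that keeps the collision chance <= target_p."""
    blocks = math.sqrt(-(2 ** (block_bits + 1)) * math.log1p(-target_p))
    return int(blocks) * (block_bits // 8)

THIRTY_TWO_GIB = 32 * 2 ** 30  # 2^32 blocks of 8 bytes, the volume cited above

if __name__ == "__main__":
    for bits, name in ((64, "3DES (64-bit block)"), (128, "AES (128-bit block)")):
        p = collision_probability(THIRTY_TWO_GIB, bits)
        print(f"{name}: P(collision after 32 GiB) = {p:.3g}")
    budget = max_bytes_per_key(1e-6, 64)  # assumed risk threshold
    print(f"64-bit block, P <= 1e-6: rekey after {budget / 2**20:.1f} MiB")
```

At the same traffic volume a 128-bit block cipher has a negligible collision probability, which is why the workarounds focus on removing 64-bit block ciphers rather than only shortening sessions.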
Root Cause
The root cause is classified as CWE-326: Inadequate Encryption Strength. The yaws_config.erl module does not filter out weak cipher suites when initializing TLS configurations on older Erlang/OTP runtimes. The vulnerable code, located around lines 2068-2075 of that file, includes deprecated ciphers in the default cipher list without accounting for the security implications of 64-bit block ciphers.
Erlang/OTP versions 21.0 and later addressed this by updating their default cipher suites, but Yaws versions through 2.0.2/2.0.7 do not account for this discrepancy when running on older runtime versions.
Attack Vector
The attack requires local access to capture encrypted network traffic. An attacker with the ability to intercept TLS-encrypted communications between clients and a vulnerable Yaws server can accumulate sufficient ciphertext to mount a Sweet32 attack. The attack proceeds as follows:
- The attacker identifies a Yaws server using obsolete TLS ciphers
- Traffic is captured over an extended period or during high-volume sessions
- Once approximately 2^32 blocks of data are collected, collision analysis enables partial plaintext recovery
- Session tokens, authentication cookies, or other repeated data patterns become vulnerable to extraction
For detailed technical analysis of this vulnerability, refer to the Medium CVE-2020-12872 Analysis and the Sweet32 Information Resource.
Detection Methods for CVE-2020-12872
Indicators of Compromise
- TLS connections negotiating 3DES or other 64-bit block cipher suites
- Yaws server logs showing cipher suite selections containing DES-CBC3 or similar deprecated algorithms
- Erlang/OTP runtime version below 21.0 detected in server environment
- Unusual volume of traffic capture attempts targeting HTTPS services
Detection Strategies
- Audit TLS cipher configurations using tools like nmap --script ssl-enum-ciphers to identify servers offering weak ciphers
- Monitor Yaws configuration files for the presence of deprecated cipher definitions in yaws_config.erl
- Implement network monitoring to detect long-duration TLS sessions that could facilitate Sweet32 attacks
- Review the Erlang/OTP version deployed alongside Yaws installations
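One way to act on the first audit item, as an added example that is not part of Yaws or Nmap: a Python parser that reads ssl-enum-ciphers output and reports, per port and protocol, the offered suites built on DES, 3DES, IDEA or RC2. The sample scan output is constructed and the function names are assumptions.

```python
import re

# Name tokens that identify a 64-bit block cipher in a suite name.
SMALL_BLOCK_TOKENS = {"3DES", "DES", "DES40", "IDEA", "RC2"}

PORT = re.compile(r"^(\d+/tcp)\s+open")
PROTO = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):\s*$")
SUITE = re.compile(r"^\|\s+((?:TLS|SSL)_\w+)")

# Constructed sample of `nmap --script ssl-enum-ciphers` output (no real host).
SAMPLE = """\
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048) - C
|_  least strength: C
"""

def is_64bit_block(suite):
    """True for IANA (TLS_..._3DES_EDE_CBC_SHA) or OpenSSL (DES-CBC3-SHA) names."""
    return any(t in SMALL_BLOCK_TOKENS for t in re.split(r"[_-]", suite.upper()))

def weak_suites(nmap_text):
    """Return {(port, protocol): [suite, ...]} for offered 64-bit block suites."""
    findings, port, proto = {}, None, None
    for line in nmap_text.splitlines():
        if m := PORT.match(line):
            port, proto = m.group(1), None      # new port section resets protocol
        elif m := PROTO.match(line):
            proto = m.group(1)
        elif (m := SUITE.match(line)) and proto and is_64bit_block(m.group(1)):
            findings.setdefault((port, proto), []).append(m.group(1))
    return findings

if __name__ == "__main__":
    for (port, proto), suites in weak_suites(SAMPLE).items():
        print(port, proto, ", ".join(suites))
```

An empty result for a host means none of the listed cipher families were offered; `is_64bit_block` can also be applied to cipher names taken from server logs, such as DES-CBC3-SHA.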
Monitoring Recommendations
- Configure security information and event management (SIEM) alerts for TLS handshakes using deprecated cipher suites
- Establish baseline metrics for TLS session duration and flag anomalously long connections
- Deploy vulnerability scanners to periodically assess web server cipher suite configurations
- Monitor for unauthorized network packet capture activity targeting HTTPS traffic
How to Mitigate CVE-2020-12872
Immediate Actions Required
- Upgrade Erlang/OTP runtime to version 21.0 or later to benefit from improved default cipher suites
- Update Yaws to the latest available version that addresses cipher configuration issues
- Manually configure TLS settings to explicitly exclude 64-bit block ciphers from allowed cipher suites
- Audit all production Yaws deployments to identify vulnerable configurations
Patch Information
The vulnerability can be addressed by updating to newer versions of both Yaws and the Erlang/OTP runtime. Review the GitHub Yaws Release Notes for the latest security updates. The specific code changes related to this issue can be examined in the GitHub Yaws Code Snippet and tracked via the GitHub Yaws Issue Tracker.
Workarounds
- Explicitly configure Yaws to use only strong cipher suites with 128-bit or larger block sizes
- Implement TLS 1.2 or TLS 1.3 with modern AEAD ciphers such as AES-GCM or ChaCha20-Poly1305
- Deploy a reverse proxy with properly configured TLS termination in front of vulnerable Yaws instances
- Limit TLS session duration to reduce the window for Sweet32 attack feasibility
# Example: Check Erlang/OTP version and update if necessary
erl -noshell -eval 'erlang:display(erlang:system_info(otp_release)), halt().'
# If version is below 21, upgrade Erlang/OTP to version 21.0 or later
# Consult your package manager or Erlang documentation for upgrade procedures
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

