CVE-2020-1968 Overview
CVE-2020-1968, known as the "Raccoon attack," is a timing side-channel vulnerability in the TLS specification that affects implementations using Diffie-Hellman (DH) based ciphersuites. This vulnerability allows an attacker to compute the pre-master secret in TLS connections by exploiting subtle timing differences during the key exchange process. The attack can only succeed when an implementation re-uses a DH secret across multiple TLS connections, enabling attackers to eavesdrop on all encrypted communications sent over the compromised TLS connection.
Critical Impact
Successful exploitation allows attackers to decrypt TLS traffic and eavesdrop on sensitive communications when DH ciphersuites are used with secret reuse.
Affected Products
- OpenSSL 1.0.2 through 1.0.2v
- Canonical Ubuntu Linux 16.04 LTS and 18.04 LTS
- Debian Linux 9.0
- Oracle JD Edwards World Security A9.4
- Oracle PeopleSoft Enterprise PeopleTools 8.56, 8.57, 8.58
- Oracle Ethernet Switch firmware (ES2-64, ES2-72, ES1-24, TOR-72)
- Fujitsu M10 and M12 series firmware
Discovery Timeline
- September 9, 2020 - CVE-2020-1968 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-1968
Vulnerability Analysis
The Raccoon attack targets a fundamental weakness in how TLS versions up to 1.2 handle Diffie-Hellman key exchanges. During the TLS handshake, when a DH-based ciphersuite is negotiated, the pre-master secret is derived from the shared DH value, and the specification requires that any leading zero bytes of that value be stripped before it is fed into the key derivation. The length of the pre-master secret, and with it the amount of hashing work spent on it, therefore depends on the secret itself, and the TLS specification does nothing to prevent that difference from leaking as a timing side channel.
When implementations re-use DH secrets across multiple TLS connections, an attacker positioned to observe network traffic can measure subtle timing variations in server responses. These timing differences correlate with the value of the leading bytes of the pre-master secret (in particular, whether they are zero). By collecting numerous timing measurements across many connections that use the same DH secret, an attacker can statistically recover enough information to compute the complete pre-master secret.
It is important to note that ECDH (Elliptic Curve Diffie-Hellman) ciphersuites are not affected by this vulnerability. OpenSSL 1.1.1 is also not vulnerable, as it does not re-use DH secrets in a manner that enables this attack.
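The length dependence described above, shown as an added example (not code from the original page or from OpenSSL): the TLS 1.2 pre-master-secret encoding from RFC 5246 section 8.1.2 next to the fixed-length TLS 1.3 encoding from RFC 8446 section 7.4.1, plus the HMAC key pre-hashing rule from RFC 2104 that turns a shorter secret into fewer compression calls. The 2048-bit group size and the directly sampled shared values Z are assumptions for illustration.

```python
import random

# Assumption (constructed): a 2048-bit finite-field DH group whose prime has its
# top bit set, so the shared value Z looks like a uniformly random 256-byte integer.
# Z is sampled directly here; the DH arithmetic that produces it does not change
# how the value is encoded afterwards, which is the point of interest.
P_BITS = 2048
P_LEN = P_BITS // 8   # 256 bytes

def premaster_tls12(z: int) -> bytes:
    """TLS 1.0-1.2 (RFC 5246, 8.1.2): Z is big-endian and every leading zero byte
    is stripped, so the pre-master secret has a value-dependent length."""
    return z.to_bytes(P_LEN, "big").lstrip(b"\x00")

def shared_secret_tls13(z: int) -> bytes:
    """TLS 1.3 (RFC 8446, 7.4.1): Z is left-padded with zeros to the size of the
    prime, so the secret's length, and the hashing work on it, is constant."""
    return z.to_bytes(P_LEN, "big")

def hmac_key_compressions(key_len: int, block_size: int = 64) -> int:
    """SHA-256 compression calls HMAC spends on its key before any message byte is
    touched (RFC 2104): a key no longer than the block size is only padded, a longer
    key is hashed first, and SHA-256 padding adds 0x80 plus an 8-byte length."""
    if key_len <= block_size:
        return 0
    return -(-(key_len + 9) // block_size)   # ceil((key_len + 9) / block_size)

def length_profile(samples: int, seed: int = 7) -> dict:
    """Histogram of pre-master-secret lengths under both encodings for `samples`
    random Z values: roughly 1 in 256 TLS 1.2 secrets is a byte shorter, while
    every TLS 1.3 secret is exactly P_LEN bytes."""
    rng = random.Random(seed)   # deterministic so the run is reproducible
    tls12, tls13 = {}, {}
    for _ in range(samples):
        z = rng.getrandbits(P_BITS)
        for table, secret in ((tls12, premaster_tls12(z)), (tls13, shared_secret_tls13(z))):
            table[len(secret)] = table.get(len(secret), 0) + 1
    return {"tls12": tls12, "tls13": tls13}

if __name__ == "__main__":
    prof = length_profile(20000)
    print("TLS 1.2 pre-master lengths:", sorted(prof["tls12"].items()))
    print("TLS 1.3 shared-secret lengths:", sorted(prof["tls13"].items()))
    for n in (P_LEN, P_LEN - 1, P_LEN - 9):
        print(f"{n}-byte key -> {hmac_key_compressions(n)} SHA-256 compressions in HMAC key setup")
```

Whether a single stripped byte crosses a compression-block boundary depends on the prime size and the PRF hash, which is why the helper takes the length as input rather than assuming one byte always changes the timing.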
Root Cause
The root cause is classified as CWE-203 (Observable Discrepancy), which occurs when the product behaves differently based on secret values in a way that is observable to an attacker. In this case, the TLS implementation's handling of DH key exchanges creates measurable timing differences that leak information about the pre-master secret when DH secrets are reused across multiple connections.
Attack Vector
The attack requires a network-based adversary in a man-in-the-middle position who can observe and time TLS handshakes. The attacker must:
- Position themselves to intercept TLS connections using DH ciphersuites
- Collect timing measurements from multiple connections that reuse the same DH secret
- Perform statistical analysis on timing data to extract leading bytes of the pre-master secret
- Use recovered information to compute the complete pre-master secret and decrypt traffic
The attack complexity is high as it requires precise timing measurements and statistical analysis across numerous connections. No privileges or user interaction are required from the target.
Detection Methods for CVE-2020-1968
Indicators of Compromise
- Unusual patterns of repeated TLS connection attempts to the same server endpoint
- Network traffic analysis showing DH-based ciphersuite negotiation with legacy OpenSSL versions
- Presence of OpenSSL 1.0.2 versions prior to 1.0.2w in production environments
Detection Strategies
- Audit TLS configurations to identify systems using DH ciphersuites with vulnerable OpenSSL versions
- Monitor for OpenSSL version 1.0.2 through 1.0.2v in software inventory scans
- Review TLS handshake logs for DH ciphersuite usage patterns
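One way to carry out the audit and inventory checks listed above, as an added example that is not part of the original page: it classifies negotiated cipher suites by key exchange using OpenSSL's suite-name prefixes (static DH-, ephemeral DHE-/EDH-, anonymous ADH-; ECDH(E) is excluded because the advisory says it is unaffected) and compares OpenSSL letter versions against the 1.0.2w fix. The host names, version strings and record layout are constructed sample data.

```python
import re

# Constructed sample records (not real hosts), one per TLS-terminating service:
# host, reported OpenSSL version, negotiated cipher suite from handshake logs.
SAMPLE_RECORDS = """\
web-a.example.test OpenSSL/1.0.2u DHE-RSA-AES256-GCM-SHA384
web-b.example.test OpenSSL/1.0.2w DHE-RSA-AES128-SHA256
api.example.test OpenSSL/1.1.1k DHE-RSA-AES256-GCM-SHA384
vpn.example.test OpenSSL/1.0.2v ECDHE-RSA-AES256-GCM-SHA384
legacy.example.test OpenSSL/1.0.2k DH-RSA-AES256-SHA
"""

# OpenSSL suite-name prefixes that negotiate finite-field Diffie-Hellman.
# Elliptic-curve suites (ECDH-, ECDHE-, AECDH-) are deliberately not listed.
FFDH_PREFIXES = ("DH-", "DHE-", "EDH-", "ADH-")

def parse_openssl_version(text: str) -> tuple:
    """Turn '1.0.2u' into a comparable tuple (1, 0, 2, 'u'); the letter may be absent."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def is_ffdh_suite(suite: str) -> bool:
    """True for suites whose key exchange is finite-field DH (static or ephemeral)."""
    return suite.startswith(FFDH_PREFIXES)

def is_vulnerable_openssl(version: str) -> bool:
    """OpenSSL 1.0.2 before 1.0.2w is in scope; 1.0.2w, 1.1.1 and later are not."""
    v = parse_openssl_version(version)
    return v[:3] == (1, 0, 2) and v < (1, 0, 2, "w")

def audit(records: str) -> list:
    """Return (host, version, suite) for services that pair a finite-field DH suite
    with an unpatched OpenSSL 1.0.2. These are review candidates: whether the DH
    secret is actually re-used across connections cannot be seen from an inventory."""
    findings = []
    for line in records.splitlines():
        if not line.strip():
            continue
        host, product, suite = line.split()
        version = product.split("/", 1)[1]
        if is_ffdh_suite(suite) and is_vulnerable_openssl(version):
            findings.append((host, version, suite))
    return findings

if __name__ == "__main__":
    for host, version, suite in audit(SAMPLE_RECORDS):
        print(f"REVIEW {host}: OpenSSL {version} negotiating {suite}")
```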
Monitoring Recommendations
- Implement network monitoring to detect high-frequency TLS handshake attempts that could indicate timing attacks
- Deploy TLS inspection capabilities to identify vulnerable ciphersuite negotiations
- Enable verbose logging on critical TLS-terminating infrastructure
How to Mitigate CVE-2020-1968
Immediate Actions Required
- Upgrade OpenSSL 1.0.2 installations to version 1.0.2w or migrate to OpenSSL 1.1.1 (recommended)
- Disable DH-based ciphersuites in favor of ECDH ciphersuites where possible
- Review and update TLS configurations on all affected systems including enterprise applications and network devices
Patch Information
OpenSSL has released version 1.0.2w to address this vulnerability. However, OpenSSL 1.0.2 is out of support and no longer receives public updates. Organizations should migrate to OpenSSL 1.1.1 or later versions, which are not affected by this vulnerability.
For detailed patch information, refer to the OpenSSL Security Advisory.
Additional vendor advisories:
- Ubuntu Security Notice USN-4504-1
- Debian LTS Announcement
- Oracle CPU January 2021 Alert
- NetApp Security Advisory
Workarounds
- Configure TLS servers to prefer ECDH ciphersuites over DH ciphersuites
- Disable static DH ciphersuites and ensure ephemeral DH (DHE) key generation occurs per-connection
- Consider implementing TLS 1.3 which eliminates the vulnerable key exchange patterns
# Disable finite-field DH ciphersuites in OpenSSL configuration
# Add to openssl.cnf (ssl_conf section) or to the server's TLS configuration
# The explicit list restricts the server to ECDHE suites; !DH removes every
# finite-field DH suite, static and ephemeral, and !DHE is a redundant safeguard
CipherString = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!DH:!DHE
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.