Makers of the mobile encrypted chat app Signal say they have fixed vulnerabilities in the Android version of the messaging app that allowed attackers to corrupt encrypted attachments and remotely crash the application. The vulnerabilities were discovered by Jean-Philippe Aumasson and Markus Vervier who explained the “low severity” bugs in research note posted Thursday. The vulnerabilities were also acknowledged by Signal developer, Open Whisper Systems, which also described the vulnerabilities as low severity.
One of the bugs allows an attacker to modify an attachment sent by an Android user of the Signal messaging client. The vulnerability allows a third party that has compromised a Signal server to intercept an encrypted attachment and add psuedorandom data increasing the attachment to an unmanageable 4GB in size. The prerequisites of compromising the Signal server for this attack are not insignificant researchers acknowledge. “The exploitation isn’t straightforward,” Aumasson told Threatpost. “However, Signal’s threat model is end-to-end security, therefore any method that compromises confidentiality or integrity using a man-in-the-middle attack qualifies as an attack on Signal’s security.” Aumasson and Vervier said they never compromised a Signal server for their research, rather created a proof-of-concept Signal attachment storage server for its research. “An entity with access to Amazon S3 or having access to any of the CA certificates commonly found in trust stores on Android or other systems, could modify attachments in the following way: Watch for a request to fetch an attachment.. Fetch the original attachment of size X.. Pad the attachment with data of size 4GB + 1byte, resulting in a total size of X + 4GB + 1,” Aumasson and Vervier wrote. Aumasson noted that the compromise can also be carried out by any attacker that owns a signing key for one of the certificates trusted by Android, or with a rogue certificate a victim is tricked into installing on their device. Ultimately, by increasing the attachment size to more than 4GB, researchers say an attacker can take advantage of an integer overflow flaw to bypass the encryption message authentication code (MAC) checks. “If the 4GB transfer runs in background it can easily go unnoticed,” Aumasson said. “And the (4GB) file may be compressed down a dozen MBs, so that you’ll only need to transfer a few MBs instead of GBs.” In their research, Aumasson and Vervier note, “If we use HTTP stream compression with gzip we can create 4GB files which compress down to 4.5MB.” “The severity of the MAC bypass bug is also likely low (crash), but we are still investigating as it might allow further attacks via advanced vectors (but we can neither confirm nor deny at this point if there is an impact),” Vervier told Threatpost. “These bugs seem to be the first published vulnerabilities in Signal and show that even such a high profile application that is in strong focus may have a vulnerability,” Vervier wrote. The bugs, Aumasson and Vervier said, are limited to the Android Signal app. “The published bugs are not affecting iOS to our best knowledge since the implementation is different and we did not look at it as much as the Java reference implementation on Android. We are also verifying what bugs affect other systems such as WhatsApp.” The second bug could allow a third party to crash the Android Signal app and is tied to the way the app handles real-time transport protocol (RTP) network traffic used in delivering audio and video content. According to Vervier, a contact initiating a call with recipient, can crash the Signal application without any compromise of the Signal servers. “It cannot be used to execute malicious code or leak any private data. This is due to the fact that there is another bug (a second integer underflow) that causes the crash and prevents any further exploitation,” Vervier wrote. He added, “The severity of the RTP Packet handling bug would be low, as it is only a DoS that crashes the Signal application.” Aumasson and Vervier said “those using the RtpPacket class should update to a fixed version, as in other contexts it might be exploitable. But to recap: On Signal-Android it is not exploitable beyond a remote crash of the Signal application.” Open Whisper Systems was notified privately of the vulnerabilities on Tuesday and fixed them the same day, Vervier said. 0