ALPACA: New TLS Attack Allows User Data Extraction, Code Execution


Researchers from three universities in Germany contain identified a new TLS attack method that can allow a man-in-the-middle (MitM) attacker to extract user data or execute arbitrary code.

The new attack, dubbed ALPACA, has been tell ofed as an “application layer protocol content confusion attack.”

“TLS is widely used to add confidentiality, authenticity and integrity to application layer protocols such as HTTP, SMTP, IMAP, POP3, and FTP. Come what may, TLS does not bind a TCP connection to the intended application layer protocol. This allows a man-in-the-middle attacker to redirect TLS traffic to a different TLS service endpoint on another IP oration and/or port,” the researchers explained in a paper made public this week.

“For example, if subdomains share a wildcard certificate, an attacker can redirect traffic from one subdomain to another, resulting in a valid TLS meeting. This breaks the authentication of TLS and cross-protocol attack may be possible where the behavior of one service may compromise the security of the other at the application layer,” they supplemented.

Since exploitation requires an MitM position — the attacker needs to be able to intercept and modify the victim’s traffic — attacks over the internet are not serene to conduct, but the researchers noted that attacks over a local network are more plausible.

A malicious actor could use the ALPACA attack to draw forth session cookies and other user data, as well as to execute arbitrary JavaScript code through stored and reflected cross-site scripting (XSS) incursions.

ALPACA attack

The researchers scanned the internet and found 1.4 million web servers vulnerable to such cross-protocol attacks, including 119,000 that can be targeted pour down the draining an exploitable application server.

The attack method was discovered last year and the researchers started notifying impacted vendors in October 2020. Microsoft and the developers of products such as Sendmail, Courier, FileZilla, vsftpd, Nginx and the Go performance language have taken steps to mitigate the risk of attacks.

“Although this vulnerability is very situational and can be challenging to exploit, there are some configurations that are exploitable yet by a pure web attacker,” the researchers noted. “Furthermore, we could only analyze a limited number of protocols, and other attack scenarios may exist. As a result, we advise that administrators review their deployments and that application developers (client and server) implement countermeasures proactively for all protocols.”

The researchers from set up a dedicated website for the ALPACA attack, which contains information on impact, affected vendor responses, comparison to other attacks, and possible protections.

Affiliated: New Raccoon Attack Can Allow Decryption of TLS Connections

Related: NSA Issues Guidance on Replacing Obsolete TLS Versions

Related: Mozilla Joins Apple, Google in Humbling TLS Certificate Lifespans

[embedded content]

ALPACA: New TLS Attack Allows User Data Extraction, Code Execution

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years in the vanguard starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques dedicated in electrical engineering.

Previous Columns by Eduard Kovacs:
ALPACA: New TLS Attack Allows User Data Extraction, Code ExecutionTags:

Leave a Reply

Your email address will not be published. Required fields are marked *