Researchers have discovered a new vulnerability on Transport layer security named “ALPACA” which is planned to be presented in Black Hat USA 2021.

A team of researchers from Ruhr University Bochum, Münster University of Applied Sciences, and Paderborn University had identified a new TLS vulnerability named “Application Layer Protocol Content Confusion Attack using which an attackers can redirect traffic from one sub-domain to another leading to be a valid TLS session.

We investigate cross-protocol attacks on TLS in general and conducted a systematic case study on web servers, redirecting HTTPS requests from a victim’s web browser to SMTP, IMAP, POP3, and FTP servers. We show that in realistic scenarios, the attacker can extract session cookies and other private user data or execute arbitrary JavaScript in the context of the vulnerable web server, therefore bypassing TLS and web application security.” stated in the research paper.

How this can be exploited?

Using this “ALPACA” attack an adversary can steal website’s cookies or perform XSS attack .The study said “the potential consequences to the general ALPACA attack are dependent on the interactions of two unknown protocols, so any number of undesirable behaviors may be possible.”

Is your website / mail server/ ftp vulnerable?

The answer is yes, if below conditions are true:

  1. Hosted several TLS enabled application servers on same hostname.
  2. If you used multi-domain Certificates.
  3. you may be vulnerable if you wild-card certificates.
  4. If your application servers has exploitable(read as vulnerable) upload, download or any other reflection vectors which may dangerously impact the security posture of the webserver.

Responsible Disclosure Timeline

  • 2020-10-20: Initial contact with Eric Rescorla (author of TLS standard, CTO of Mozilla)
  • 2020-12-03: Initial contact with OpenSSL.
  • 2021-02-02: Initial contact with other TLS library maintainers.
  • 2021-02-20: Initial contact with all affected application servers (FTP, Email).
  • 2021-03-25: Initial contact with nginx and Apache.
  • 2021-06-09: Public disclosure.

-–For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s