Potential weak encryption of session ticket

High
maddeleine published GHSA-p7fh-jw2q-8j43 Jul 19, 2024

Package

s2n-tls

Affected versions

< v1.4.18

Patched versions

v1.4.18

Description

Summary

Stateless TLS session resumption allows servers to send an encrypted session ticket to clients so they can resume the session at a later time with the original server that can decrypt the ticket. Under certain multi-threading circumstances, an issue in s2n-tls may cause an individual session ticket to be encrypted in such a way that it could be decrypted by an entity other than the original server. This issue may manifest if the server is sharing an s2n_config struct between different threads that are concurrently performing TLS handshakes.

Impact

No AWS service was affected by this issue. Customers who use s2n-tls directly may be affected, depending on the TLS version used in the session:

  1. TLS1.2: An adversary who is able to observe traffic between the client and the intended server could use the faulty session ticket to decrypt the traffic offline. This risk is not present with a TLS1.3 session.

  2. TLS1.3: An adversary who is able to impersonate the intended server could mount a man-in-the-middle attack to force a client to resume future sessions with the adversary. While previously recorded sessions could not be decrypted, future sessions with the adversary could be.

s2n-tls customers should update to the most recent s2n-tls version.

Impacted versions: All versions >= v0.9.0 and < v1.4.18

Patches

The patch is included in v1.4.18 [2].

References

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting
[2] https://github.com/aws/s2n-tls/releases/tag/v1.4.18

Severity

High

CVE ID

No known CVE

Weaknesses

No CWEs