uTLS Downgrade Vulnerability Allowing TLS Connection Downgrades and Fingerprinting

Vulnerability

A vulnerability in uTLS versions prior to 1.7.0 allows active network adversaries to downgrade TLS 1.3 connections to lower versions, such as TLS 1.2. This issue arises because uTLS, which is designed for fingerprinting resistance, did not implement the necessary downgrade protection for TLS 1.3 when using a customized ClientHello specification. Exploitation involves modifying the ClientHello message to exclude the SupportedVersions extension, prompting the server to respond with a TLS 1.2 ServerHello that includes a downgrade canary. Since uTLS clients did not check this canary, they accepted the downgraded connection without awareness of the downgrade attack. This vulnerability could also be leveraged to fingerprint uTLS connections.

Impact

Exploitation of this vulnerability allows for downgrading TLS 1.3 connections to lower versions, such as TLS 1.2, without detection. This not only undermines the security of the TLS connection but also exposes uTLS connections to fingerprinting attacks.

Reproduction

To reproduce this vulnerability, initiate a TLS 1.3 connection using a uTLS client version prior to 1.7.0. Customize the ClientHello message to exclude the SupportedVersions extension, which will cause the server to respond with a TLS 1.2 ServerHello. The response will include a downgrade canary in the random field. Because uTLS does not check this canary, the client will accept the downgraded connection, thereby falling victim to the downgrade attack.

Remediation

Users can upgrade to uTLS version 1.7.0 or later, where this vulnerability has been fixed.

Added: Feb 20, 2026, 3:21 AM
Updated: Feb 20, 2026, 3:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 5.4
remediation: 0.0
relevance: 3.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.