[Dshield] OpenSSL Vulnerability

Doug White doug at clickdoug.com
Wed Oct 1 16:58:06 GMT 2003


Just installed the patches on all my RedHat boxes.

======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
======================================
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "Ben Robson" <ben at robson.ph>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Wednesday, October 01, 2003 8:00 AM
Subject: [Dshield] OpenSSL Vulnerability


| All,
|
| I haven't seen anyone post anything about the current OpenSSL & SSLeay
| issues to this list yet.  (Odd really?!?!?!?!?!?)  Anyway, here's
| another one of those alert thingys I do for work.  (by the way, I
| archive these at www.robson.ph)
|
| BenR.
|
| Purpose:              Security Officer Alert
| Subject:              Multiple Vulnerabilities in SSL Libraries
| Threat Level:         High
| Date:                 1st October 2003
| Systems Affected:     All systems using OpenSSL, SSLeay
|
|
| Summary:
| ============
|
|        Multiple vulnerabilities have been found to exist within the
| OpenSSL and SSLeay encryption algorithm libraries.  OpenSSL and SSLeay
| are the most widely used cryptographic library sets on the Internet.
| These libraries are used in such applications as OpenSSH, SSH,
| mod_ssl(apache), other https servers, and many other applications
| requiring cryptographic extensions.
|
|        The OpenSSL team has notified the IT community of 4
| vulnerabilities.  These vulnerabilities relate to the handling of
| erroneous(invalid) digital certificates that can lead to a denial of
| service (confirmed) and possibly the execution of arbitrary code
| (un-confirmed) on the system.
|
|        As yet no exploits have been identified for this issue, however
| given the pervasiveness of the SSL libraries and the return on
| investment to hackers to develop and exploit it, it is likely one will
| be created very shortly.
|
|
| Who is affected:
| =================
|
|         The OpenSSL team has notified the IT community that all versions
| up to and including 0.9.6j and 0.9.7b are vulnerable to these issues.
| All users of applications that use the OpenSSL or SSLeay libraries are
| affected by these issues.
|
|        Users may not immediately identify their systems as using these
| libraries, however if the user is running any application with any form
| of cryptographic function then the user is very possibly susceptible.
| This includes most WWW server systems, and encrypted communication
| methods.
|
|        The following vendors have released security advisories relating
| to the SSL libraries (at the time of posting this report).  Others will
| likely follow very shortly:
|
|        - Redhat Linux 7.1 (i386, iSeries, pSeries)
|                            7.2 (i386, i586, ia64)
|                            7.3 (i386, i686)
|                            8.0 (i386, i686)
|                            9.0 (i386, i686)
|        - Immunix 7+
|        - SGI
|        - EnGarde Secure Community v1.0.1
|                      Secure Community 2
|                      Secure Professional v1.1
|                      Secure Professional v1.2
|                      Secure Professional v1.5
|        - Conectiva 7.0, 8, 9
|        - Cisco IOS 12.1(11)E, 12.1E and later
|                   PIX Firewalls
|                   Firewall Service Module for 6500 & 7600 Series
|                   Network Analysis Modules for 6000, 6500 & 7600 Series
|                   Content Service Switch 11000 Series
|                   Global Site Selector 4480
|                   Application & Content Network Software
|                   SN 5428 Storage Router
|                   CiscoWorks 1105 Hosting Solution Engine
|                   CiscoWorks 1105 Wireless LAN Solution Engine
|                   CiscoWorks Common Services
|                   SIP Proxy Server
|
|
| Actions:
| ==========
|
|         Mitigation & Resolution:
|         ------------------------
|
|         Administrators of vulnerable systems are advised to upgrade
| their versions of OpenSSL to version 0.9.6k or 0.9.7c.  Any application
| that uses these libraries in a statically linked manner should also
| recompile these applications once the SSL libraries have been upgraded.
|
|
| Comments:
| =========
|
|         The SSL libraries are one of the most pervasive library sets
| active on Internet connected systems.  A large proportion of Internet
| connected servers will have the OpenSSL or SSLeay libraries installed by
| default as part of any cryptographic communication functions.
|
|         Should it be found that the vulnerabilities do allow the
| execution of arbitrary code on victim systems there is significant scope
| for a new worm to be created based on this vulnerability.
|
|
| Details:
| =========
|
|         The following information is the advisory published by the
| OpenSSL team to the Full-Disclosure, Bugtraq and OpenSSL mail lists.
|
|
| -----BEGIN PGP SIGNED MESSAGE-----
|
| OpenSSL Security Advisory [30 September 2003]
|
| Vulnerabilities in ASN.1 parsing
| ================================
|
| NISCC (www.niscc.gov.uk) prepared a test suite to check the operation
| of SSL/TLS software when presented with a wide range of malformed client
| certificates.
|
| Dr Stephen Henson (steve at openssl.org) of the OpenSSL core team
| identified and prepared fixes for a number of vulnerabilities in the
| OpenSSL ASN1 code when running the test suite.
|
| A bug in OpenSSL's SSL/TLS protocol was also identified which causes
| OpenSSL to parse a client certificate from an SSL/TLS client when it
| should reject it as a protocol error.
|
| Vulnerabilities
| - ---------------
|
| 1. Certain ASN.1 encodings that are rejected as invalid by the parser
| can trigger a bug in the deallocation of the corresponding data
| structure, corrupting the stack. This can be used as a denial of service
| attack. It is currently unknown whether this can be exploited to run
| malicious code. This issue does not affect OpenSSL 0.9.6.
|
| 2. Unusual ASN.1 tag values can cause an out of bounds read under
| certain circumstances, resulting in a denial of service vulnerability.
|
| 3. A malformed public key in a certificate will crash the verify code if
| it is set to ignore public key decoding errors. Public key decode errors
| are not normally ignored, except for debugging purposes, so this is
| unlikely to affect production code. Exploitation of an affected
| application would result in a denial of service vulnerability.
|
| 4. Due to an error in the SSL/TLS protocol handling, a server will parse
| a client certificate when one is not specifically requested. This by
| itself is not strictly speaking a vulnerability but it does mean that
| *all* SSL/TLS servers that use OpenSSL can be attacked using
| vulnerabilities 1, 2 and 3 even if they don't enable client
| authentication.
|
| Who is affected?
| - ----------------
|
| All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all
| versions of SSLeay are affected.
|
| Any application that makes use of OpenSSL's ASN1 library to parse
| untrusted data. This includes all SSL or TLS applications, those using
| S/MIME (PKCS#7) or certificate generation routines.
|
| Recommendations
| - ---------------
|
| Upgrade to OpenSSL 0.9.7c or 0.9.6k. Recompile any OpenSSL applications
| statically linked to OpenSSL libraries.
|
| References
| - ----------
|
| The Common Vulnerabilities and Exposures project (cve.mitre.org) has
| assigned the name CAN-2003-0545 for issue 1:
|
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
|
| and CAN-2003-0543 and CAN-2003-0544 for issue 2:
|
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
|
| URL for this Security Advisory:
| http://www.openssl.org/news/secadv_20030930.txt
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v1.2.1 (GNU/Linux)
|
| iQCVAwUBP3mNKu6tTP1JpWPZAQFjPwP/Y8epYBa9oCK69dCT5Y90kg9Ir8pYuv+q
| x4NxuyhD5JaJfmStwbl3BUSE5juI0mh7d6yFjfI0Ci3sdC+5v10ZOanGwX7o4JlS
| 3pGSSocAEiYS59qciRLtFsCbBt8jIOCG8KiTmKO2mI5dhAEB9UqPH9e8A1Wy/8un
| xjGKYbcITrM=
| =fFTe
| -----END PGP SIGNATURE-----
|
|
|

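The advisory's issue 2 (unusual ASN.1 tag values causing an out-of-bounds read) and issue 4 (a server parsing a client certificate it never asked for) together mean that every OpenSSL server of that era was handed attacker-controlled DER. The following is an example added here for illustration; it is not code from OpenSSL, from the NISCC test suite or from either poster. It parses DER tag-length headers, including the high-tag-number form that such unusual tag values use, checking every read against the buffer length, and then walks the children of a SEQUENCE so that a truncated or non-minimal encoding comes back as an error code instead of a read past the end of the buffer. The function names (der_read_tlv, der_count_children) and the sample encodings are this example's own and are constructed, not taken from the test suite.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum der_status {
    DER_OK = 0,
    DER_ERR_TRUNCATED,   /* header or content would run past the end of the buffer */
    DER_ERR_BAD_TAG,     /* non-minimal or oversized high-tag-number encoding */
    DER_ERR_BAD_LENGTH   /* indefinite, non-minimal or oversized length encoding */
};

struct der_tlv {
    uint8_t  tag_class;  /* 0 universal, 1 application, 2 context, 3 private */
    int      constructed;
    uint32_t tag_number;
    size_t   header_len; /* bytes used by the tag and length octets */
    size_t   content_len;
    const uint8_t *content;
};

/* Parse one DER tag-length header from buf[0..len). Every byte is checked
 * against len before it is read, so a truncated tag, an oversized tag number
 * or a length larger than the buffer comes back as an error code instead of
 * a read past the end of the buffer. */
enum der_status der_read_tlv(const uint8_t *buf, size_t len, struct der_tlv *out)
{
    size_t pos = 0;
    if (len == 0) return DER_ERR_TRUNCATED;
    uint8_t first = buf[pos++];
    out->tag_class   = first >> 6;
    out->constructed = (first & 0x20) != 0;
    uint32_t tagnum  = first & 0x1f;
    if (tagnum == 0x1f) {
        /* High-tag-number form: base-128 digits, MSB set on every digit but the last. */
        tagnum = 0;
        for (;;) {
            if (pos >= len) return DER_ERR_TRUNCATED;
            uint8_t b = buf[pos++];
            if (tagnum == 0 && b == 0x80) return DER_ERR_BAD_TAG;   /* leading zero digit */
            if (tagnum > (UINT32_MAX >> 7)) return DER_ERR_BAD_TAG; /* would overflow 32 bits */
            tagnum = (tagnum << 7) | (b & 0x7f);
            if ((b & 0x80) == 0) break;
        }
        if (tagnum < 0x1f) return DER_ERR_BAD_TAG;  /* 0..30 must use the one-byte form */
    }
    out->tag_number = tagnum;

    if (pos >= len) return DER_ERR_TRUNCATED;
    uint8_t lb = buf[pos++];
    size_t clen;
    if (lb < 0x80) {
        clen = lb;                                     /* short form */
    } else if (lb == 0x80) {
        return DER_ERR_BAD_LENGTH;                     /* indefinite length: BER only */
    } else {
        size_t n = lb & 0x7f;                          /* number of length octets */
        if (n > sizeof(size_t)) return DER_ERR_BAD_LENGTH;
        if (n > len - pos) return DER_ERR_TRUNCATED;
        if (buf[pos] == 0) return DER_ERR_BAD_LENGTH;  /* leading zero octet: non-minimal */
        clen = 0;
        for (size_t i = 0; i < n; i++) clen = (clen << 8) | buf[pos + i];
        pos += n;
        if (clen < 0x80) return DER_ERR_BAD_LENGTH;    /* should have used the short form */
    }
    if (clen > len - pos) return DER_ERR_TRUNCATED;
    out->header_len  = pos;
    out->content_len = clen;
    out->content     = buf + pos;
    return DER_OK;
}

/* Walk the immediate children of a constructed value such as a SEQUENCE.
 * Returns the child count, or the negated der_status if any header is malformed. */
int der_count_children(const uint8_t *buf, size_t len)
{
    struct der_tlv outer, child;
    enum der_status st = der_read_tlv(buf, len, &outer);
    if (st != DER_OK) return -(int)st;
    if (!outer.constructed) return -(int)DER_ERR_BAD_TAG;
    const uint8_t *p = outer.content;
    size_t remaining = outer.content_len;
    int count = 0;
    while (remaining > 0) {
        st = der_read_tlv(p, remaining, &child);
        if (st != DER_OK) return -(int)st;
        p += child.header_len + child.content_len;
        remaining -= child.header_len + child.content_len;
        count++;
    }
    return count;
}

/* Constructed sample encodings (not taken from the NISCC test suite). */
static const uint8_t GOOD_SEQ[]      = {0x30,0x05, 0x02,0x01,0x05, 0x05,0x00}; /* SEQUENCE { INTEGER 5, NULL } */
static const uint8_t OVERLONG_SEQ[]  = {0x30,0x10, 0x02,0x01,0x05};             /* claims 16 content bytes, has 3 */
static const uint8_t TRUNC_TAG_SEQ[] = {0x30,0x02, 0x1f,0x81};                  /* high-tag form cut off mid-digit */
static const uint8_t HIGH_TAG_SEQ[]  = {0x30,0x04, 0x5f,0x81,0x00,0x00};        /* [APPLICATION 128], empty */
static const uint8_t BAD_TAG_SEQ[]   = {0x30,0x03, 0x1f,0x80,0x1f};             /* non-minimal high-tag digits */
static const uint8_t INDEF_SEQ[]     = {0x30,0x80, 0x05,0x00, 0x00,0x00};       /* BER indefinite length */
```

Calling der_count_children on GOOD_SEQ returns 2 and on HIGH_TAG_SEQ returns 1 (its single child has tag number 128); the other four samples each return the negated error code. TRUNC_TAG_SEQ is the interesting one: the child's tag byte 0x1f announces a multi-byte tag number, the next byte 0x81 has its continuation bit set, and the buffer ends there. A parser that trusts the continuation bit reads one byte past the end; this one returns DER_ERR_TRUNCATED because the bounds check runs before every read.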

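To turn the affected-version list above into a check, here is an added example (not OpenSSL's code and not from the advisory or either poster) that classifies a version string in the format printed by `openssl version` against the advisory's rule: everything up to and including 0.9.6j and 0.9.7b is affected, 0.9.6k and 0.9.7c carry the fix. The function and type names are this example's own, and the sample strings in main are constructed.

```c
#include <ctype.h>
#include <stdio.h>

/* Outcome of checking a version string against OpenSSL secadv_20030930. */
enum ssl_status { SSL_FIXED = 0, SSL_VULNERABLE = 1, SSL_UNPARSEABLE = -1 };

struct ssl_version { int major, minor, patch, letter; /* letter: 0 = none, 1 = 'a', 2 = 'b', ... */ };

/* Parse "0.9.7b", "OpenSSL 0.9.6j 10 Apr 2003" (the `openssl version` format)
 * or "SSLeay 0.9.1b". Anything before the first digit is treated as a product
 * name and skipped. Returns 0 on success, -1 if the string is not understood. */
int ssl_parse_version(const char *s, struct ssl_version *v)
{
    while (*s && !isdigit((unsigned char)*s)) s++;
    int used = 0;
    if (sscanf(s, "%d.%d.%d%n", &v->major, &v->minor, &v->patch, &used) != 3) return -1;
    s += used;
    v->letter = 0;
    if (islower((unsigned char)*s)) v->letter = *s++ - 'a' + 1;
    return (*s == '\0' || isspace((unsigned char)*s)) ? 0 : -1;
}

/* Lexicographic compare of v against (ma, mi, pa, le): <0, 0 or >0. */
static int ssl_cmp(const struct ssl_version *v, int ma, int mi, int pa, int le)
{
    if (v->major != ma) return v->major < ma ? -1 : 1;
    if (v->minor != mi) return v->minor < mi ? -1 : 1;
    if (v->patch != pa) return v->patch < pa ? -1 : 1;
    if (v->letter != le) return v->letter < le ? -1 : 1;
    return 0;
}

/* Advisory rule: everything up to and including 0.9.6j and 0.9.7b is affected,
 * 0.9.6k and 0.9.7c carry the fix. SSLeay releases all predate 0.9.6, so the
 * same comparison flags them as affected. */
enum ssl_status openssl_secadv_20030930_status(const char *version_string)
{
    struct ssl_version v;
    if (ssl_parse_version(version_string, &v) != 0) return SSL_UNPARSEABLE;
    if (ssl_cmp(&v, 0, 9, 6, 11) < 0) return SSL_VULNERABLE; /* older than 0.9.6k */
    if (ssl_cmp(&v, 0, 9, 7, 0)  < 0) return SSL_FIXED;      /* 0.9.6k and later 0.9.6 */
    if (ssl_cmp(&v, 0, 9, 7, 3)  < 0) return SSL_VULNERABLE; /* 0.9.7 up to 0.9.7b */
    return SSL_FIXED;                                        /* 0.9.7c and later */
}

int main(void)
{
    /* Constructed sample strings in the `openssl version` format. */
    const char *samples[] = {"OpenSSL 0.9.7b 10 Apr 2003", "OpenSSL 0.9.7c 30 Sep 2003",
                             "OpenSSL 0.9.6j 10 Apr 2003", "OpenSSL 0.9.6k 30 Sep 2003",
                             "SSLeay 0.9.1b", "not a version"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s -> %d\n", samples[i], (int)openssl_secadv_20030930_status(samples[i]));
    return 0;
}
```

Two caveats when using a check like this. Distribution packages that backport the fix (Red Hat's errata do this) keep the upstream version number, so a patched box can still print 0.9.7a; check the package changelog (`rpm -q --changelog openssl`) rather than trusting the string alone. And, as the advisory itself notes, statically linked applications carry their own copy of the library, which `openssl version` knows nothing about; those have to be found and rebuilt separately.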

