[Dshield] OpenSSL Vulnerability
doug at clickdoug.com
Wed Oct 1 16:58:06 GMT 2003
Just installed the patches on all my RedHat boxes.
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
If you are not satisfied with my service, my job isn't done!
----- Original Message -----
From: "Ben Robson" <ben at robson.ph>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Wednesday, October 01, 2003 8:00 AM
Subject: [Dshield] OpenSSL Vulnerability
| I haven't seen anyone post anything about the current OpenSSL & SSLeay
| issues to this list yet. (Odd really?!?!?!?!?!?) Anyway, here's
| another one of those alert thingys I do for work. (by the way, I
| archive these at www.robson.ph)
| Purpose: Security Officer Alert
| Subject: Multiple Vulnerabilities in SSL Libraries
| Threat Level: High
| Date: 1st October 2003
| Systems Affected: All systems using OpenSSL, SSLeay
| Multiple vulnerabilities have been found to exist within the
| OpenSSL and SSLeay encryption algorithm libraries. OpenSSL and SSLeay
| are the most widely used cryptographic library sets on the Internet.
| These libraries are used in such applications as OpenSSH, SSH,
| mod_ssl (Apache), other https servers, and many other applications
| requiring cryptographic extensions.
| The OpenSSL team has notified the IT community of 4
| vulnerabilities. These vulnerabilities relate to the handling of
| erroneous (invalid) digital certificates that can lead to a denial of
| service (confirmed) and possibly the execution of arbitrary code
| (un-confirmed) on the system.
| As yet no exploits have been identified for this issue, however
| given the pervasiveness of the SSL libraries and the return on
| investment to hackers to develop and exploit it, it is likely one will
| be created very shortly.
| Who is affected:
| The OpenSSL team has notified the IT community that all versions
| up to and including 0.9.6j and 0.9.7b are vulnerable to these issues.
| All users of applications that use the OpenSSL or SSLeay libraries are
| affected by these issues.
| Users may not immediately identify their systems as using these
| libraries, however if the user is running any application with any form
| of cryptographic function then the user is very possibly susceptible.
| This includes most WWW server systems, and encrypted communication
| The following vendors have released security advisories relating
| to the SSL libraries (at the time of posting this report). Others will
| likely follow very shortly:
| - Redhat Linux 7.1 (i386, iSeries, pSeries)
|                7.2 (i386, i586, ia64)
|                7.3 (i386, i686)
|                8.0 (i386, i686)
|                9.0 (i386, i686)
| - Immunix 7+
| - SGI
| - EnGarde Secure Community v1.0.1
|           Secure Community 2
|           Secure Professional v1.1
|           Secure Professional v1.2
|           Secure Professional v1.5
| - Connectiva 7.0, 8, 9
| - Cisco IOS 12.1(11)E, 12.1E and later
|         PIX Firewalls
|         Firewall Service Module for 6500 & 7600 Series
|         Network Analysis Modules for 6000, 6500 & 7600 Series
|         Content Service Switch 11000 Series
|         Global Site Selector 4480
|         Application & Content Network Software
|         SN 5428 Storage Router
|         CiscoWorks 1105 Hosting Solution Engine
|         CiscoWorks 1105 Wireless LAN Solution Engine
|         CiscoWorks Common Services
|         SIP Proxy Server
| Mitigation & Resolution:
| Administrators of vulnerable systems are advised to upgrade
| their versions of OpenSSL to version 0.9.6k or 0.9.7c. Any application
| that uses these libraries in a statically linked manner should also
| recompile these applications once the SSL libraries have been upgraded.
| The SSL libraries are one of the most pervasive library sets
| active on Internet connected systems. A large proportion of Internet
| connected servers will have the OpenSSL or SSLeay libraries installed by
| default as part of any cryptographic communication functions.
| Should it be found that the vulnerabilities do allow the
| execution of arbitrary code on victim systems there is significant scope
| for a new worm to be created based on this vulnerability.
| The following information is the advisory published by the
| OpenSSL team to the Full-Disclosure, Bugtraq and OpenSSL mail lists.
| -----BEGIN PGP SIGNED MESSAGE-----
| OpenSSL Security Advisory [30 September 2003]
| Vulnerabilities in ASN.1 parsing
| NISCC (www.niscc.gov.uk) prepared a test suite to check the operation
| of SSL/TLS software when presented with a wide range of malformed client
| Dr Stephen Henson (steve at openssl.org) of the OpenSSL core team
| identified and prepared fixes for a number of vulnerabilities in the
| OpenSSL ASN1 code when running the test suite.
| A bug in OpenSSL's SSL/TLS protocol was also identified which causes
| OpenSSL to parse a client certificate from an SSL/TLS client when it
| should reject it as a protocol error.
| - ---------------
| 1. Certain ASN.1 encodings that are rejected as invalid by the parser
| can trigger a bug in the deallocation of the corresponding data
| structure, corrupting the stack. This can be used as a denial of service
| attack. It is currently unknown whether this can be exploited to run
| malicious code. This issue does not affect OpenSSL 0.9.6.
| 2. Unusual ASN.1 tag values can cause an out of bounds read under
| certain circumstances, resulting in a denial of service vulnerability.
| 3. A malformed public key in a certificate will crash the verify code if
| it is set to ignore public key decoding errors. Public key decode errors
| are not normally ignored, except for debugging purposes, so this is
| unlikely to affect production code. Exploitation of an affected
| application would result in a denial of service vulnerability.
| 4. Due to an error in the SSL/TLS protocol handling, a server will parse
| a client certificate when one is not specifically requested. This by
| itself is not strictly speaking a vulnerability but it does mean that
| *all* SSL/TLS servers that use OpenSSL can be attacked using
| vulnerabilities 1, 2 and 3 even if they don't enable client
| Who is affected?
| - ----------------
| All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all
| versions of SSLeay are affected.
| Any application that makes use of OpenSSL's ASN1 library to parse
| untrusted data. This includes all SSL or TLS applications, those using
| S/MIME (PKCS#7) or certificate generation routines.
| - ---------------
| Upgrade to OpenSSL 0.9.7c or 0.9.6k. Recompile any OpenSSL applications
| statically linked to OpenSSL libraries.
| - ----------
| The Common Vulnerabilities and Exposures project (cve.mitre.org) has
| assigned the name CAN-2003-0545 for issue 1:
| and CAN-2003-0543 and CAN-2003-0544 for issue 2:
| URL for this Security Advisory:
| -----BEGIN PGP SIGNATURE-----
| Version: GnuPG v1.2.1 (GNU/Linux)
| -----END PGP SIGNATURE-----
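Added example, not part of the original messages or of the OpenSSL project's code: a small audit helper that applies the advisory's version thresholds (fixed in 0.9.6k and 0.9.7c) and looks for the library's version banner inside file contents, which is one way to spot the statically linked copies the advisory says must be recompiled. The function names, the sample byte strings and the assumption that the banner survives as a plain string in the binary are mine; SSLeay banners are not covered.

```python
import re
import sys

# First fixed release per branch, taken from the advisory (0.9.6k and 0.9.7c).
FIXED = {(0, 9, 6): "k", (0, 9, 7): "c"}

# Assumption: the library's version banner ("OpenSSL 0.9.6j 10 Apr 2003")
# survives as a plain string inside a statically linked binary.
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\b")
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def is_affected(version):
    """True if the version predates the fixed release of its branch."""
    m = VERSION.fullmatch(version)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    branch = tuple(int(part) for part in m.group(1, 2, 3))
    if branch in FIXED:
        # "" < "a" < "b" ..., so the unlettered base release sorts first.
        return m.group(4) < FIXED[branch]
    # Branches before 0.9.6 have no fixed release; later ones postdate the fix.
    return branch < (0, 9, 6)


def embedded_versions(blob):
    """Unique OpenSSL version banners found in raw file contents."""
    return sorted({m.group(1).decode("ascii") for m in BANNER.finditer(blob)})


def audit(blob):
    """Map each embedded version to whether the advisory covers it."""
    return {v: is_affected(v) for v in embedded_versions(blob)}


# Constructed sample data, not taken from real binaries.
SAMPLE_OLD = b"\x7fELF\x00junk\x00OpenSSL 0.9.6j 10 Apr 2003\x00more"
SAMPLE_NEW = b"\x7fELF\x00OpenSSL 0.9.7c 30 Sep 2003\x00"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for version, bad in audit(fh.read()).items():
                print(f"{path}: OpenSSL {version}: {'AFFECTED' if bad else 'ok'}")
```

Vendor packages can carry a backported fix under an unchanged upstream version string, so an "AFFECTED" result on a distribution-supplied library should be checked against the vendor's own advisory before it is treated as unpatched.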