[SECURITY-L] CAIS-Alerta: Multiple Vulnerabilities in OpenSSL (TA04-078A)
CSIRT - UNICAMP
security em unicamp.br
Sex Mar 19 15:08:16 -03 2004
----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----
From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta: Multiple Vulnerabilities in OpenSSL (TA04-078A)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Fri, 19 Mar 2004 10:37:46 -0300 (BRST)
-----BEGIN PGP SIGNED MESSAGE-----
Prezados,
Complementando as informacoes enviadas pelo CAIS, relacionadas com as
ultimas vulnerabilidades do OpenSSL, OpenSSL Project, "Null-pointer
assignment during SSL handshake" e "Out-of-bounds read affects Kerberos
ciphersuites", o CAIS está repassando o alerta divulgado pelo US-CERT,
intitulado "Multiple Vulnerabilities in OpenSSL".
Adicionalmente ao alerta enviado ontem, existem informacoes sobre uma
terceira vulnerabilidade que e' solucionada com as correcoes sugeridas.
Versoes do OpenSSL anteriores a 0.9.6d possuem uma condicao que se
explorada resulta em um loop infinito causando negacao de servico na
aplicacao atacada.
Maiores Informacoes:
. OpenSSL Security Advisory
http://www.openssl.org/news/secadv_20040317.txt
. Multiple Vulnerabilities in OpenSSL
http://www.us-cert.gov/cas/techalerts/TA04-078A.html
. Duas vulnerabilidades no OpenSSL
http://www.rnp.br/cais/alertas/2004/openssl20040318.html
. http://www.uniras.gov.uk/vuls/2004/224012/index.htm
Identificadores do CVE (http://cve.mitre.org):
. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081
O CAIS recomenda aos administradores manterem seus sistemas e aplicativos
sempre atualizados, de acordo com as ultimas versoes e correcoes
disponibilizadas pelos fabricantes.
Atenciosamente,
################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) #
# Rede Nacional de Ensino e Pesquisa (RNP) #
# #
# cais em cais.rnp.br http://www.cais.rnp.br #
# Tel. 019-37873300 Fax. 019-37873301 #
# Chave PGP disponivel http://www.rnp.br/cais/cais-pgp.key #
################################################################
Technical Cyber Security Alert TA04-078A
Multiple Vulnerabilities in OpenSSL
Original release date: March 18, 2004
Last revised: --
Source: US-CERT
Systems Affected
* Applications and systems that use the OpenSSL SSL/TLS library
Overview
Several vulnerabilities in the OpenSSL SSL/TLS library could allow an
unauthenticated, remote attacker to cause a denial of service.
I. Description
OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols and includes a general purpose cryptographic
library. SSL and TLS are commonly used to provide authentication,
encryption, integrity, and non-repudiation services to network
applications including HTTP, IMAP, POP3, SMTP, and LDAP. OpenSSL is
widely deployed across a variety of platforms and systems. In
particular, many routers and other types of networking equipment use
OpenSSL.
The U.K. National Infrastructure Security Co-ordination Centre (NISCC)
and the OpenSSL Project have reported three vulnerabilities in the
OpenSSL SSL/TLS library (libssl). Any application or system that uses
this library may be affected.
VU#288574 - OpenSSL contains null-pointer assignment in
do_change_cipher_spec() function
Versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and 0.9.7a to
0.9.7c inclusive contain a null-pointer assignment in the
do_change_cipher_spec() function. By performing a specially crafted
SSL/TLS handshake, an attacker could cause OpenSSL to crash, which
may result in a denial of service in the target application.
(Other resources: OpenSSL Security Advisory (1.), CAN-2004-0079,
NISCC/224012/OpenSSL/1)
VU#484726 - OpenSSL does not adequately validate length of Kerberos
tickets during SSL/TLS handshake
Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL do not adequately
validate the length of Kerberos tickets (RFC 2712) during an SSL/TLS
handshake. OpenSSL is not configured to use Kerberos by default. By
performing a specially crafted SSL/TLS handshake with an OpenSSL
system configured to use Kerberos, an attacker could cause OpenSSL
to crash, which may result in a denial of service in the target
application. OpenSSL 0.9.6 is not affected.
(Other resources: OpenSSL Security Advisory (2.), CAN-2004-0112,
NISCC/224012/OpenSSL/2)
VU#465542 - OpenSSL does not properly handle unknown message types
OpenSSL prior to version 0.9.6d does not properly handle unknown
SSL/TLS message types. An attacker could cause the application using
OpenSSL to enter an infinite loop, which may result in a denial of
service in the target application. OpenSSL 0.9.7 is not affected.
(Other resources: CAN-2004-0081, NISCC/224012/OpenSSL/3)
II. Impact
An unauthenticated, remote attacker could cause a denial of service in
any application or system that uses a vulnerable OpenSSL SSL/TLS
library.
III. Solution
Upgrade or Apply a patch from your vendor
Upgrade to OpenSSL 0.9.6m or 0.9.7d. Alternatively, upgrade or apply a
patch as specified by your vendor. Note that it is necessary to
recompile any applications that are statically linked to the OpenSSL
SSL/TLS library.
Appendix A. Vendor Information
Multiple vendors are affected by different combinations of these
vulnerabilities. For updated information, please see the Systems
Affected sections of VU#288574, VU#484726, and VU#465542.
Appendix B. References
* US-CERT Technical Cyber Security Alert TA04-078A -
<http://www.us-cert.gov/cas/techalerts/TA04-078A.html>
* Vulnerability Note VU#288574 -
<http://www.kb.cert.org/vuls/id/288574>
* Vulnerability Note VU#484726 -
<http://www.kb.cert.org/vuls/id/484726>
* Vulnerability Note VU#465542 -
<http://www.kb.cert.org/vuls/id/465542>
* OpenSSL Security Advisory [17 March 2004] -
<http://www.openssl.org/news/secadv_20040317.txt>
* NISCC Vulnerability Advisory 224012 -
<http://www.uniras.gov.uk/vuls/2004/224012/index.htm>
* RFC 2712 Addition of Kerberos Cipher Suites to Transport Layer
Security (TLS) - <http://www.ietf.org/rfc/rfc2712.txt>
_________________________________________________________________
These vulnerabilities were researched and reported by the OpenSSL
Project and the U.K. National Infrastructure Security Co-ordination
Centre (NISCC).
_________________________________________________________________
Feedback can be directed to the authors: Art Manion and Damon Morda.
_________________________________________________________________
Copyright 2004 Carnegie Mellon University. Terms of use.
Revision History
March 18, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBQFr3s+kli63F4U8VAQHiDAP+NEzureAe4Kzyszpd75+DVOAZ8l+fxVI9
udVlmIdiGzN8GaNYFdGdWg9Qres7oWTf32Ef1vl2PsuacWd7ilHNnJHxFFYvhgMJ
Flx+Ob4qcMWnEfgSNdtOhPrSL1zdRF5oG/CVl/ahW/QAXbbuTAV8f4Wk6XOKB+Bu
SA7ktDOPRpQ=
=r9db
-----END PGP SIGNATURE-----
----- End forwarded message -----
Mais detalhes sobre a lista de discussão SECURITY-L