<div dir="ltr"><br><div class="gmail_quote">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA512<br>
<br>
=============================================================================<br>
FreeBSD-SA-23:03.openssl Security Advisory<br>
The FreeBSD Project<br>
<br>
Topic: Multiple vulnerabilities in OpenSSL<br>
<br>
Category: contrib<br>
Module: openssl<br>
Announced: 2023-02-16<br>
Credits: See referenced OpenSSL advisory.<br>
Affects: All supported versions of FreeBSD.<br>
Corrected: 2023-02-07 22:38:40 UTC (stable/13, 13.1-STABLE)<br>
2023-02-16 17:58:13 UTC (releng/13.1, 13.1-RELEASE-p7)<br>
2023-02-07 23:09:41 UTC (stable/12, 12.4-STABLE)<br>
2023-02-16 18:04:12 UTC (releng/12.4, 12.4-RELEASE-p2)<br>
2023-02-16 18:03:37 UTC (releng/12.3, 12.3-RELEASE-p12)<br>
CVE Name: CVE-2023-0286, CVE-2023-0215, CVE-2022-4450, CVE-2022-4304<br>
<br>
For general information regarding FreeBSD Security Advisories,<br>
including descriptions of the fields above, security branches, and the<br>
following sections, please visit <URL:<a href="https://security.FreeBSD.org/" rel="noreferrer" target="_blank">https://security.FreeBSD.org/</a>>.<br>
<br>
I. Background<br>
<br>
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a<br>
collaborative effort to develop a robust, commercial-grade, full-featured<br>
Open Source toolkit for the Transport Layer Security (TLS) protocol. It is<br>
also a general-purpose cryptography library.<br>
<br>
II. Problem Description<br>
<br>
* X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)<br>
<br>
There is a type confusion vulnerability relating to X.400 address processing<br>
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but<br>
the public structure definition for GENERAL_NAME incorrectly specified the type<br>
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by<br>
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an<br>
ASN1_STRING.<br>
<br>
* Timing Oracle in RSA Decryption (CVE-2022-4304)<br>
<br>
A timing based side channel exists in the OpenSSL RSA Decryption<br>
implementation.<br>
<br>
* Use-after-free following BIO_new_NDEF (CVE-2023-0215)<br>
<br>
The public API function BIO_new_NDEF is a helper function used for streaming<br>
ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support<br>
the SMIME, CMS and PKCS7 streaming capabilities, but may also be called<br>
directly by end user applications.<br>
<br>
The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter<br>
BIO onto the front of it to form a BIO chain, and then returns the new head<br>
of the BIO chain to the caller. Under certain conditions, for example if a<br>
CMS recipient public key is invalid, the new filter BIO is freed and the<br>
function returns a NULL result indicating a failure. However, in this case,<br>
the BIO chain is not properly cleaned up and the BIO passed by the caller<br>
still retains internal pointers to the previously freed filter BIO.<br>
<br>
* Double free after calling PEM_read_bio_ex (CVE-2022-4450)<br>
<br>
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and<br>
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload<br>
data. If the function succeeds then the "name_out", "header" and "data"<br>
arguments are populated with pointers to buffers containing the relevant<br>
decoded data. The caller is responsible for freeing those buffers. It is<br>
possible to construct a PEM file that results in 0 bytes of payload data. In<br>
this case PEM_read_bio_ex() will return a failure code but will populate the<br>
header argument with a pointer to a buffer that has already been freed.<br>
<br>
III. Impact<br>
<br>
* X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)<br>
<br>
When CRL checking is enabled (i.e. the application sets the<br>
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass<br>
arbitrary pointers to a memcmp call, enabling them to read memory contents or<br>
enact a denial of service. In most cases, the attack requires the attacker to<br>
provide both the certificate chain and CRL, neither of which need to have a<br>
valid signature. If the attacker only controls one of these inputs, the other<br>
input must already contain an X.400 address as a CRL distribution point, which<br>
is uncommon. As such, this vulnerability is most likely to only affect<br>
applications which have implemented their own functionality for retrieving CRLs<br>
over a network.<br>
<br>
* Timing Oracle in RSA Decryption (CVE-2022-4304)<br>
<br>
A timing based side channel exists in the OpenSSL RSA Decryption implementation<br>
which could be sufficient to recover a plaintext across a network in a<br>
Bleichenbacher style attack. To achieve a successful decryption an attacker<br>
would have to be able to send a very large number of trial messages for<br>
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,<br>
RSA-OEAP and RSASVE.<br>
<br>
* Use-after-free following BIO_new_NDEF (CVE-2023-0215)<br>
<br>
A use-after-free will occur under certain conditions. This will most likely<br>
result in a crash.<br>
<br>
* Double free after calling PEM_read_bio_ex (CVE-2022-4450)<br>
<br>
A double free may occur. This will most likely lead to a crash. This could be<br>
exploited by an attacker who has the ability to supply malicious PEM files<br>
for parsing to achieve a denial of service attack.<br>
<br>
IV. Workaround<br>
<br>
No workaround is available.<br>
<br>
V. Solution<br>
<br>
Upgrade your vulnerable system to a supported FreeBSD stable or<br>
release / security branch (releng) dated after the correction date.<br>
<br>
Perform one of the following:<br>
<br>
1) To update your vulnerable system via a binary patch:<br>
<br>
Systems running a RELEASE version of FreeBSD on the amd64, i386, or<br>
(on FreeBSD 13 and later) arm64 platforms can be updated via the<br>
freebsd-update(8) utility:<br>
<br>
# freebsd-update fetch<br>
# freebsd-update install<br>
<br>
2) To update your vulnerable system via a source code patch:<br>
<br>
The following patches have been verified to apply to the applicable<br>
FreeBSD release branches.<br>
<br>
a) Download the relevant patch from the location below, and verify the<br>
detached PGP signature using your PGP utility.<br>
<br>
# fetch <a href="https://security.FreeBSD.org/patches/SA-23:03/openssl.patch" rel="noreferrer" target="_blank">https://security.FreeBSD.org/patches/SA-23:03/openssl.patch</a><br>
# fetch <a href="https://security.FreeBSD.org/patches/SA-23:03/openssl.patch.asc" rel="noreferrer" target="_blank">https://security.FreeBSD.org/patches/SA-23:03/openssl.patch.asc</a><br>
# gpg --verify openssl.patch.asc<br>
<br>
b) Apply the patch. Execute the following commands as root:<br>
<br>
# cd /usr/src<br>
# patch < /path/to/patch<br>
<br>
c) Recompile the operating system using buildworld and installworld as<br>
described in <URL:<a href="https://www.FreeBSD.org/handbook/makeworld.html" rel="noreferrer" target="_blank">https://www.FreeBSD.org/handbook/makeworld.html</a>>.<br>
<br>
Restart all daemons that use the library, or reboot the system.<br>
<br>
VI. Correction details<br>
<br>
This issue is corrected by the corresponding Git commit hash or Subversion<br>
revision number in the following stable and release branches:<br>
<br>
Branch/path Hash Revision<br>
- -------------------------------------------------------------------------<br>
stable/13/ 0904c29a0a11 stable/13-n254398<br>
releng/13.1/ e237b128e080 releng/13.1-n250181<br>
stable/12/ r372906<br>
releng/12.4/ r372939<br>
releng/12.3/ r372936<br>
- -------------------------------------------------------------------------<br>
<br>
For FreeBSD 13 and later:<br>
<br>
Run the following command to see which files were modified by a<br>
particular commit:<br>
<br>
# git show --stat <commit hash><br>
<br>
Or visit the following URL, replacing NNNNNN with the hash:<br>
<br>
<URL:<a href="https://cgit.freebsd.org/src/commit/?id=NNNNNN" rel="noreferrer" target="_blank">https://cgit.freebsd.org/src/commit/?id=NNNNNN</a>><br>
<br>
To determine the commit count in a working tree (for comparison against<br>
nNNNNNN in the table above), run:<br>
<br>
# git rev-list --count --first-parent HEAD<br>
<br>
For FreeBSD 12 and earlier:<br>
<br>
Run the following command to see which files were modified by a particular<br>
revision, replacing NNNNNN with the revision number:<br>
<br>
# svn diff -cNNNNNN --summarize svn://<a href="http://svn.freebsd.org/base" rel="noreferrer" target="_blank">svn.freebsd.org/base</a><br>
<br>
Or visit the following URL, replacing NNNNNN with the revision number:<br>
<br>
<URL:<a href="https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN" rel="noreferrer" target="_blank">https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN</a>><br>
<br>
VII. References<br>
<br>
<URL:<a href="https://www.openssl.org/news/secadv/20230207.txt" rel="noreferrer" target="_blank">https://www.openssl.org/news/secadv/20230207.txt</a>><br>
<URL:<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286" rel="noreferrer" target="_blank">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286</a>><br>
<URL:<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215" rel="noreferrer" target="_blank">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215</a>><br>
<URL:<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450" rel="noreferrer" target="_blank">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450</a>><br>
<URL:<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304" rel="noreferrer" target="_blank">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304</a>><br>
<br>
For general information regarding FreeBSD Security Advisories,<br>
including descriptions of the fields above, security branches, and the<br>
following sections, please visit <URL:<a href="https://security.FreeBSD.org/" rel="noreferrer" target="_blank">https://security.FreeBSD.org/</a>>.<br>
<br>
The latest revision of this advisory is available at<br>
<URL:<a href="https://security.FreeBSD.org/advisories/FreeBSD-SA-23:03.openssl.asc" rel="noreferrer" target="_blank">https://security.FreeBSD.org/advisories/FreeBSD-SA-23:03.openssl.asc</a>><br>
-----BEGIN PGP SIGNATURE-----<br>
<br>
iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmPucZwACgkQbljekB8A<br>
Gu9HjQ//Re9YWzj2N2OaIbEljpogMIUxDzltPdCk+v6SODdiMh2ZesKojEHv9u3G<br>
3pFkJxzvqPX1BID8S7arZHnHUTeDKGq+eJef+q6gVmSA7F92l9eAK9UhTgeV5CDT<br>
VzFijM225KzFWA6VeD5pUtnCxze+Cor1y/XHAFPU1Ld5O+Tiem+vpN3OQt/hRlxI<br>
3YC2zOKbpZiXX0vAiSsJw4r31yLqbY97Lmu3ccEAnKSNagkuFzuXyCSHroOPrIuB<br>
zvNmFK6Brv6hnG+yucqdGi2g21oIW2i/UhObohCcxnUXBIa6xAbVVoiEy+fmutXx<br>
T0JAOR75GqMuBUv4B4OT32cVkhZZJqWzSmeDed28cr5J3fWov+z7iePTezcFVMKj<br>
gY3G5Awm41Qg6zjVqxZdj5n56yFSUgD63ZN0MKBPy8VDgSOv9vQzVR12/XyGOQrv<br>
LnMtwtiI1qAoLiHXBLhrUOqrYw/WABHGNJVIVer4dzZCXw3VUqqxluqsUw0r5h9A<br>
J9Ox1zcTV3N6wTHeVwUsScwjANg5dfQ2xnDZHWsPwPJuyCCiDXx8X7D13ACkHYVS<br>
3MqvRC4+wZTNttp3jH1JINe0CE7Z/euLDtPUdM3/xD/+mtO9g9ADg+GHkF5Tief2<br>
i+AAWY/igHC1jQiXvmdFHf3IddxLoyhJAL5MiPxyTwAErR/8Xwc=<br>
=G1z4<br>
-----END PGP SIGNATURE-----</div><div class="gmail_quote"><br></div><div class="gmail_quote"><br></div><div class="gmail_quote"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div></div>
</div></div>