CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS Implementations

From: CERT Advisory (cert-advisory_at_cert.org)
Date: 10/02/03

    Date: Wed, 1 Oct 2003 19:29:35 -0400
    To: cert-advisory@cert.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----

    CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS
    Implementations

       Original issue date: October 1, 2003
       Last revised: --
       Source: CERT/CC

       A complete revision history is at the end of this file.

    Systems Affected

         * OpenSSL versions prior to 0.9.7c and 0.9.6k
         * Multiple SSL/TLS implementations
         * SSLeay library

    Overview

       There are multiple vulnerabilities in different implementations of the
       Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
       protocols. These vulnerabilities occur primarily in Abstract Syntax
       Notation One (ASN.1) parsing code. The most serious vulnerabilities
       may allow a remote attacker to execute arbitrary code. The common
       impact is denial of service.

    I. Description

       SSL and TLS are used to provide authentication, encryption, and
       integrity services to higher-level network applications such as HTTP.
       Cryptographic elements used by the protocols, such as X.509
       certificates, are represented as ASN.1 objects. In order to encode and
       decode these objects, many SSL and TLS implementations (and
       cryptographic libraries) include ASN.1 parsers.

       OpenSSL is a widely-deployed open source implementation of the SSL and
       TLS protocols. OpenSSL also provides a general-purpose cryptographic
       library that includes an ASN.1 parser.

       The U.K. National Infrastructure Security Co-ordination Centre (NISCC)
       has developed a test suite to analyze the way SSL and TLS
       implementations handle exceptional ASN.1 objects contained in client
       and server certificate messages. Although the test suite focuses on
       certificate messages, any untrusted ASN.1 element may be used as an
       attack vector. An advisory from OpenSSL describes as vulnerable "Any
       application that makes use of OpenSSL's ASN1 library to parse
       untrusted data. This includes all SSL or TLS applications, those using
       S/MIME (PKCS#7) or certificate generation routines."

       There are two certificate message attack vectors. An attacker can send
       crafted client certificate messages to a server, or attempt to cause a
       client to connect to a server under the attacker's control. When the
       client connects, the attacker can deliver a crafted server certificate
       message. Note that the standards for TLS (RFC 2246) and SSL 3.0 state
       that a client certificate message "...is only sent if the server
       requests a certificate." To reduce exposure to these types of attacks,
       an SSL/TLS server should ignore unsolicited client certificate
       messages (VU#732952).
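
       The recommendation above, as an added C sketch that is not code from
       OpenSSL or from CERT/CC: a server-side handshake gate that checks each
       client message type against the handshake state before the body reaches
       the certificate parser. All names are hypothetical, and treating the
       unsolicited message as a protocol error is an assumption about how to
       "ignore" it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL code. Message types: RFC 2246, section 7.4. */
enum { HS_CLIENT_HELLO = 1, HS_CERTIFICATE = 11, HS_CERTIFICATE_VERIFY = 15,
       HS_CLIENT_KEY_EXCHANGE = 16, HS_FINISHED = 20 };
typedef enum { ST_WAIT_HELLO, ST_WAIT_CERT, ST_WAIT_KEX, ST_WAIT_VERIFY,
               ST_WAIT_FINISHED, ST_DONE, ST_FAILED } srv_state;

typedef struct {
    srv_state st;
    int cert_requested;  /* 1 only if this server sent CertificateRequest */
    int cert_parsed;     /* bodies handed to the certificate (ASN.1) parser */
} srv_conn;

/* Hypothetical stand-in for the X.509/ASN.1 decoding path. */
static void parse_client_certificate(srv_conn *c) { c->cert_parsed++; }

/* Check each client handshake message against the state before its body is
 * decoded. Returns 1 if accepted, 0 if rejected as unexpected. */
int srv_on_client_msg(srv_conn *c, uint8_t type)
{
    switch (c->st) {
    case ST_WAIT_HELLO:      /* next: Certificate only if one was requested */
        if (type != HS_CLIENT_HELLO) break;
        c->st = c->cert_requested ? ST_WAIT_CERT : ST_WAIT_KEX;
        return 1;
    case ST_WAIT_CERT:
        if (type != HS_CERTIFICATE) break;
        parse_client_certificate(c);
        c->st = ST_WAIT_KEX;
        return 1;
    case ST_WAIT_KEX:        /* an unsolicited Certificate is rejected here */
        if (type != HS_CLIENT_KEY_EXCHANGE) break;
        c->st = c->cert_parsed ? ST_WAIT_VERIFY : ST_WAIT_FINISHED;
        return 1;
    case ST_WAIT_VERIFY:     /* CertificateVerify is not sent for every cert */
        if (type == HS_CERTIFICATE_VERIFY) { c->st = ST_WAIT_FINISHED; return 1; }
        /* fall through */
    case ST_WAIT_FINISHED:
        if (type != HS_FINISHED) break;
        c->st = ST_DONE;
        return 1;
    default: break;
    }
    c->st = ST_FAILED;
    return 0;
}

/* Feed message types to a fresh connection and return its final state. */
srv_conn srv_replay(int cert_requested, const uint8_t *types, size_t n)
{
    srv_conn c = { ST_WAIT_HELLO, cert_requested, 0 };
    for (size_t i = 0; i < n && srv_on_client_msg(&c, types[i]); i++) { }
    return c;
}

int main(void)
{
    static const uint8_t unsolicited[] = { 1, 11, 16, 20 };  /* constructed */
    srv_conn r = srv_replay(0, unsolicited, sizeof unsolicited);
    return printf("state=%d parsed=%d\n", (int)r.st, r.cert_parsed) < 0;
}
```

       ChangeCipherSpec is left out of the model because it is a separate
       record type, not a handshake message.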

       NISCC has published two advisories describing vulnerabilities in
       OpenSSL (006489/OpenSSL) and other SSL/TLS implementations
       (006489/TLS). The second advisory covers multiple vulnerabilities in
       many vendors' products. Further details, including vendor status
       information, are available in the following vulnerability notes.

        VU#935264 - OpenSSL ASN.1 parser insecure memory deallocation
        A vulnerability in the way OpenSSL deallocates memory used to store
        ASN.1 structures could allow a remote attacker to execute arbitrary
        code with the privileges of the process using the OpenSSL library.
        (Other resources: NISCC/006490/OpenSSL/3, OpenSSL #1, CAN-2003-0545)

        VU#255484 - OpenSSL contains integer overflow handling ASN.1 tags (1)
        An integer overflow vulnerability in the way OpenSSL handles ASN.1
        tags could allow a remote attacker to cause a denial of service.
        (Other resources: NISCC/006490/OpenSSL/1, OpenSSL #2, CAN-2003-0543)

        VU#380864 - OpenSSL contains integer overflow handling ASN.1 tags (2)
        A second integer overflow vulnerability in the way OpenSSL handles
        ASN.1 tags could allow a remote attacker to cause a denial of service.
        (Other resources: NISCC/006490/OpenSSL/1, OpenSSL #2, CAN-2003-0544)

        VU#686224 - OpenSSL does not securely handle invalid public key when
        configured to ignore errors
        A vulnerability in the way OpenSSL handles invalid public keys in
        client certificate messages could allow a remote attacker to cause a
        denial of service. This vulnerability requires as a precondition that
        an application is configured to ignore public key decoding errors,
        which is not typically the case on production systems.
        (Other resources: NISCC/006490/OpenSSL/2, OpenSSL #3)

        VU#732952 - OpenSSL accepts unsolicited client certificate messages
        OpenSSL accepts unsolicited client certificate messages. This could
        allow an attacker to exploit underlying flaws in client certificate
        handling, such as the vulnerabilities listed above.
        (Other resources: OpenSSL #4)

        VU#104280 - Multiple vulnerabilities in SSL/TLS implementations
        Multiple vulnerabilities exist in different vendors' SSL/TLS
        implementations. The impacts of these vulnerabilities include remote
        execution of arbitrary code, denial of service, and disclosure of
        sensitive information. VU#104280 covers an undefined set of
        vulnerabilities that affect SSL/TLS implementations from many
        different vendors.
        (Other resources: NISCC/006490/TLS)
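
       VU#255484 and VU#380864 above concern integer arithmetic on ASN.1 tag
       fields taken from untrusted input. As an added illustration, not code
       from OpenSSL or from this advisory and not a reproduction of those
       defects, the following C decoder reads one BER/DER identifier-and-length
       header with every accumulation and length claim checked; asn1_hdr and
       asn1_read_header are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL code: one decoded identifier + length header. */
typedef struct {
    unsigned cls;        /* 0 universal, 1 application, 2 context, 3 private */
    int constructed;     /* constructed bit of the identifier octet */
    uint32_t tag;        /* tag number */
    size_t hdr_len;      /* identifier + length octets consumed */
    size_t len;          /* number of contents octets that follow */
} asn1_hdr;

enum { ASN1_OK = 0, ASN1_TRUNCATED = -1, ASN1_TAG_OVERFLOW = -2,
       ASN1_INDEFINITE = -3, ASN1_LEN_OVERFLOW = -4, ASN1_LEN_PAST_END = -5 };

/* Decode one header from buf[0..buflen). Each read is bounds-checked and each
 * accumulator is tested before the shift that could wrap it. */
int asn1_read_header(const uint8_t *buf, size_t buflen, asn1_hdr *out)
{
    size_t i = 1, len = 0;
    uint8_t b;
    if (buflen < 2) return ASN1_TRUNCATED;
    out->cls = buf[0] >> 6;
    out->constructed = (buf[0] >> 5) & 1;
    out->tag = buf[0] & 0x1f;
    if (out->tag == 0x1f) {                  /* high-tag-number form */
        uint32_t t = 0;
        do {
            if (i >= buflen) return ASN1_TRUNCATED;
            if (t > (UINT32_MAX >> 7)) return ASN1_TAG_OVERFLOW;
            b = buf[i++];
            t = (t << 7) | (b & 0x7f);
        } while (b & 0x80);
        out->tag = t;
    }

    if (i >= buflen) return ASN1_TRUNCATED;
    b = buf[i++];
    if (b < 0x80) {
        len = b;                             /* short form */
    } else {
        size_t n = b & 0x7f;                 /* count of length octets */
        if (n == 0) return ASN1_INDEFINITE;  /* not permitted in DER */
        if (n > buflen - i) return ASN1_TRUNCATED;
        while (n--) {
            if (len > (SIZE_MAX >> 8)) return ASN1_LEN_OVERFLOW;
            len = (len << 8) | buf[i++];
        }
    }
    if (len > buflen - i) return ASN1_LEN_PAST_END;  /* claim exceeds input */
    out->hdr_len = i;
    out->len = len;
    return ASN1_OK;
}

int main(void)
{
    /* Constructed input: tag number too large for 32 bits. */
    static const uint8_t big_tag[] = { 0x1f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00 };
    asn1_hdr h;
    return printf("big_tag -> %d\n", asn1_read_header(big_tag, sizeof big_tag, &h)) < 0;
}
```

       When decoding a nested element, pass the remaining length of the
       enclosing element as buflen so that an inner length cannot reach past
       its parent.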

    II. Impact

       The impacts of these vulnerabilities vary. In almost all, a remote
       attacker could cause a denial of service. For at least one
       vulnerability in OpenSSL (VU#935264), a remote attacker may be able to
       execute arbitrary code. Please see Appendix A, the Systems Affected
       section of VU#104280, and the OpenSSL vulnerability notes for details.

    III. Solution

    Upgrade or apply a patch

       To resolve the OpenSSL vulnerabilities, upgrade to OpenSSL 0.9.7c or
       OpenSSL 0.9.6k. Alternatively, upgrade or apply a patch as directed by
       your vendor. Recompile any applications that are statically linked to
       OpenSSL libraries.

       For solutions for the other SSL/TLS vulnerabilities covered by
       VU#104280, please see Appendix A and the Systems Affected section of
       VU#104280.

    Appendix A. Vendor Information

       This appendix contains information provided by vendors. When vendors
       report new information, this section is updated, and the changes are
       noted in the revision history. If a vendor is not listed below, we
       have not received their authenticated, direct statement. Further
       vendor information is available in the Systems Affected sections of
       the vulnerability notes listed above.

    AppGate Network Security AB

         The default configuration of AppGate is not vulnerable. However
         some extra functionality which administrators can enable manually
         may cause the system to become vulnerable. For more details check
         the AppGate support pages at http://www.appgate.com/support.

    Apple Computer Inc.

         Apple: Vulnerable. This is fixed in Mac OS X 10.2.8 which is
         available from http://www.apple.com/support/

    Clavister

         Clavister Firewall: Not vulnerable
         As of version 8.3, Clavister Firewall implements an optional HTTP/S
         server for purposes of user authentication. However, since this
         implementation does not support client certificates and has no
         ASN.1 parser code, there can be no ASN.1-related vulnerabilities as
         far as SSL is concerned.

         Earlier versions of Clavister Firewall do not implement any SSL
         services.

    Cray Inc.

         Cray Inc. supports OpenSSL through its Cray Open Software (COS)
         package. The OpenSSL version in COS 3.4 and earlier is vulnerable.
         Spr 726919 has been opened to address this.

    F5 Networks

         F5 products BIG-IP, 3-DNS, ISMan and Firepass are vulnerable. F5
         will have ready security patches for each of these products. Go to
         ask.f5.com for the appropriate security response instructions for
         your product.

    Hitachi

         Hitachi Web Server is NOT Vulnerable to this issue.

    IBM

         [AIX]
         The AIX Security Team is aware of the issues discussed in CERT
         Vulnerability Notes VU#255484, VU#380864, VU#686224, VU#935264 and
         VU#732952.

         OpenSSL is available for AIX via the AIX Toolbox for Linux. Please
         note that the Toolbox is made available "as-is" and is unwarranted.
         The Toolbox ships with OpenSSL 0.9.6g which is vulnerable to the
         issues referenced above. A patched version of OpenSSL will be
         provided shortly and this vendor statement will be updated at that
         time.

         Please note that OpenSSH, which is made available through the
         Expansion Pack, is not vulnerable to these issues.

         [eServer]
         IBM eServer Platform Response
         For information related to this and other published CERT Advisories
         that may relate to the IBM eServer Platforms (xSeries, iSeries,
         pSeries, and zSeries) please go to
         https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=

         In order to access this information you will require a Resource
         Link ID. To subscribe to Resource Link go to
         http://app-06.www.ibm.com/servers/resourcelink and follow the steps
         for registration.

         All questions should be referred to servsec@us.ibm.com.

    Ingrian Networks

         Ingrian Networks is aware of this vulnerability and will issue a
         security advisory when our investigation is complete.

    Juniper Networks

         The OpenSSL code included in domestic versions of JUNOS Internet
         Software that runs on all M-series and T-series routers is
         susceptible to these vulnerabilities. The SSL library included in
         Releases 2.x and 3.x of SDX provisioning software for E-series
         routers is susceptible to these vulnerabilities.

         Solution Implementation
         Corrections for all the above vulnerabilities are included in all
         versions of JUNOS built on or after October 2, 2003. Customers
         should contact Juniper Networks Technical Assistance Center (JTAC)
         for instructions on obtaining and installing the corrected code.
         SDX software built on or after October 2, 2003, contains SSL
         libraries with corrected code. Contact JTAC for instructions on
         obtaining and installing the corrected code.

    MandrakeSoft

         The vulnerabilities referenced by VU#255484, VU#380864, and
         VU#935264 have been corrected by packages released in our
         MDKSA-2003:098 advisory.

    NEC Corporation

         Subject: VU#104280
         sent on October 1, 2003

         [Server Products]
         * EWS/UP 48 Series operating system
           - is NOT vulnerable.
           It doesn't include SSL/TLS implementation.

    Novell

         Novell is reviewing our application portfolio to identify products
         affected by the vulnerabilities reported by the NISCC. We have the
         patched OpenSSL code and are reviewing and testing it internally,
         and preparing patches for our products that are affected. We expect
         the first patches to become available via our Security Alerts web
         site (http://support.novell.com/security-alerts) during the week of
         6 Oct 2003. Customers are urged to monitor our web site for patches
         to versions of our products that they use and apply them
         expeditiously.

    OpenSSL

         Please see OpenSSL Security Advisory [30 September 2003].

    Openwall GNU/*/Linux

         Openwall GNU/*/Linux currently uses OpenSSL 0.9.6 branch and thus
         was affected by the ASN.1 parsing and client certificate handling
         vulnerabilities pertaining to those versions of OpenSSL. It was not
         affected by the potentially more serious incorrect memory
         deallocation vulnerability (VU#935264, CVE CAN-2003-0545) that is
         specific to OpenSSL 0.9.7.

         Owl-current as of 2003/10/01 has been updated to OpenSSL 0.9.6k,
         thus correcting the vulnerabilities.

    Red Hat

         Red Hat distributes OpenSSL 0.9.6 in various Red Hat Linux
         distributions and with the Stronghold secure web server. Updated
         packages which contain backported patches for these issues are
         available along with our advisories at the URL below. Users of the
         Red Hat Network can update their systems using the 'up2date' tool.

         Red Hat Enterprise Linux:
         http://rhn.redhat.com/errata/RHSA-2003-293.html

         Red Hat Linux 7.1, 7.2, 7.3, 8.0:
         http://rhn.redhat.com/errata/RHSA-2003-291.html

         Stronghold 4 cross-platform:
         http://rhn.redhat.com/errata/RHSA-2003-290.html

         Red Hat distributes OpenSSL 0.9.7 in Red Hat Linux 9. Updated
         packages which contain backported patches for these issues are
         available along with our advisory at the URL below. Users of the
         Red Hat Network can update their systems using the 'up2date' tool.

         Red Hat Linux 9:
         http://rhn.redhat.com/errata/RHSA-2003-292.html

    Riverstone Networks

         Riverstone Networks routers are not vulnerable.

    SCO

         We are aware of the issue and are diligently working on a fix.

    SGI

         SGI acknowledges receiving the vulnerabilities reported by CERT and
         NISCC. CAN-2003-0543 [VU#255484], CAN-2003-0544 [VU#380864] and
         CAN-2003-0545 [VU#935264] have been addressed by SGI Security
         Advisory 20030904-01-P:

         ftp://patches.sgi.com/support/free/security/advisories/20030904-01-P.asc

         No further information is available at this time.

         For the protection of all our customers, SGI does not disclose,
         discuss or confirm vulnerabilities until a full investigation has
         occurred and any necessary patch(es) or release streams are
         available for all vulnerable and supported SGI operating systems.
         Until SGI has more definitive information to provide, customers are
         encouraged to assume all security vulnerabilities as exploitable
         and take appropriate steps according to local site security
         policies and requirements. As further information becomes
         available, additional advisories will be issued via the normal SGI
         security information distribution methods including the wiretap
         mailing list on http://www.sgi.com/support/security/

    Stonesoft

         Stonesoft has published a security advisory that addresses the
         issues in vulnerability notes VU#255484 and VU#104280. The advisory
         is at http://www.stonesoft.com/document/art/3040.html

    Stunnel

         Stunnel requires the OpenSSL libraries for compilation (POSIX) or
         OpenSSL DLLs for runtime operation (Windows). While Stunnel itself
         is not vulnerable, its dependence on OpenSSL means that your
         installation likely is vulnerable.

         If you compile from source, you need to install a non-vulnerable
         version of OpenSSL and recompile Stunnel.

         If you use the compiled Windows DLLs from stunnel.org, you should
         download new versions which are not vulnerable. OpenSSL 0.9.7c DLLs
         are available at
         http://www.stunnel.org/download/stunnel/win32/openssl-0.9.7c/

         No new version of Stunnel source or executable will be made
         available, because the problems are inside OpenSSL -- Stunnel
         itself does not have the vulnerability.

    SuSE

         All SuSE products are affected. Update packages are being tested
         and will be published on Wednesday, October 1st.

    VanDyke

         None of the VanDyke Software products are subject to these
         vulnerabilities due to the fact that OpenSSL is not used in any
         VanDyke products.

    Appendix B. References

         * CERT/CC Vulnerability Note VU#935264 -
           <http://www.kb.cert.org/vuls/id/935264>
         * CERT/CC Vulnerability Note VU#255484 -
           <http://www.kb.cert.org/vuls/id/255484>
         * CERT/CC Vulnerability Note VU#380864 -
           <http://www.kb.cert.org/vuls/id/380864>
         * CERT/CC Vulnerability Note VU#686224 -
           <http://www.kb.cert.org/vuls/id/686224>
         * CERT/CC Vulnerability Note VU#732952 -
           <http://www.kb.cert.org/vuls/id/732952>
         * CERT/CC Vulnerability Note VU#104280 -
           <http://www.kb.cert.org/vuls/id/104280>
         * OpenSSL Security Advisory [30 September 2003] -
           <http://www.openssl.org/news/secadv_20030930.txt>
         * NISCC Vulnerability Advisory 006489/OpenSSL -
           <http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm>
         * NISCC Vulnerability Advisory 006489/TLS -
           <http://www.uniras.gov.uk/vuls/2003/006489/tls.htm>
         * ITU ASN.1 documentation -
           <http://www.itu.int/ITU-T/studygroups/com10/languages/>

         _________________________________________________________________

       NISCC discovered and researched these vulnerabilities; this document
       is based on their work. We would like to thank Stephen Henson of the
       OpenSSL project and the Oulu University Secure Programming Group
       (OUSPG) for their previous work in this area.
         _________________________________________________________________

       Feedback can be directed to the author, Art Manion.
       ______________________________________________________________________

       This document is available from:
       http://www.cert.org/advisories/CA-2003-26.html
       ______________________________________________________________________

    CERT/CC Contact Information

       Email: cert@cert.org
       Phone: +1 412-268-7090 (24-hour hotline)
       Fax: +1 412-268-6989
       Postal address:
              CERT Coordination Center
              Software Engineering Institute
              Carnegie Mellon University
              Pittsburgh PA 15213-3890
              U.S.A.

       CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
       EDT(GMT-4) Monday through Friday; they are on call for emergencies
       during other hours, on U.S. holidays, and on weekends.

    Using encryption

       We strongly urge you to encrypt sensitive information sent by email.
       Our public PGP key is available from

         http://www.cert.org/CERT_PGP.key

       If you prefer to use DES, please call the CERT hotline for more
       information.

    Getting security information

       CERT publications and other security information are available from
       our web site

         http://www.cert.org/

       To subscribe to the CERT mailing list for advisories and bulletins,
       send email to majordomo@cert.org. Please include in the body of your
       message

       subscribe cert-advisory

       * "CERT" and "CERT Coordination Center" are registered in the U.S.
       Patent and Trademark Office.
       ______________________________________________________________________

       NO WARRANTY
       Any material furnished by Carnegie Mellon University and the Software
       Engineering Institute is furnished on an "as is" basis. Carnegie
       Mellon University makes no warranties of any kind, either expressed or
       implied as to any matter including, but not limited to, warranty of
       fitness for a particular purpose or merchantability, exclusivity or
       results obtained from use of the material. Carnegie Mellon University
       does not make any warranty of any kind with respect to freedom from
       patent, trademark, or copyright infringement.
       ______________________________________________________________________

       Conditions for use, disclaimers, and sponsorship information

       Copyright 2003 Carnegie Mellon University.

       Revision History

       October 1, 2003: Initial release

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQCVAwUBP3thtTpmH2w9K/0VAQGzWAP9EpSwNUVNzSsGJjCLIX4jAKdGizhNEA/f
    ZED6pvYreSwcry5SLvBMsn9vfftOdcIM1T9iPmWNm5KxQ1EsnlkojkMHdfPON56o
    WpwwnLo89TxhNWgd7ThYbqXbIIPzfi0g6FM3lW4OVKEX/itscX83WPoUHp9OYBb9
    pFFrq38EPjE=
    =NRed
    -----END PGP SIGNATURE-----

