CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS Implementations
From: CERT Advisory (cert-advisory_at_cert.org)
Date: Wed, 1 Oct 2003 19:29:35 -0400 To: email@example.com
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS
Original issue date: October 1, 2003
Last revised: --
A complete revision history is at the end of this file.
* OpenSSL versions prior to 0.9.7c and 0.9.6k
* Multiple SSL/TLS implementations
* SSLeay library
There are multiple vulnerabilities in different implementations of the
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
protocols. These vulnerabilities occur primarily in Abstract Syntax
Notation One (ASN.1) parsing code. The most serious vulnerabilities
may allow a remote attacker to execute arbitrary code. The common
impact is denial of service.
SSL and TLS are used to provide authentication, encryption, and
integrity services to higher-level network applications such as HTTP.
Cryptographic elements used by the protocols, such as X.509
certificates, are represented as ASN.1 objects. In order to encode and
decode these objects, many SSL and TLS implementations (and
cryptographic libraries) include ASN.1 parsers.
OpenSSL is a widely-deployed open source implementation of the SSL and
TLS protocols. OpenSSL also provides a general-purpose cryptographic
library that includes an ASN.1 parser.
The U.K. National Infrastructure Security Co-ordination Centre (NISCC)
has developed a test suite to analyze the way SSL and TLS
implementations handle exceptional ASN.1 objects contained in client
and server certificate messages. Although the test suite focuses on
certificate messages, any untrusted ASN.1 element may be used as an
attack vector. An advisory from OpenSSL describes as vulnerable "Any
application that makes use of OpenSSL's ASN1 library to parse
untrusted data. This includes all SSL or TLS applications, those using
S/MIME (PKCS#7) or certificate generation routines."
There are two certificate message attack vectors. An attacker can send
crafted client certificate messages to a server, or attempt to cause a
client to connect to a server under the attacker's control. When the
client connects, the attacker can deliver a crafted server certificate
message. Note that the standards for TLS (RFC 2246) and SSL 3.0 state
that a client certificate message "...is only sent if the server
requests a certificate." To reduce exposure to these types of attacks,
an SSL/TLS server should ignore unsolicited client certificate
NISCC has published two advisories describing vulnerabilities in
OpenSSL (006489/OpenSSL) and other SSL/TLS implementations
(006489/TLS). The second advisory covers multiple vulnerabilities in
many vendors' products. Further details, including vendor status
information, are available in the following vulnerability notes.
VU#935264 - OpenSSL ASN.1 parser insecure memory deallocation
A vulnerability in the way OpenSSL deallocates memory used to store
ASN.1 structures could allow a remote attacker to execute arbitrary
code with the privileges of the process using the OpenSSL library.
(Other resources: NISCC/006490/OpenSSL/3, OpenSSL #1, CAN-2003-0545)
VU#255484 - OpenSSL contains integer overflow handling ASN.1 tags (1)
An integer overflow vulnerability in the way OpenSSL handles ASN.1
tags could allow a remote attacker to cause a denial of service.
(Other resources: NISCC/006490/OpenSSL/1, OpenSSL #2, CAN-2003-0543)
VU#380864 - OpenSSL contains integer overflow handling ASN.1 tags (2)
A second integer overflow vulnerability in the way OpenSSL handles
ASN.1 tags could allow a remote attacker to cause a denial of service.
(Other resources: NISCC/006490/OpenSSL/1, OpenSSL #2, CAN-2003-0544)
VU#686224 - OpenSSL does not securely handle invalid public key when
configured to ignore errors
A vulnerability in the way OpenSSL handles invalid public keys in
client certificate messages could allow a remote attacker to cause a
denial of service. This vulnerability requires as a precondition that
an application is configured to ignore public key decoding errors,
which is not typically the case on production systems.
(Other resources: NISCC/006490/OpenSSL/2, OpenSSL #3)
VU#732952 - OpenSSL accepts unsolicited client certificate messages
OpenSSL accepts unsolicited client certificate messages. This could
allow an attacker to exploit underlying flaws in client certificate
handling, such as the vulnerabilities listed above.
(Other resources: OpenSSL #4)
VU#104280 - Multiple vulnerabilities in SSL/TLS implementations
Multiple vulnerabilities exist in different vendors' SSL/TLS
implementations. The impacts of these vulnerabilities include remote
execution of arbitrary code, denial of service, and disclosure of
sensitive information. VU#104280 covers an undefined set of
vulnerabilities that affect SSL/TLS implementations from many
(Other resources: NISCC/006490/TLS)
The impacts of these vulnerabilities vary. In almost all, a remote
attacker could cause a denial of service. For at least one
vulnerability in OpenSSL (VU#935264), a remote attacker may be able to
execute arbitrary code. Please see Appendix A, the Systems Affected
section of VU#104280, and the OpenSSL vulnerability notes for details.
Upgrade or apply a patch
To resolve the OpenSSL vulnerabilities, upgrade to OpenSSL 0.9.7c or
OpenSSL 0.9.6k. Alternatively, upgrade or apply a patch as directed by
your vendor. Recompile any applications that are statically linked to
For solutions for the other SSL/TLS vulnerabilities covered by
VU#104280, please see Appendix A and the Systems Affected section of
Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors
report new information, this section is updated, and the changes are
noted in the revision history. If a vendor is not listed below, we
have not received their authenticated, direct statement. Further
vendor information is available in the Systems Affected sections of
the vulnerability notes listed above.
AppGate Network Security AB
The default configuration of AppGate is not vulnerable. However
some extra functionality which administrators can enable manually
may cause the system to become vulnerable. For more details check
the AppGate support pages at http://www.appgate.com/support.
Apple Computer Inc.
Apple: Vulnerable. This is fixed in Mac OS X 10.2.8 which is
available from http://www.apple.com/support/
Clavister Firewall: Not vulnerable
As of version 8.3, Clavister Firewall implements an optional HTTP/S
server for purposes of user authentication. However, since this
implementation does not support client certificates and has no
ASN.1 parser code, there can be no ASN.1-related vulnerabilities as
far as SSL is concerned.
Earlier versions of Clavister Firewall do not implement any SSL
Cray Inc. supports OpenSSL through its Cray Open Software (COS)
package. The OpenSSL version in COS 3.4 and earlier is vulnerable.
Spr 726919 has been opened to address this.
F5 products BIG-IP, 3-DNS, ISMan and Firepass are vulnerable. F5
will have ready security patches for each of these products. Go to
ask.f5.com for the appropriate security response instructions for
Hitachi Web Server is NOT Vulnerable to this issue.
The AIX Security Team is aware of the issues discussed in CERT
Vulnerability Notes VU#255484, VU#380864, VU#686224, VU#935264 and
OpenSSL is available for AIX via the AIX Toolbox for Linux. Please
note that the Toolbox is made available "as-is" and is unwarranted.
The Toolbox ships with OpenSSL 0.9.6g which is vulnerable to the
issues referenced above. A patched version of OpenSSL will be
provided shortly and this vendor statement will be updated at that
Please note that OpenSSH, which is made available through the
Expansion Pack is not vulnerable to these issues.
IBM eServer Platform Response
For information related to this and other published CERT Advisories
that may relate to the IBM eServer Platforms (xSeries, iSeries,
pSeries, and zSeries) please go to
In order to access this information you will require a Resource
Link ID. To subscribe to Resource Link go to
http://app-06.www.ibm.com/servers/resourcelink and follow the steps
All questions should be refered to firstname.lastname@example.org.
Ingrian Networks is aware of this vulnerablity and will issue a
security advisory when our investigation is complete.
The OpenSSL code included in domestic versions of JUNOS Internet
Software that runs on all M-series and T-series routers is
susceptible to these vulnerabilities. The SSL library included in
Releases 2.x and 3.x of SDX provisioning software for E-series
routers is susceptible to these vulnerabilities.
Corrections for all the above vulnerabilities are included in all
versions of JUNOS built on or after October 2, 2003. Customers
should contact Juniper Networks Technical Assistance Center (JTAC)
for instructions on obtaining and installing the corrected code.
SDX software built on or after October 2, 2003, contain SSL
libraries with corrected code. Contact JTAC for instructions on
obtaining and installing the corrected code.
The vulnerabilities referenced by VU#255484, VU#380864, and
VU#935264 have been corrected by packages released in our
sent on October 1, 2003
* EWS/UP 48 Series operating system
- is NOT vulnerable.
It doesn't include SSL/TLS implementation.
Novell is reviewing our application portfolio to identify products
affected by the vulnerabilities reported by the NISCC. We have the
patched OpenSSL code and are reviewing and testing it internally,
and preparing patches for our products that are affected. We expect
the first patches to become available via our Security Alerts web
site (http://support.novell.com/security-alerts) during the week of
6 Oct 2003. Customers are urged to monitor our web site for patches
to versions of our products that they use and apply them
Please see OpenSSL Security Advisory [30 September 2003].
Openwall GNU/*/Linux currently uses OpenSSL 0.9.6 branch and thus
was affected by the ASN.1 parsing and client certificate handling
vulnerabilities pertaining to those versions of OpenSSL. It was not
affected by the potentially more serious incorrect memory
deallocation vulnerability (VU#935264, CVE CAN-2003-0545) that is
specific to OpenSSL 0.9.7.
Owl-current as of 2003/10/01 has been updated to OpenSSL 0.9.6k,
thus correcting the vulnerabilities.
Red Hat distributes OpenSSL 0.9.6 in various Red Hat Linux
distributions and with the Stronghold secure web server. Updated
packages which contain backported patches for these issues are
available along with our advisories at the URL below. Users of the
Red Hat Network can update their systems using the 'up2date' tool.
Red Hat Enterprise Linux:
Red Hat Linux 7.1, 7.2, 7.3, 8.0:
Stronghold 4 cross-platform:
Red Hat distributes OpenSSL 0.9.7 in Red Hat Linux 9. Updated
packages which contain backported patches for these issues are
available along with our advisory at the URL below. Users of the
Red Hat Network can update their systems using the 'up2date' tool.
Red Hat Linux 9:
Riverstone Networks routers are not vulnerable.
We are aware of the issue and are diligently working on a fix.
SGI acknowledges receiving the vulnerabilities reported by CERT and
NISCC. CAN-2003-0543 [VU#255484], CAN-2003-0544 [VU#380864] and
CAN-2003-0545 [VU#935264] have been addressed by SGI Security
No further information is available at this time.
For the protection of all our customers, SGI does not disclose,
discuss or confirm vulnerabilities until a full investigation has
occurred and any necessary patch(es) or release streams are
available for all vulnerable and supported SGI operating systems.
Until SGI has more definitive information to provide, customers are
encouraged to assume all security vulnerabilities as exploitable
and take appropriate steps according to local site security
policies and requirements. As further information becomes
available, additional advisories will be issued via the normal SGI
security information distribution methods including the wiretap
mailing list on http://www.sgi.com/support/security/
Stonesoft has published a security advisory that addresses the
issues in vulnerability notes VU#255484 and VU#104280. The advisory
is at http://www.stonesoft.com/document/art/3040.html
Stunnel requires the OpenSSL libraries for compilation (POSIX) or
OpenSSL DLLs for runtime operation (Windows). While Stunnel itself
is not vulnerable, it's dependence on OpenSSL means that your
installation likely is vulnerable.
If you compile from source, you need to install a non-vulnerable
version of OpenSSL and recompile Stunnel.
If you use the compiled Windows DLLs from stunnel.org, you should
download new versions which are not vulnerable. OpenSSL 0.9.7c DLLs
are available at
No new version of Stunnel source or executable will be made
available, because the problems are inside OpenSSL -- Stunnel
itself does not have the vulnerability.
All SuSE products are affected. Update packages are being tested
and will be published on Wednesday, October 1st.
None the VanDyke Software products are subject to these
vulnerabilities due to the fact that OpenSSL is not used in any
Appendix B. References
* CERT/CC Vulnerability Note VU#935264 -
* CERT/CC Vulnerability Note VU#255484 -
* CERT/CC Vulnerability Note VU#380864 -
* CERT/CC Vulnerability Note VU#686224 -
* CERT/CC Vulnerability Note VU#732952 -
* CERT/CC Vulnerability Note VU#104280 -
* OpenSSL Security Advisory [30 September 2003] -
* NISCC Vulnerability Advisory 006489/OpenSSL -
* NISCC Vulnerability Advisory 006489/TLS -
* ITU ASN.1 documentation -
NISCC discovered and researched these vulnerabilities; this document
is based on their work. We would like to thank Stephen Henson of the
OpenSSL project and the Oulu University Secure Programming Group
(OUSPG) for their previous work in this area.
Feedback can be directed to the author, Art Manion.
This document is available from:
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
Getting security information
CERT publications and other security information are available from
our web site
To subscribe to the CERT mailing list for advisories and bulletins,
send email to email@example.com. Please include in the body of your
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
October 1, 2003: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
-----END PGP SIGNATURE-----