[fw-wiz] TLS/SSL revisited slightly...
From: Paul Robertson (proberts@patriot.net)
Date: 07/30/02
- Next message: Eric Rescorla: "Re: [fw-wiz] TLS/SSL revisited slightly..."
- Previous message: Paul D. Robertson: "[fw-wiz] Administrivia and "Which Firewall" stuff"
- Next in thread: Eric Rescorla: "Re: [fw-wiz] TLS/SSL revisited slightly..."
- Maybe reply: Eric Rescorla: "Re: [fw-wiz] TLS/SSL revisited slightly..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Paul Robertson <proberts@patriot.net> To: firewall-wizards@honor.icsalabs.com Date: Tue Jul 30 11:43:01 2002
Rather than reposting the Openssl-announce alert, I'll just
excerpt and summarize briefly- several remotely exploitable bugs have been
discovered in OpenSSL:
>All four of these are potentially remotely exploitable.
>
>1. The client master key in SSL2 could be oversized and overrun a
> buffer. This vulnerability was also independently discovered by
> consultants at Neohapsis (http://www.neohapsis.com/) who have also
> demonstrated that the vulerability is exploitable. Exploit code is
> NOT available at this time.
>
>2. The session ID supplied to a client in SSL3 could be oversized and
> overrun a buffer.
>
>3. The master key supplied to an SSL3 server could be oversized and
> overrun a stack-based buffer. This issues only affects OpenSSL
> 0.9.7 before 0.9.7-beta3 with Kerberos enabled.
>
>4. Various buffers for ASCII representations of integers were too
> small on 64 bit platforms.
Obviously, TLS systems are potentially more at risk than HTTPS since TLS
acts like a client (bugs #1 and #2 for sure, #3 if Kerberos support is on.)
I expect that #4 will probably cause more issues with Apache on Solaris
than anything else assuming that it isn't a client-side only issue as
well. Once again, this underscores the point that adding large ammounts
of code (and additional protocols) can increase exposure to exploitable
bugs.
Patches are available on www.openssl.org.
I sense a lot of browser updating in my immediate future...
Thanks,
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
- Next message: Eric Rescorla: "Re: [fw-wiz] TLS/SSL revisited slightly..."
- Previous message: Paul D. Robertson: "[fw-wiz] Administrivia and "Which Firewall" stuff"
- Next in thread: Eric Rescorla: "Re: [fw-wiz] TLS/SSL revisited slightly..."
- Maybe reply: Eric Rescorla: "Re: [fw-wiz] TLS/SSL revisited slightly..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
