[NEWS] Denial of Service in ASN.1 Parsing

From: SecuriTeam (support_at_securiteam.com)
Date: 11/05/03

    To: list@securiteam.com
    Date: 5 Nov 2003 17:28:31 +0200

    The following security advisory was sent to the SecuriTeam mailing list and can be found on the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      Denial of Service in ASN.1 Parsing
    ------------------------------------------------------------------------

    SUMMARY

    OpenSSL 0.9.6k was released on 30 September 2003 to address various
    ASN.1 parsing issues. Those issues were found using a test suite from
    NISCC (www.niscc.gov.uk) and fixed by Dr Stephen Henson
    (steve@openssl.org) of the OpenSSL core team.

    Subsequent to that release, Novell Inc. carried out further testing using
    the NISCC suite. They discovered that there was a denial of service
    vulnerability in OpenSSL version 0.9.6k when running on a Windows
    platform.

    A bug in OpenSSL 0.9.6 causes certain ASN.1 sequences to trigger very
    deep recursion in the parser. On platforms such as Windows, this
    recursion exhausts the available stack and OpenSSL crashes. A remote
    attacker can exploit this flaw wherever they are able to supply arbitrary
    ASN.1 to OpenSSL, for example by sending a crafted client certificate to
    an SSL/TLS server that is configured to accept client certificates.
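
    The recursion described above, as an added example (this is not code from
    the advisory or from OpenSSL): a constructed DER encoder that nests
    SEQUENCE tags to an attacker-chosen depth, a naive recursive parser that
    follows the nesting blindly, and the same parser with an explicit depth
    bound that rejects over-deep input instead of recursing into it. Python
    raises RecursionError where the C parser would exhaust the stack; the
    function names, the 64-level limit and the test depths are assumptions
    chosen for illustration.

```python
"""Deeply nested ASN.1 DER as a recursion-depth test, plus a bounded parser.

Added example, not code from the OpenSSL advisory. The DER encoder and both
parsers are written here for illustration; every input is constructed.
"""

SEQUENCE = 0x30
OCTET_STRING = 0x04


def der_length(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Wrap content in a tag/length/value triple."""
    return bytes([tag]) + der_length(len(content)) + content


def nested_sequence(depth, leaf=b"\x41"):
    """Constructed input: SEQUENCE { SEQUENCE { ... OCTET STRING leaf } } nested `depth` deep."""
    node = der_tlv(OCTET_STRING, leaf)
    for _ in range(depth):
        node = der_tlv(SEQUENCE, node)
    return node


def read_tlv(buf, pos):
    """Decode one TLV header; return (tag, content_start, content_end, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, pos, pos + length, pos + length


def parse_unbounded(buf, pos=0, end=None):
    """Naive parser: one recursive call per SEQUENCE level, no limit.

    Models the pre-fix behaviour: the nesting depth, and so the stack use,
    is entirely attacker-controlled. Returns the deepest SEQUENCE nesting seen.
    """
    if end is None:
        end = len(buf)
    deepest = 0
    while pos < end:
        tag, cstart, cend, pos = read_tlv(buf, pos)
        if tag == SEQUENCE:
            deepest = max(deepest, 1 + parse_unbounded(buf, cstart, cend))
    return deepest


def parse_bounded(buf, pos=0, end=None, max_depth=64, _depth=0):
    """Same parser with an explicit nesting limit: reject instead of recursing."""
    if end is None:
        end = len(buf)
    if _depth > max_depth:
        raise ValueError("ASN.1 nesting deeper than %d levels" % max_depth)
    deepest = 0
    while pos < end:
        tag, cstart, cend, pos = read_tlv(buf, pos)
        if tag == SEQUENCE:
            deepest = max(deepest, 1 + parse_bounded(buf, cstart, cend, max_depth, _depth + 1))
    return deepest


def crashes_naive(depth):
    """True if the unbounded parser blows up on `depth` nested SEQUENCEs.

    Python raises RecursionError at the interpreter's limit; the C code the
    advisory describes has no such guard and overflows the thread stack.
    """
    try:
        parse_unbounded(nested_sequence(depth))
        return False
    except RecursionError:
        return True


def bounded_rejects(depth, max_depth=64):
    """True if the depth-limited parser cleanly refuses `depth` nested SEQUENCEs."""
    try:
        parse_bounded(nested_sequence(depth), max_depth=max_depth)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for d in (10, 64, 65, 5000):
        print("depth %5d: naive crashes=%s bounded rejects=%s"
              % (d, crashes_naive(d), bounded_rejects(d)))
```

    The point of the bounded version is that the failure becomes a parse error
    the caller can handle (and a TLS server can log and drop the handshake)
    rather than a process crash; the limit itself should be set from the
    deepest structure the application legitimately needs to accept.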

    The OpenSSL team does not believe this issue can be exploited for anything
    beyond a denial of service.

    Patches for this issue have been created by Dr Stephen Henson
    (steve@openssl.org) of the OpenSSL core team.

    DETAILS

    Vulnerable systems:
    OpenSSL 0.9.6k is affected by the bug, but the denial of service does not
    affect all platforms. OpenSSL 0.9.7 is not affected. Currently only
    OpenSSL running on Windows is known to crash.

    Recommendations:
    Upgrade to OpenSSL 0.9.6l or 0.9.7c. Recompile or relink any applications
    that are statically linked against the OpenSSL libraries, since they carry
    their own copy of the vulnerable code and are not fixed by replacing the
    shared library.

    OpenSSL 0.9.6l is available for download via HTTP and FTP from the
    following master locations (the FTP mirrors are listed at
    http://www.openssl.org/source/mirror.html):
     o http://www.openssl.org/source/
     o ftp://ftp.openssl.org/source/

    The distribution file name is:
     o openssl-0.9.6l.tar.gz [normal]
    MD5 checksum: 843a65ddc56634f0e30a4f9474bb5b27
     o openssl-engine-0.9.6l.tar.gz [engine]
    MD5 checksum: dd372198cdf31667f2cb29cd76fbda1c

    The checksums were calculated using the following command:
        openssl md5 < openssl-0.9.6l.tar.gz
        openssl md5 < openssl-engine-0.9.6l.tar.gz

    ADDITIONAL INFORMATION

    The information has been provided by Mark J Cox (mark@openssl.org) of
    OpenSSL.

