[NEWS] OpenSSL NULL Pointer Assignment and Kerberos Ciphersuites Out-of-bounds

From: SecuriTeam (support_at_securiteam.com)
Date: 03/17/04

    To: list@securiteam.com
    Date: 17 Mar 2004 19:17:05 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      OpenSSL NULL Pointer Assignment and Kerberos Ciphersuites Out-of-bounds
    ------------------------------------------------------------------------

    SUMMARY

    Two security issues have been discovered in OpenSSL. The first affects the
    SSL handshake stage of the protocol, in which a NULL pointer can be passed,
    causing an exception. The second affects OpenSSL's support for Kerberos
    ciphersuites and can likewise be used to cause an exception.

    DETAILS

    NULL-pointer Assignment During SSL Handshake
    Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool
    uncovered a null-pointer assignment in the do_change_cipher_spec()
    function. A remote attacker could perform a carefully crafted SSL/TLS
    handshake against a server that used the OpenSSL library in such a way as
    to cause OpenSSL to crash. Depending on the application this could lead to
    a denial of service.

    CVE Information: CAN-2004-0079
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079>

    All versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from 0.9.7a to
    0.9.7c inclusive are affected by this issue. Any application that makes
    use of OpenSSL's SSL/TLS library may be affected. Please contact your
    application vendor for details.

    Out-of-bounds Read Affects Kerberos Ciphersuites
    Stephen Henson discovered a flaw in SSL/TLS handshaking code when using
    Kerberos ciphersuites. A remote attacker could perform a carefully crafted
    SSL/TLS handshake against a server configured to use Kerberos ciphersuites
    in such a way as to cause OpenSSL to crash. Most applications have no
    ability to use Kerberos ciphersuites and will therefore be unaffected.

    CVE Information: CAN-2004-0112
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112>

    Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this issue.
    Any application that makes use of OpenSSL's SSL/TLS library may be
    affected. Please contact your application vendor for details.

    Recommendations:
    Upgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications
    statically linked to OpenSSL libraries.

    OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and
    FTP from the following master location (you can find the various FTP
    mirrors under <http://www.openssl.org/source/mirror.html>):

     <ftp://ftp.openssl.org/source/>

    The distribution file names are:
     o openssl-0.9.7d.tar.gz
          MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5
        
     o openssl-0.9.6m.tar.gz [normal]
          MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9

     o openssl-engine-0.9.6m.tar.gz [engine]
          MD5 checksum: 4c39d2524bd466180f9077f8efddac8c

    The checksums were calculated using the following command:

        openssl md5 openssl-0.9*.tar.gz

    Credits:
    Patches for these issues were created by Dr Stephen Henson
    (steve@openssl.org) of the OpenSSL core team. The OpenSSL team would like
    to thank Codenomicon for supplying the TLS Test Tool that was used to
    discover these vulnerabilities, and Joe Orton of Red Hat for performing
    the majority of the testing.

    ADDITIONAL INFORMATION

    The original article can be found at:
    <http://www.openssl.org/news/secadv_20040317.txt>
