[NEWS] Multiple OpenSSL TLS Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Multiple OpenSSL TLS Vulnerabilities
------------------------------------------------------------------------


SUMMARY

OpenSSL has two TLS-related programming errors that cause it to crash.
The first error causes OpenSSL to crash with a segmentation fault when it
receives a TLS 1.0 Client Hello packet containing a server name extension
with server_name set to 0x00. The openssl program does not have TLS
extension handling enabled by default; it has to be explicitly enabled at
compile time. The second error causes the SSL client implementation to
crash with a segmentation fault, caused by a NULL pointer dereference, when
the 'Server Key Exchange' message is omitted from the TLS handshake. The
fault is present when Anonymous Diffie-Hellman key exchange is used.

DETAILS

Vulnerable Systems:
* OpenSSL version 0.9.8f
* OpenSSL version 0.9.8g

Immune Systems:
* OpenSSL version 0.9.8h

The first problem occurs when OpenSSL, run with the command line:
openssl s_server -key path_to_key \
-cert path_to_certificate \
-www `openssl ciphers 'ALL:COMPLEMENTOFALL'`

receives a Client Hello packet containing server name extension data with
one server host name whose length is 1 and whose data is a single zero
byte. It seems that the program detects the erroneous host name (in
ssl/t1_lib.c, line 325) and then proceeds to end the handshake. When ending
the handshake, the program ends up trying to free an already freed pointer.
The stack backtrace when running the program under a debugger shows the
following:

Program received signal SIGSEGV, Segmentation fault.

0x0000003a5806cbb7 in malloc_consolidate () from /lib64/libc.so.6
(gdb) bt
#0 0x0000003a5806cbb7 in malloc_consolidate () from /lib64/libc.so.6
#1 0x0000003a5806e7a7 in _int_free () from /lib64/libc.so.6
#2 0x0000003a5807214c in free () from /lib64/libc.so.6
#3 0x0000000000484c85 in CRYPTO_free (str=0x837030) at mem.c:378
#4 0x000000000045d3a7 in ssl3_free (s=0x8281e0) at s3_lib.c:1685
#5 0x00000000004663d7 in tls1_free (s=0x8281e0) at t1_lib.c:108
#6 0x0000000000473bf2 in SSL_free (s=0x8281e0) at ssl_lib.c:508
#7 0x0000000000482bef in ssl_free (a=0x8291f0) at bio_ssl.c:131
#8 0x00000000004c60f9 in BIO_free (a=0x8291f0) at bio_lib.c:136
#9 0x00000000004c6d21 in BIO_free_all (bio=0x828f40) at bio_lib.c:516
#10 0x000000000042b08d in www_body (hostname=0x822300
"localhost.localdomain", s=7, context=0x0) at s_server.c:2231
#11 0x000000000043d329 in do_server (port=4433, type=1, ret=0x7dd708,
cb=0x42a266 , context=0x0) at s_socket.c:310
#12 0x00000000004290cd in s_server_main (argc=0, argv=0x7fff26b87000) at
s_server.c:1335
#13 0x0000000000402cee in do_cmd (prog=0x813f70, argc=12,
argv=0x7fff26b86fa0) at openssl.c:382
#14 0x0000000000402a1e in main (Argc=12, Argv=0x7fff26b86fa0) at
openssl.c:301
(gdb)
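
Added example, not code from the advisory or from OpenSSL: a C parser for the server_name extension body that rejects the host name described above (length 1, a single zero byte) and clears the stored pointer on the error path, so that connection teardown cannot free it a second time. The names struct conn, parse_server_name and conn_free, and the 255-byte name limit, are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical connection state holding the host name taken from the extension. */
struct conn { char *servername; };

/* Free the stored name and clear the pointer so a later teardown is a no-op. */
static void conn_clear_name(struct conn *c) {
    free(c->servername);
    c->servername = NULL;
}

/* Parse a server_name extension body (ServerNameList, RFC 4366).
 * Returns 0 on success, -1 on malformed input; on failure no name stays stored. */
int parse_server_name(struct conn *c, const uint8_t *p, size_t len) {
    if (len < 2) return -1;
    size_t list_len = ((size_t)p[0] << 8) | p[1];
    p += 2; len -= 2;
    if (list_len != len) return -1;          /* declared and actual size differ */
    while (len > 0) {
        if (len < 3) goto bad;               /* need name_type + 2-byte length */
        uint8_t type = p[0];
        size_t n = ((size_t)p[1] << 8) | p[2];
        p += 3; len -= 3;
        if (n > len) goto bad;               /* entry runs past the list */
        if (type == 0) {                     /* host_name */
            /* Reject empty, over-long (assumed limit) or NUL-containing names,
             * and a second host_name entry. */
            if (n == 0 || n > 255 || memchr(p, 0, n) != NULL || c->servername)
                goto bad;
            c->servername = malloc(n + 1);
            if (c->servername == NULL) goto bad;
            memcpy(c->servername, p, n);
            c->servername[n] = '\0';
        }
        p += n; len -= n;
    }
    return 0;
bad:
    conn_clear_name(c);                      /* error path frees exactly once */
    return -1;
}

/* Teardown: safe after a failed parse because the pointer was cleared. */
void conn_free(struct conn *c) { conn_clear_name(c); }
```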

The second problem occurs when openssl is run with the following command line:
openssl s_client -connect localhost:4433 -cipher \
`openssl ciphers 'ALL:COMPLEMENTOFALL'` -debug -msg

openssl sends a 'Client Hello' message to the server, which responds with a
'Server Hello' message (having selected the TLS_DH_ANON_WITH_RC4_128_MD5
cipher suite), followed by Server Hello Done (omitting the Server Key
Exchange message).

The program dies with a segmentation fault on the ssl3_get_key_exchange()
function, caused by s->session->sess_cert being NULL. The stack
backtrace from the core file shows the following:

Program terminated with signal 11, Segmentation fault.
#0 0x000000000045be7b in ssl3_send_client_key_exchange (s=0x80dd90) at
s3_clnt.c:1970
1970 if (s->session->sess_cert->peer_dh_tmp != NULL)
(gdb) bt
#0 0x000000000045be7b in ssl3_send_client_key_exchange (s=0x80dd90) at
s3_clnt.c:1970
#1 0x000000000045882d in ssl3_connect (s=0x80dd90) at s3_clnt.c:341
#2 0x00000000004746c3 in SSL_connect (s=0x80dd90) at ssl_lib.c:859
#3 0x0000000000465e14 in ssl23_get_server_hello (s=0x80dd90) at
s23_clnt.c:593
#4 0x0000000000464ecf in ssl23_connect (s=0x80dd90) at s23_clnt.c:169
#5 0x0000000000466126 in ssl23_write (s=0x80dd90, buf=0x818100, len=0) at
s23_lib.c:184
#6 0x0000000000474891 in SSL_write (s=0x80dd90, buf=0x818100, num=0) at
ssl_lib.c:912
#7 0x000000000042e251 in s_client_main (argc=0, argv=0x7fff05afd018) at
s_client.c:1065
#8 0x0000000000402cee in do_cmd (prog=0x813f70, argc=7,
argv=0x7fff05afcfe0) at openssl.c:382
#9 0x0000000000402a1e in main (Argc=7, Argv=0x7fff05afcfe0) at
openssl.c:301

The error occurs because ssl3_get_key_exchange() allows the Server Key
Exchange message to be omitted (which is correct, of course), but
s->session->sess_cert is left NULL and this is not checked in
ssl3_get_server_done(). Instead, the client state machine proceeds to
ssl3_send_client_key_exchange(), which does not check the validity of
s->session->sess_cert but just tries to dereference it (s3_clnt.c:1970).
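
Added example, not code from the advisory or from OpenSSL: a C model of the two client handshake steps described above, in which the key-exchange step checks sess_cert before dereferencing it and fails the handshake with a fatal alert. The structures are simplified stand-ins, the function names are hypothetical, and the choice of alert is an assumption of this example.

```c
#include <stddef.h>

/* Simplified stand-ins for the structures named in the advisory. */
struct sess_cert { void *peer_dh_tmp; };
struct session   { struct sess_cert *sess_cert; };
struct ssl       { struct session *session; int alert; };

/* TLS alert descriptions: unexpected_message(10), handshake_failure(40). */
enum { ALERT_NONE = 0, ALERT_UNEXPECTED_MESSAGE = 10, ALERT_HANDSHAKE_FAILURE = 40 };
enum { KX_FAIL = 0, KX_OK = 1 };

/* Server Key Exchange handling. The message is optional, so when the peer
 * omits it (from_msg == NULL) nothing is stored and sess_cert stays NULL. */
int get_key_exchange(struct ssl *s, struct sess_cert *from_msg) {
    if (from_msg != NULL)
        s->session->sess_cert = from_msg;
    return KX_OK;
}

/* Client Key Exchange for an anonymous DH suite. The first check is the one
 * the advisory reports as missing: sess_cert is validated before use. */
int send_client_key_exchange(struct ssl *s) {
    if (s->session == NULL || s->session->sess_cert == NULL) {
        s->alert = ALERT_UNEXPECTED_MESSAGE;   /* no server DH parameters seen */
        return KX_FAIL;
    }
    if (s->session->sess_cert->peer_dh_tmp == NULL) {
        s->alert = ALERT_HANDSHAKE_FAILURE;    /* parameters present but empty */
        return KX_FAIL;
    }
    return KX_OK;                              /* safe to compute the DH share */
}

/* Runs both steps in order, as the client state machine would. */
int client_handshake(struct ssl *s, struct sess_cert *server_kx) {
    if (get_key_exchange(s, server_kx) != KX_OK)
        return KX_FAIL;
    return send_client_key_exchange(s);
}
```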

Solution:
Patch the affected software with the patches supplied by the vendor or
update to version 0.9.8h.

Vendor Statements:
OpenSSL
The issue is covered in the advisory secadv_20080528:
http://www.openssl.org/news/secadv_20080528.txt

CVE Information:
CVE-2008-0891
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0891

Cisco
We have tested our product sets that use OpenSSL and have concluded that
our products are "Not vulnerable".


ADDITIONAL INFORMATION

The information has been provided by CERT-FI <mailto:vulncoord@xxxxxxxxx>.
The original article can be found at:
http://cert.fi/haavoittuvuudet/2008/advisory-openssl.html


