New OpenSSL releases fix denial of service attacks [17 March 2004]

From: Mark J Cox (mark_at_awe.com)
Date: 03/17/04

  • Next message: Cisco Systems Product Security Incident Response Team: "Cisco Security Advisory: Cisco OpenSSL Implementation Vulnerability"
    Date: Wed, 17 Mar 2004 13:12:04 +0000 (GMT)
    To: full-disclosure@lists.netsys.com, <bugtraq@securityfocus.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----

    OpenSSL Security Advisory [17 March 2004]

    Updated versions of OpenSSL are now available which correct two
    security issues:

    1. Null-pointer assignment during SSL handshake
    ===============================================

    Testing performed by the OpenSSL group using the Codenomicon TLS Test
    Tool uncovered a null-pointer assignment in the
    do_change_cipher_spec() function. A remote attacker could perform a
    carefully crafted SSL/TLS handshake against a server that used the
    OpenSSL library in such a way as to cause OpenSSL to crash. Depending
    on the application this could lead to a denial of service.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2004-0079 to this issue.

    All versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from
    0.9.7a to 0.9.7c inclusive are affected by this issue. Any
    application that makes use of OpenSSL's SSL/TLS library may be
    affected. Please contact your application vendor for details.

    2. Out-of-bounds read affects Kerberos ciphersuites
    ===================================================

    Stephen Henson discovered a flaw in SSL/TLS handshaking code when
    using Kerberos ciphersuites. A remote attacker could perform a
    carefully crafted SSL/TLS handshake against a server configured to use
    Kerberos ciphersuites in such a way as to cause OpenSSL to crash.
    Most applications have no ability to use Kerberos ciphersuites and
    will therefore be unaffected.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2004-0112 to this issue.

    Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this
    issue. Any application that makes use of OpenSSL's SSL/TLS library
    may be affected. Please contact your application vendor for details.

    Recommendations
    - ---------------

    Upgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications
    statically linked to OpenSSL libraries.

    OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and
    FTP from the following master locations (you can find the various FTP
    mirrors under http://www.openssl.org/source/mirror.html):

        ftp://ftp.openssl.org/source/

    The distribution file names are:

        o openssl-0.9.7d.tar.gz
          MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5
        
        o openssl-0.9.6m.tar.gz [normal]
          MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9
        o openssl-engine-0.9.6m.tar.gz [engine]
          MD5 checksum: 4c39d2524bd466180f9077f8efddac8c

    The checksums were calculated using the following command:

        openssl md5 openssl-0.9*.tar.gz

    Credits
    - -------

    Patches for these issues were created by Dr Stephen Henson
    (steve@openssl.org) of the OpenSSL core team. The OpenSSL team would
    like to thank Codenomicon for supplying the TLS Test Tool which was
    used to discover these vulnerabilities, and Joe Orton of Red Hat for
    performing the majority of the testing.

    References
    - ----------

    http://www.codenomicon.com/testtools/tls/
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112

    URL for this Security Advisory:
    http://www.openssl.org/news/secadv_20040317.txt

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.3 (GNU/Linux)

    iQCVAwUBQFhNTO6tTP1JpWPZAQGayAP/TpKP7CKrRR65w5+zr2/Nlw+Cz6UbY0Rd
    G1Po5mgZjaP4V63d2TD11IvvZLbjeIeGQj7GxKupcYCn2CxI83xjhwM71vsS6rvQ
    pQZAhM5IVvb4HERbGI0hryO10rd1V+fCTzxfB0pBsG1VtEL2jTULyuWgwsA/z0/j
    Ez3jSlsbRRA=
    =wvAZ
    -----END PGP SIGNATURE-----


  • Next message: Cisco Systems Product Security Incident Response Team: "Cisco Security Advisory: Cisco OpenSSL Implementation Vulnerability"

    Relevant Pages

    • [Full-Disclosure] New OpenSSL releases fix denial of service attacks [17 March 2004]
      ... Updated versions of OpenSSL are now available which correct two ... Null-pointer assignment during SSL handshake ... carefully crafted SSL/TLS handshake against a server configured to use ...
      (Full-Disclosure)
    • New OpenSSL releases fix denial of service attacks [17 March 2004]
      ... Updated versions of OpenSSL are now available which correct two ... Null-pointer assignment during SSL handshake ... carefully crafted SSL/TLS handshake against a server configured to use ...
      (Full-Disclosure)
    • RE: Vulnerable Openssl version remains & got activated after update
      ... You only appear to have upgraded the x86_64 RPMs for the new version - maybe you've still got the i686 version of the RPM's installed as well? ... Vulnerable Openssl version remains & got activated after update ... Handshake - Server Hello ... Handshake - Server Key Exhange ...
      (RedHat)
    • SSL 2-way handshake
      ... I have gone through many links on internet to get the 2-way handshake implemented with Apache mod_ssl and Openssl to no avail. ... I am stuck at a point where the Client-side certificate fails resulting in the failure of the whole SSL handshake. ... Can you point me to any link which gives a detailed procedure of implementing 2-way handshake with Openssl and Apache mod_ssl. ...
      (Security-Basics)
    • Re: New OpenSSL releases fix denial of service attacks [17 March 2004]
      ... New OpenSSL releases fix denial of service attacks ... > carefully crafted SSL/TLS handshake against a server configured to use ... > Kerberos ciphersuites in such a way as to cause OpenSSL to crash. ... > statically linked to OpenSSL libraries. ...
      (Bugtraq)