SecurityTracker.com
Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1037717
SecurityTracker URL:  http://securitytracker.com/id/1037717
CVE Reference:   CVE-2017-3730, CVE-2017-3731, CVE-2017-3732
Date:  Jan 26 2017
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to versions 1.0.2k, 1.1.0d
Description:   Several vulnerabilities were reported in OpenSSL. A remote user can cause the target service to crash. A remote user can obtain potentially sensitive information on the target system.

A remote user can send a specially crafted truncated packet to the target server or client running on a 32-bit host and using a specific cipher to trigger an out-of-bounds memory read error and cause the service to crash [CVE-2017-3731]. CHACHA20/POLY1305 is affected on version 1.1.0. RC4-MD5 is affected on version 1.0.2.

The vendor was notified on November 13, 2016.

Robert Swiecki of Google reported this vulnerability.

A remote server can supply specially crafted parameters for a DHE or ECDHE key exchange to trigger a null pointer dereference and cause the target client service to crash [CVE-2017-3730]. Version 1.1.0 is affected.

The vendor was notified on January 14, 2017.

Guido Vranken reported this vulnerability.

A remote user can exploit a carry propagation flaw in BN_mod_exp() to potentially determine information about the private key in certain situations [CVE-2017-3732].

Systems configured for persistent DH parameters and sharing a private key between multiple clients are affected.

The vendor was notified on January 15, 2017.

The OSS-Fuzz project reported this vulnerability.

Impact:   A remote user can cause the target service to crash.

A remote user can obtain potentially sensitive information on the target system.

Solution:   The vendor has issued a fix (1.0.2k, 1.1.0d).

The vendor advisory is available at:

https://www.openssl.org/news/secadv/20170126.txt
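As an added example (not part of the SecurityTracker entry or the OpenSSL advisory), the check below takes an upstream `openssl version` banner, compares its patch letter against the fixed releases named above (1.0.2k, 1.1.0d), and reports which of the three CVEs from this advisory still apply to that branch; the per-branch CVE mapping follows the description text, where CVE-2017-3730 is listed for 1.1.0 only.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED_LETTER = {"1.0.2": "k", "1.1.0": "d"}

# CVEs the advisory text attributes to each branch (CVE-2017-3730 is 1.1.0 only).
BRANCH_CVES = {
    "1.0.2": ["CVE-2017-3731", "CVE-2017-3732"],
    "1.1.0": ["CVE-2017-3730", "CVE-2017-3731", "CVE-2017-3732"],
}

# Matches the start of an `openssl version` banner, e.g. "OpenSSL 1.0.2j  26 Sep 2016".
BANNER_RE = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_banner(banner):
    """Return (branch, patch_letters) from an OpenSSL version banner, or None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def letter_rank(letters):
    """Sort key for OpenSSL patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def applicable_cves(banner):
    """CVEs from this advisory that still apply to the given upstream version.

    Returns [] when the version is at or past the fixed release, and None when
    the banner is not an OpenSSL branch covered by the advisory.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    branch, letters = parsed
    if branch not in FIXED_LETTER:
        return None
    if letter_rank(letters) >= letter_rank(FIXED_LETTER[branch]):
        return []
    return list(BRANCH_CVES[branch])


if __name__ == "__main__":
    # Constructed sample banners, not output captured from any real host.
    for sample in ("OpenSSL 1.0.2j  26 Sep 2016", "OpenSSL 1.1.0d  26 Jan 2017"):
        print(sample, "->", applicable_cves(sample))
```

Distribution packages (the Ubuntu, Red Hat, Oracle, FreeBSD and IBM updates listed in the message history) backport the fix without bumping the patch letter, so for those compare the package version against the vendor's own advisory rather than the banner.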

Vendor URL:  www.openssl.org/news/secadv/20170126.txt
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 31 2017 (Ubuntu Issues Fix) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, 16.04 LTS, and 16.10.
Feb 15 2017 (IBM Issues Fix for IBM Flex System Manager) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
IBM has issued a fix for the IBM Flex System Manager SMIA tool.
Feb 20 2017 (Red Hat Issues Fix) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Feb 21 2017 (Oracle Issues Fix for Oracle Linux) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Oracle has issued a fix for Oracle Linux 6 and 7.
Feb 21 2017 (IBM Issues Fix for IBM AIX) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
IBM has issued a fix for IBM AIX 5.3, 6.1, 7.1, and 7.2.
Feb 23 2017 (FreeBSD Issues Fix) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
FreeBSD has issued a fix for FreeBSD 10.3 and 11.0.
Mar 1 2017 (Pulse Secure Issues Advisory for Pulse Connect Secure) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Pulse Secure has issued an advisory for Pulse Connect Secure.
Mar 3 2017 (Blue Coat Systems Issues Advisory for Blue Coat Director) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Blue Coat Systems has issued an advisory for Blue Coat Director.
Mar 3 2017 (Blue Coat Systems Issues Advisory for Blue Coat IntelligenceCenter) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Blue Coat Systems has issued an advisory for Blue Coat IntelligenceCenter.
Mar 4 2017 (Blue Coat Systems Issues Advisory for Blue Coat PacketShaper) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Blue Coat Systems has issued an advisory for Blue Coat PacketShaper.
Mar 4 2017 (Blue Coat Systems Issues Advisory for Blue Coat ProxyAV) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Blue Coat Systems has issued an advisory for Blue Coat ProxyAV.
Mar 4 2017 (Blue Coat Systems Issues Advisory for Blue Coat ProxySG) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Blue Coat Systems has issued an advisory for Blue Coat ProxySG.
Mar 4 2017 (Blue Coat Systems Issues Advisory for Blue Coat Reporter) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Blue Coat Systems has issued an advisory for Blue Coat Reporter.
Apr 19 2017 (Oracle Issues Fix for Oracle Primavera Products Suite) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
Oracle has issued a fix for Oracle Primavera Products Suite.
May 2 2017 (IBM Issues Fix for IBM Security Identity Manager Virtual Appliance) OpenSSL Multiple Bugs Let Remote Users Deny Service and Obtain Potentially Sensitive Information
IBM has issued a fix for IBM Security Identity Manager Virtual Appliance.



 Source Message Contents

Date:  Thu, 26 Jan 2017 14:04:46 +0000
Subject:  [openssl-announce] OpenSSL Security Advisory

Copyright 2017, SecurityGlobal.net LLC