SecurityTracker.com
Category:   Application (Security)  >   Tarantella
Vendors:   Tarantella, Inc.
(Tarantella Issues Fix for Tarantella Enterprise) Re: OpenSSL Has Multiple Buffer Overflows That Allow Remote Users to Execute Arbitrary Code with Root Privileges
SecurityTracker Alert ID:  1005393
SecurityTracker URL:  http://securitytracker.com/id/1005393
CVE Reference:   CVE-2002-0655, CVE-2002-0656, CVE-2002-0657, CVE-2002-0659
Date:  Oct 9 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Tarantella Enterprise 3, version 3.0x, 3.1x, 3.2x
Description:   Four buffer overflow conditions were reported in OpenSSL. All four may allow a remote user to execute arbitrary code.

The vendor has reported that A.L. Digital Ltd and The Bunker have uncovered multiple buffer overflows in OpenSSL, discovered during a security review.

A remote user could create a specially crafted, oversized client master key and use SSL2 to trigger an overflow on an SSL server. According to the report, this vulnerability was independently discovered by Neohapsis, which has confirmed that the overflow can be exploited to execute arbitrary code.

A remote user with an SSL server could create a specially crafted, oversized session ID and supply this ID to a target client using SSL3 to trigger an overflow.

A remote user could supply a specially crafted, oversized master key to an SSL3 server to trigger an overflow. It is reported that this flaw affects OpenSSL 0.9.7 prior to version 0.9.7-beta3 when Kerberos is enabled.

Several buffers used for ASCII representations of integers are reportedly too small on 64 bit platforms.

The report also states that other potential buffer overflows that are currently considered to be non-exploitable have been discovered.

The vendor notes that Adi Stav and James Yonan independently reported that the ASN1 parser can be confused by certain invalid encodings, potentially allowing a remote user to cause denial of service conditions. OpenSSL-based applications that use the ASN1 library to parse untrusted data (including all SSL or TLS applications using S/MIME [PKCS#7] or certificate generation routines) are affected.

Impact:   A remote user acting as an SSL client could execute arbitrary code on an SSL server. A remote user acting as an SSL server could cause arbitrary code to be executed on an SSL client that is connecting to the server. In each case, the code would run with privileges of the affected implementation.

A remote user may be able to cause denial of service conditions.

Solution:   Tarantella has issued a fix for Tarantella Enterprise Server and has provided the following solution information.

"Replacement binaries for the Tarantella Security Daemon (ttassl) and replacement packages for the Tarantella Native Client have been produced, using a fixed version of the OpenSSL libraries.

The replacement Tarantella Security Daemon binaries are available from the software updates pages of the Tarantella Support site:

http://www.tarantella.com/support/updates/

These are currently available for Solaris and Linux platforms only, and can be applied to version 3.20 only. They are not suitable for earlier versions of the software.

The replacement Native Client packages are available from the Tarantella Native Client download page:

http://www.tarantella.com/download/clients/

These replacements are currently available for Solaris, Linux and Microsoft Windows platforms only: fixed Native Clients are version 3.20.939.

Maintenance customers with versions of the product prior to 3.20 are entitled and encouraged to upgrade to version 3.20 and apply this security update as part of their maintenance contract. All other customers should contact their local Tarantella representative for details of other update paths."

Also, the vendor plans to include the fix in future releases of Tarantella Enterprise 3 software.

Vendor URL:  www.tarantella.com/security/bulletin-05.html
Cause:   Boundary error, Exception handling error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 30 2002 OpenSSL Has Multiple Buffer Overflows That Allow Remote Users to Execute Arbitrary Code with Root Privileges



 Source Message Contents

Subject:  Tarantella Security Bulletin #05


Tarantella Security Bulletin #05
OpenSSL libraries used by Tarantella software contain security vulnerabilities

Originally posted: October 7, 2002
Last updated: October 7, 2002

Summary

Affected products

    * Tarantella Enterprise 3, version 3.2x on all operating systems.
    * Tarantella Enterprise 3, version 3.1x on all operating systems.
    * Tarantella Enterprise 3, version 3.0x on all operating systems.

Problem

The OpenSSL libraries used in the affected products contain security vulnerabilities.

Impact

    * A remote attacker can obtain root access to a host on which a Tarantella server is
installed, if the Tarantella Security Pack is also installed and running.
    * A remote attacker may be able to execute arbitrary code on the client system with the
privileges of the current user.

Solution

    * There are two parts to the solution:
         1. A replacement ttassl binary. Binaries are currently available for Solaris and
Linux platforms only. The replacement binary can be applied to version 3.20 only.
         2. Replacement Tarantella Native Client packages. Packages are currently
available for Solaris, Linux and Microsoft Windows platforms only. 
    * The fixed ttassl binaries are available from the software updates pages of the
Tarantella Support site.
    * The new Native Client packages are available from the Tarantella Native Client
download page. Fixed Native Clients are version 3.20.939.
    * Maintenance customers with earlier versions of the product are entitled and
encouraged to upgrade to version 3.20 and apply the security update, as part of their
maintenance contract. All other customers should contact their local Tarantella
representative for details of other update paths.
    * This vulnerability will be removed from future releases of Tarantella Enterprise 3
software.

Technical details

To implement security features in Tarantella software, some Tarantella components make use
of an open source implementation of the SSL (Secure Sockets Layer) protocol, OpenSSL. In
particular, the Tarantella Security Daemon (part of the Tarantella server) and Tarantella
libraries.

Security researchers in the Internet community have recently found several severe
vulnerabilities in the OpenSSL implementation. These are described in CERT Advisory
CA-2002-23. Many of these vulnerabilities are in the OpenSSL code used in the affected
Tarantella products:

   1. CERT vulnerability 102795 (also known as CAN-2002-0656).
   2. CERT vulnerability 258555 (also known as CAN-2002-0656).
   3. CERT vulnerability 748355 (also known as CAN-2002-0659). 

Note that CERT Advisory CA-2002-23 also refers to other OpenSSL vulnerabilities (CERT
vulnerabilities 561275 and 308891). These do not affect Tarantella products.

Checking for vulnerable installations

Because this vulnerability affects both client and server components, you must check both.

A Tarantella server installation is vulnerable if any of the following are true:

   1. The installation is Tarantella Enterprise 3 version 3.0x or 3.1x on any operating
system, and the Tarantella Security Pack is installed and running.
   2. The installation is Tarantella Enterprise 3 version 3.2x on any operating system,
the Tarantella Security Pack is installed and running, and the original ttassl binary is
installed (in other words, the fix has not been applied). Note that the 3.20.931 patch
does not remove this vulnerability. You should install the 3.20.931 patch before
installing these fixes: see software updates. 

To check the version of your Tarantella server

   1. Log in to the UNIX host on which the Tarantella Enterprise 3 software is installed.
   2. Type the following (replacing /opt/tarantella with the name of your installation
directory, if different):

      /opt/tarantella/bin/tarantella version

   3. This displays the version numbers of all installed components. Check the version
number for the main component (shown as "Tarantella Enterprise 3 for operating system").
          * If this begins 3.1 or 3.0, then the installation is vulnerable.
          * If this begins 3.2, then the installation may be vulnerable: check whether the
fix has already been applied.
          * In all other cases the installation is not vulnerable.

To check whether the fix has already been applied

   1. Log in to the UNIX host on which the Tarantella Enterprise 3 software is installed,
and change to the /opt/tarantella/bin/bin directory (replacing /opt/tarantella with the
name of your installation directory, if different).
   2. Type either of the following lines:

      sum -r ttassl
      md5sum ttassl

   3. These commands produce checksums for the ttassl binary, which will be different on
each operating system. The table below shows the checksums for the fixed binary on each
platform.

      Platform                   sum -r   md5sum
      Intel Linux 2.2+ kernel    61757    258641a531cb2dd178a24ec96caa2d6a
      SPARC Solaris 2.6+         13533    5d91f81f97a18131c75834349885b68f

      Fixes for other platforms are not yet available

   4. If your checksum matches the table, then the fixed ttassl binary is installed. If it
displays anything else, then a vulnerable ttassl binary is installed. 

A Tarantella Native Client is vulnerable if any of the following are true:

   1. The Native Client is version 3.0x or 3.1x on any operating system.
   2. The Native Client is version 3.2x on any operating system, and not 3.20.939 (in
other words, the fix has not been applied). 

To check the Native Client version

   1. Run the Native Client.
   2. On the Help menu, click About Tarantella.
   3. This displays the version number of the Native Client, in the form "Tarantella
Native Client z.yy.xxx"
          * If the version begins 3.1 or 3.0, then the Native Client is vulnerable.
          * If the version begins 3.2 and is not 3.20.939, then the Native Client is
vulnerable.
          * In all other cases the Native Client is not vulnerable.

Detecting possible attacks

CERT Advisory CA-2002-27 describes an exploit of vulnerability 102795 known as the
Apache/mod_ssl worm, linux.slapper.worm or bugtraq.c worm. There are no known examples of
this exploit being used against a Tarantella server or client.

If you see evidence of this exploit on a server on which Tarantella software is installed,
this may be an attack on your Apache HTTPS server and not the Tarantella server.

Impact

The vulnerability in the ttassl binary allows a remote attacker to gain root privileges
for the host on which Tarantella Enterprise 3 software is installed, if the Tarantella
Security Pack is also installed and running.

The Native Client vulnerability would allow a remote attacker to execute arbitrary code on
the client system with the privileges of the current user. This client attack would
require the attacker to spoof the user into visiting the attacker's server.

Solution

Replacement binaries for the Tarantella Security Daemon (ttassl) and replacement packages
for the Tarantella Native Client have been produced, using a fixed version of the OpenSSL
libraries.

    * The replacement Tarantella Security Daemon binaries are available from the software
updates pages of the Tarantella Support site. These are currently available for Solaris
and Linux platforms only, and can be applied to version 3.20 only. They are not suitable
for earlier versions of the software.

    * The replacement Native Client packages are available from the Tarantella Native
Client download page. These replacements are currently available for Solaris, Linux and
Microsoft Windows platforms only: fixed Native Clients are version 3.20.939.

Maintenance customers with versions of the product prior to 3.20 are entitled and
encouraged to upgrade to version 3.20 and apply this security update as part of their
maintenance contract. All other customers should contact their local Tarantella
representative for details of other update paths.

This vulnerability will be removed from future releases of Tarantella Enterprise 3
software.

Contact details

    * To report a suspected vulnerability in a Tarantella product, email
security@tarantella.com with full details.
    * For general support information, see the Tarantella Support web site.

About this bulletin

    * URL: http://www.tarantella.com/security/bulletin-05.html
    * Internal reference: FZ603070
    * Revision history:
          o 1.1 (October 7, 2002): Bulletin created.
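
Added example (not part of the Tarantella bulletin or of the SecurityTracker alert): a shell helper that applies the version rules and the fixed-ttassl md5sum values from "Checking for vulnerable installations" above. The function names are hypothetical, version strings are supplied by the operator because the bulletin does not show the output format of the version command, and the server rule assumes the Tarantella Security Pack is installed and running.

```shell
#!/bin/sh
# Added example: triage helper for the checks in Tarantella Security Bulletin #05.
# Function names are hypothetical. Version strings are passed in by the operator;
# the output format of "tarantella version" is not shown in the bulletin.

# md5sum values of the fixed ttassl binary, copied from the bulletin's table.
fixed_md5_for() {
    case "$1" in
        linux)   echo 258641a531cb2dd178a24ec96caa2d6a ;;
        solaris) echo 5d91f81f97a18131c75834349885b68f ;;
        *)       return 1 ;;   # no fix published for other platforms
    esac
}

# Server rule (assumes the Security Pack is installed and running):
# 3.0x/3.1x are vulnerable; 3.2x depends on which ttassl binary is installed.
classify_server() {
    case "$1" in
        3.0*|3.1*) echo vulnerable ;;
        3.2*)      echo check-ttassl ;;
        *)         echo not-vulnerable ;;
    esac
}

# Native Client rule: 3.0x/3.1x vulnerable; 3.2x vulnerable unless 3.20.939.
classify_client() {
    case "$1" in
        3.20.939)       echo not-vulnerable ;;
        3.0*|3.1*|3.2*) echo vulnerable ;;
        *)              echo not-vulnerable ;;
    esac
}

# Compare a ttassl binary with the fixed checksum for the given platform.
# Any mismatch (including an unreadable file) is reported as vulnerable.
ttassl_status() {   # usage: ttassl_status <path-to-ttassl> <linux|solaris>
    want=$(fixed_md5_for "$2") || { echo no-fix-for-platform; return 0; }
    have=$(md5sum "$1" 2>/dev/null | awk '{print $1}')
    if [ "$have" = "$want" ]; then echo fixed; else echo vulnerable; fi
}

# Example run against the install path named in the bulletin
# (skipped when the binary is absent; set TTASSL/PLATFORM to override).
TTASSL=${TTASSL:-/opt/tarantella/bin/bin/ttassl}
if [ -f "$TTASSL" ]; then
    echo "ttassl: $(ttassl_status "$TTASSL" "${PLATFORM:-linux}")"
fi
```

A server that reports check-ttassl is only cleared once ttassl_status prints fixed for the binary in its own installation directory.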





 
 

