SecurityTracker.com


 


Category:   Application (Security)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
SecurityTracker Alert ID:  1007837
SecurityTracker URL:  http://securitytracker.com/id/1007837
CVE Reference:   CVE-2003-0543, CVE-2003-0544, CVE-2003-0545
Updated:  Sep 30 2003
Original Entry Date:  Sep 30 2003
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 0.9.7b and prior versions
Description:   Several vulnerabilities were reported in the ASN.1 parsing code in OpenSSL. A remote user may be able to cause arbitrary code to be executed on a server application that uses OpenSSL.

It is reported that a remote user can send a specially crafted SSL client certificate containing invalid ASN.1 tag values to trigger a flaw in OpenSSL and cause OpenSSL to crash due to "out of bounds reads" (CVE: CVE-2003-0543 and CVE-2003-0544). These flaws affected 0.9.6 and 0.9.7. The specific impact depends on the application using OpenSSL. The report indicates that the effects against Apache (when using OpenSSL) are "limited" and only cause Apache httpd child processes to crash.
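As an added illustration (not OpenSSL's code and not part of the original advisory), the following C routine reads one DER identifier and length header and shows the kind of bounds checks that keep invalid tag or length octets in a certificate from driving reads past the end of the input. The names `der_hdr` and `der_read_header` are hypothetical, and the sample bytes in `main` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical type and function names for this example; not OpenSSL's API. */
typedef struct {
    uint32_t tag;          /* decoded tag number */
    size_t   hdr_len;      /* identifier + length octets consumed */
    size_t   content_len;  /* content octets that follow the header */
} der_hdr;

/* Returns 0 on success, -1 if invalid or if parsing would read past buf+len. */
int der_read_header(const uint8_t *buf, size_t len, der_hdr *out)
{
    size_t pos = 0, n;
    uint8_t b;
    if (buf == NULL || out == NULL || len < 2) return -1;
    b = buf[pos++];
    out->tag = b & 0x1f;
    if (out->tag == 0x1f) {                      /* high-tag-number form */
        uint32_t t = 0;
        if (buf[pos] == 0x80) return -1;         /* non-minimal tag encoding */
        do {                                     /* truncated, or tag overflows */
            if (pos >= len || t > (UINT32_MAX >> 7)) return -1;
            b = buf[pos++];
            t = (t << 7) | (b & 0x7f);
        } while (b & 0x80);
        if (t < 0x1f) return -1;                 /* should have used short form */
        out->tag = t;
    }
    if (pos >= len) return -1;                   /* no length octet left */
    n = b = buf[pos++];
    if (b & 0x80) {                              /* long form: b & 0x7f octets */
        size_t cnt = b & 0x7f;
        if (cnt == 0 || cnt > sizeof(size_t)) return -1; /* indefinite or huge */
        if (cnt > len - pos || buf[pos] == 0) return -1; /* truncated or padded */
        for (n = 0; cnt > 0; cnt--) n = (n << 8) | buf[pos++];
        if (n < 0x80) return -1;                 /* should have used short form */
    }
    if (n > len - pos) return -1;                /* content longer than input */
    out->hdr_len = pos;
    out->content_len = n;
    return 0;
}

int main(void)
{
    const uint8_t bad[] = {0x04, 0x82, 0x01, 0x00}; /* constructed: claims 256 bytes */
    der_hdr h;
    return der_read_header(bad, sizeof bad, &h) == -1 ? 0 : 1;
}
```

A caller should only touch `content_len` bytes after `hdr_len`, and should treat any `-1` as a reason to drop the certificate rather than continue parsing.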

It is also reported that certain ASN.1 encodings detected to be invalid may trigger a double free of the ASN1_TYPE variable, deallocating memory that has already been deallocated (CVE: CVE-2003-0545). This flaw only affects 0.9.7. A remote user may be able to send a specially crafted SSL client certificate to an application that uses OpenSSL to potentially execute arbitrary code. The exact impact depends on how the application uses OpenSSL.

It is also reported that a remote user can specify an invalid public key in a certificate to cause the verify code to crash if the target server is configured to ignore public key decoding errors. The vendor notes that ignoring public key decoding errors is usually only done in debugging situations and not usually in production code. [Editor's note: A CVE number had not yet been assigned to this issue at the time of this entry.]

NISCC is credited with discovering these vulnerabilities.

The vendor reports a fourth related security issue, where an error in the SSL/TLS protocol handling will cause a server to parse a client certificate even when a client certificate is not specifically requested. As a result, any server application that uses OpenSSL can be attacked using the vulnerabilities described above, even if the server application does not enable client authentication.

Impact:   A remote user can cause an OpenSSL-based server process to crash.

A remote user can cause arbitrary code to be executed by an OpenSSL-based server process.

In both cases, the specific impact depends on how OpenSSL is used by the server process.

Solution:   For both of these flaws, a fix is available via CVS (as of September 30, 2003):

http://cvs.openssl.org/

The vendor plans to issue a fixed release version (0.9.6k and 0.9.7c), to be available shortly at:

http://www.openssl.org/source/

Vendor URL:  www.openssl.org/news/secadv_20030930.txt
Cause:   Boundary error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 30 2003 (Red Hat Issues Fix for RH 7.1 - 8.0) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Red Hat has released a fix for 7.1, 7.2, 7.3, and 8.0.
Sep 30 2003 (Red Hat Issues Fix for RH 9) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Red Hat has released a fix for Red Hat Linux 9.
Sep 30 2003 (Red Hat Issues Fix RH Enterprise Linux) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux.
Sep 30 2003 (OpenPKG Issues Fix) Re: OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
OpenPKG has issued a fixed package.
Oct 1 2003 (Immunix Issues Fix) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Immunix has released a fix.
Oct 1 2003 (Cisco IOS is Affected) Re: OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Cisco reports that Cisco IOS is vulnerable to denial of service attacks.
Oct 1 2003 (Cisco PIX is Affected) Re: OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Cisco reports that Cisco PIX Firewall is vulnerable to denial of service attacks.
Oct 1 2003 (Cisco Catalyst is Affected) Re: OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
The Cisco Firewall Services Module (FWSM) and Cisco Network Analysis Modules (NAM) for the Cisco Catalyst devices are affected.
Oct 1 2003 (Cisco Content Service Switch is Affected) Re: OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Cisco reports that the Cisco Content Service Switch (CSS) 11000 series is vulnerable.
Oct 1 2003 (Debian Issues Fix) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Debian has released a fix.
Oct 1 2003 (EnGarde Issues Fix) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
EnGarde has released a fix.
Oct 1 2003 (Mandrake Issues Fix) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Mandrake has released a fix.
Oct 1 2003 (Conectiva Issues Fix) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Conectiva has released a fix.
Oct 1 2003 (Slackware Issues Fix) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Slackware has released a fix.
Oct 2 2003 (SuSE Issues Fix) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
SuSE has released a fix.
Oct 2 2003 (HP Issues Fix for Apache) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
HP has released a fix for Apache for HP-UX.
Oct 3 2003 (Gentoo Issues Fix) Re: OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Gentoo Linux has issued a fix.
Oct 3 2003 (Trustix/Tawie Issues Fix) Re: OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Trustix/Tawie Linux has issued a fix.
Oct 4 2003 (OpenBSD Issues Fix) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications
OpenBSD has released a fix.
Oct 8 2003 (HP Issues Fix for HP-UX AAA Server) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications
HP has released a fix for the HP-UX AAA Server.
Oct 9 2003 (NetBSD Issues Fix) Re: OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
NetBSD has issued a fix.
Oct 17 2003 (Novell Issues Fix for iChain) Re: OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Novell has issued a fix for iChain.
Oct 24 2003 (Novell Issues Fix for NetMail) Re: OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Novell has issued a fix for NetMail, which is affected by the OpenSSL flaw.
Oct 31 2003 (OpenBSD Adds Fix for OpenBSD 3.4) Re: OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
OpenBSD has issued a fix for version 3.4 to add to the previously issued fixes for OpenBSD versions 3.3 and 3.2.
Dec 4 2003 (SGI Issues Fix) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
SGI has issued a fix for IRIX.
Dec 6 2003 (Novell Issues Fix for eDirectory) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Novell has issued a fix for eDirectory.
Dec 9 2003 (Tarantella Issues Fix) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Tarantella has issued a fix for Tarantella Enterprise 3.
May 28 2004 (Novell Issues Fix for eDirectory) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Novell has issued a security fix for eDirectory.
Jun 13 2005 (Novell Issues Fix for iManager) OpenSSL ASN.1 Parsing Flaws Lets Remote User Crash Applications or Execute Arbitrary Code
Novell has issued a fix for iManager, which includes OpenSSL and is affected by this vulnerability.



 Source Message Contents

Subject:  OpenSSL


It is reported that vulnerabilities have been discovered by NISCC in the SSL protocol 
implementation in OpenSSL 0.9.6 and 0.9.7.

A remote user can send a specially crafted SSL client certificate containing "unusual"
ASN.1 tag values to trigger a flaw in OpenSSL and cause OpenSSL to crash due to "out of 
bounds reads."  The specific impact depends on the application using OpenSSL.  The report 
indicates that the effects against Apache (when using OpenSSL) are "limited" and only 
cause Apache httpd child processes to crash.

The CVE numbers CAN-2003-0543 and CAN-2003-0544 have been assigned to this vulnerability.

Free up ASN1_TYPE correctly if ANY type is invalid

It is also reported that certain ASN.1 encodings detected to be invalid may trigger double 
free, deallocating memory that has already been deallocated.  A remote user may be able to 
send a specially crafted SSL client certificate to an application that uses OpenSSL to 
potentially execute arbitrary code.  The exact impact depends on how the application uses 
OpenSSL.

The CVE number CAN-2003-0545 has been assigned to this issue.

For both of these flaws, a fix is available via CVS (as of September 30, 2003):

http://cvs.openssl.org/




 
 

