SecurityTracker.com
Category:   Application (Security)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
SecurityTracker Alert ID:  1009458
SecurityTracker URL:  http://securitytracker.com/id/1009458
CVE Reference:   CVE-2004-0079, CVE-2004-0081, CVE-2004-0112
Date:  Mar 17 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 0.9.6c - 0.9.6k and 0.9.7a - 0.9.7c
Description:   Some vulnerabilities were reported in OpenSSL, primarily involving the processing of SSL/TLS protocol handshakes. A remote user can cause OpenSSL to crash.

It is reported that there is a null-pointer assignment in the do_change_cipher_spec() function [CVE: CVE-2004-0079]. A remote user can perform a specially crafted SSL/TLS handshake with a target server to cause OpenSSL to crash on the target system. This may cause the application using OpenSSL to crash.

All versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from 0.9.7a to 0.9.7c inclusive are reportedly vulnerable to this null-pointer bug.

It is also reported that there is a flaw in performing SSL/TLS handshakes using Kerberos ciphersuites [CVE: CVE-2004-0112]. A remote user can perform a specially crafted SSL/TLS handshake against a server that is using Kerberos ciphersuites to cause OpenSSL to crash on the target system.

OpenSSL versions 0.9.7a, 0.9.7b, and 0.9.7c are reported to be vulnerable to this Kerberos handshake bug.

It is also reported that a remote user may be able to cause OpenSSL to enter an infinite loop due to a flaw in a patch introduced in 0.9.6d [CVE: CVE-2004-0081].
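
The version ranges above can be turned into a quick inventory triage. The following is an added example, not part of the original alert or of OpenSSL; the host names and banners are constructed, and CVE-2004-0081 is not mapped because this page gives no complete version range for it.

```python
import re

# Affected ranges (inclusive) exactly as this advisory states them.
# CVE-2004-0081 is left out: the page gives no complete range for it.
AFFECTED = {
    "CVE-2004-0079": [("0.9.6", "c", "k"), ("0.9.7", "a", "c")],
    "CVE-2004-0112": [("0.9.7", "a", "c")],
}
FIXED = {"0.9.6": "0.9.6m", "0.9.7": "0.9.7d"}  # fixed releases named on the page
_BANNER_RE = re.compile(r"OpenSSL[/\s]+(\d+\.\d+\.\d+)([a-z]*)")
_BARE_RE = re.compile(r"\s*(\d+\.\d+\.\d+)([a-z]*)\s*")

def parse_version(text):
    """Return (base, letter) from `openssl version` output, a banner, or a bare version."""
    m = _BANNER_RE.search(text) or _BARE_RE.fullmatch(text)
    if not m:
        raise ValueError(f"no OpenSSL version in {text!r}")
    return m.group(1), m.group(2)

def affected_cves(text):
    """List the CVEs from this advisory whose stated range covers the version."""
    base, letter = parse_version(text)
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(base == b and len(letter) == 1 and lo <= letter <= hi
               for b, lo, hi in ranges)
    )

def triage(inventory):
    """Map host -> (cves, upgrade target); both are None if the banner is unparseable."""
    report = {}
    for host, banner in inventory.items():
        try:
            cves = affected_cves(banner)
        except ValueError:
            report[host] = (None, None)  # unknown version: check the host by hand
            continue
        report[host] = (cves, FIXED[parse_version(banner)[0]] if cves else None)
    return report

# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "web01": "OpenSSL 0.9.7c 30 Sep 2003",
    "web02": "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.6k",
    "vpn01": "OpenSSL 0.9.7d 17 Mar 2004",
    "app01": "unknown TLS stack",
}
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A version-string match is only a first pass: vendor packages such as those in the message history below may carry the fix without changing the upstream version string, so confirm hits against the vendor's package version.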

The vendor credits Dr. Stephen Henson of the OpenSSL core team as well as Codenomicon for supplying their TLS Test Tool and Joe Orton of Red Hat for performing the majority of the testing.

Impact:   A remote user can cause OpenSSL to crash, which may cause an application using OpenSSL to crash. The specific impact depends on the application that uses the OpenSSL library.
Solution:   The vendor has released fixed versions (0.9.7d or 0.9.6m), available at:

ftp://ftp.openssl.org/source/

The distribution file names are:

openssl-0.9.7d.tar.gz
MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5

openssl-0.9.6m.tar.gz [normal]
MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9

openssl-engine-0.9.6m.tar.gz [engine]
MD5 checksum: 4c39d2524bd466180f9077f8efddac8c

The checksums were calculated using the following command:

openssl md5 openssl-0.9*.tar.gz

Vendor URL:  www.openssl.org/news/secadv_20040317.txt
Cause:   Boundary error, Exception handling error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 17 2004 (Cisco Plans Fix for IOS) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Cisco has plans to issue a fix for IOS.
Mar 17 2004 (Cisco Plans Fix for Cisco Access Registrar) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Cisco plans a fix for Cisco Access Registrar.
Mar 17 2004 (SuSE Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
SuSE has released a fix.
Mar 17 2004 (FreeBSD Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
FreeBSD has released a fix.
Mar 17 2004 (Mandrake Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Mandrake has released a fix.
Mar 17 2004 (NetScreen Issues Fix for NetScreen IVE) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
NetScreen has issued a fix for the NetScreen Instant Virtual Extranet (IVE) product.
Mar 17 2004 (Red Hat Issues Fix for RH Enterprise Linux) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Red Hat has issued a fix for Red Hat Enterprise Linux 2.1.
Mar 17 2004 (Red Hat Issues Fix for RH Enterprise Linux) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Red Hat issues a fix for Red Hat Enterprise Linux 3.
Mar 17 2004 (Debian Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Debian has released a fix.
Mar 17 2004 (OpenBSD Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
OpenBSD has released a fix.
Mar 17 2004 (Red Hat Issues Fix for RH Linux) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Red Hat has released a fix for Red Hat Linux 9.
Mar 18 2004 (Gentoo Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Gentoo has released a fix.
Mar 18 2004 (Slackware Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Slackware has released a fix.
Mar 19 2004 (Trustix Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Trustix has released a fix.
Mar 22 2004 (LiteSpeed Web Server Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
The vendor of the LiteSpeed Web Server has issued a fixed version.
Mar 23 2004 (Fedora Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Fedora has released a fix.
Mar 26 2004 (Check Point Issues Fix for Provider-1) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Check Point Provider-1 is vulnerable and a fix is available.
Mar 27 2004 (Check Point Issues Fix for FireWall-1) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Check Point FireWall-1/VPN-1 is vulnerable and a fix is available.
Mar 31 2004 (Symantec Issues Fix for Clientless VPN Gateway) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Symantec has issued a fix for the Symantec Clientless VPN Gateway.
Apr 1 2004 (Conectiva Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Conectiva has released a fix.
Apr 3 2004 (NetScreen Issues Fix for NetScreen-IDP) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
NetScreen has indicated that NetScreen-IDP is vulnerable.
Apr 6 2004 (Apple Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Apple has released a fix for Mac OS X.
Apr 9 2004 (HP Issues Fix for HP-UX AAA Server) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
HP has issued a fix for the HP-UX AAA Server, which is affected by these OpenSSL flaws.
Apr 22 2004 (NetBSD Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
NetBSD has issued a fix.
Apr 26 2004 (HP Issues Fix for Apache on HP-UX) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
HP has issued a fix for HP-UX.
May 6 2004 (HP Issues Fix for HP WBEM Services) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
HP has issued a fix for HP WBEM Services.
May 8 2004 (VMware Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
VMware has issued a fix for ESX Server 2.0.1, Build 8045.
May 8 2004 (VMware Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
VMware has issued a fix for ESX Server 1.5.2.
May 10 2004 (Red Hat Issues Fix for RH Linux) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Red Hat has issued a fix for Red Hat Linux 7.2, 7.3, and 8.0.
May 28 2004 (Novell Issues Fix for eDirectory) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Novell has issued a security fix for eDirectory.
Aug 7 2004 (Citrix Issues Fix for Secure Gateway) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Citrix has issued a fix for Citrix Secure Gateway, which is affected by the OpenSSL vulnerability.
Sep 1 2004 (SCO Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
SCO has issued a fix for OpenServer 5.0.6 and 5.0.7.
Nov 3 2004 (SGI Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
SGI has issued a fix for IRIX.
Aug 16 2005 (Apple Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Apple has issued a fix for Mac OS X.
Nov 2 2005 (Red Hat Issues Fix) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.
Nov 3 2005 (Red Hat Issues Fix for openssl096b) OpenSSL SSL/TLS Handshake Flaws May Let Remote Users Crash OpenSSL-based Applications
Red Hat has released a fix for openssl096b on Red Hat Enterprise Linux 3 and 4.



 Source Message Contents

Subject:  http://www.openssl.org/news/secadv_20040317.txt


OpenSSL Security Advisory [17 March 2004]

Updated versions of OpenSSL are now available which correct two
security issues:


1. Null-pointer assignment during SSL handshake
===============================================

Testing performed by the OpenSSL group using the Codenomicon TLS Test
Tool uncovered a null-pointer assignment in the
do_change_cipher_spec() function.  A remote attacker could perform a
carefully crafted SSL/TLS handshake against a server that used the
OpenSSL library in such a way as to cause OpenSSL to crash.  Depending
on the application this could lead to a denial of service.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0079 to this issue.

All versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from
0.9.7a to 0.9.7c inclusive are affected by this issue.  Any
application that makes use of OpenSSL's SSL/TLS library may be
affected.  Please contact your application vendor for details.


2. Out-of-bounds read affects Kerberos ciphersuites
===================================================

Stephen Henson discovered a flaw in SSL/TLS handshaking code when
using Kerberos ciphersuites.  A remote attacker could perform a
carefully crafted SSL/TLS handshake against a server configured to use
Kerberos ciphersuites in such a way as to cause OpenSSL to crash.
Most applications have no ability to use Kerberos ciphersuites and
will therefore be unaffected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0112 to this issue.

Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this
issue.  Any application that makes use of OpenSSL's SSL/TLS library
may be affected.  Please contact your application vendor for details.

Recommendations
---------------

Upgrade to OpenSSL 0.9.7d or 0.9.6m.  Recompile any OpenSSL applications
statically linked to OpenSSL libraries.

OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and
FTP from the following master locations (you can find the various FTP
mirrors under http://www.openssl.org/source/mirror.html):

     ftp://ftp.openssl.org/source/

The distribution file names are:

     o openssl-0.9.7d.tar.gz
       MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5

     o openssl-0.9.6m.tar.gz [normal]
       MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9
     o openssl-engine-0.9.6m.tar.gz [engine]
       MD5 checksum: 4c39d2524bd466180f9077f8efddac8c

The checksums were calculated using the following command:

     openssl md5 openssl-0.9*.tar.gz

Credits
-------

Patches for these issues were created by Dr Stephen Henson
(steve@openssl.org) of the OpenSSL core team.  The OpenSSL team would
like to thank Codenomicon for supplying the TLS Test Tool which was
used to discover these vulnerabilities, and Joe Orton of Red Hat for
performing the majority of the testing.

References
----------

http://www.codenomicon.com/testtools/tls/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20040317.txt





 
 

