SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   OpenSSL Vendors:   OpenSSL.org
(NetBSD Issues Fix) OpenSSL SSL/TLS Handshade Flaws May Let Remote Users Crash OpenSSL-based Applications
SecurityTracker Alert ID:  1009908
SecurityTracker URL:  http://securitytracker.com/id/1009908
CVE Reference:   CVE-2004-0079, CVE-2004-0081   (Links to External Site)
Date:  Apr 22 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.9.6c - 0.9.6k and 0.9.7a - 0.9.7c
Description:   Some vulnerabilities were reported in OpenSSL, primarily involving the processing of SSL/TLS protocol handshakes. A remote user can cause OpenSSL to crash.

It is reported that there is a null-pointer assignment in the do_change_cipher_spec() function [CVE: CVE-2004-0079]. A remote user can perform a specially crafted SSL/TLS handshake with a target server to cause OpenSSL to crash on the target system. This may cause the application using OpenSSL to crash.

All versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from 0.9.7a to 0.9.7c inclusive are reportedly vulnerable to this null-pointer bug.

It is also reported that there is a flaw in performing SSL/TLS handshakes using Kerberos ciphersuites [CVE: CVE-2004-0112]. A remote user can perform a specially crafted SSL/TLS handshake against a server that is using Kerberos ciphersuites to cause OpenSSL to crash on the target system.

OpenSSL versions 0.9.7a, 0.9.7b, and 0.9.7c are reported to be vulnerable to this Kerberos handshake bug.

It is also reported that a remote user may be able to cause OpenSSL to enter an infinite loop due to a flaw in a patch introduced in 0.9.6d [CVE: CVE-2004-0081].

The vendor credits Dr. Stephen Henson of the OpenSSL core team as well as Codenomicon for supplying their TLS Test Tool and Joe Orton of Red Hat for performing the majority of the testing.

Impact:   A remote user can cause OpenSSL to crash, which may cause an application using OpenSSL to crash. The specific impact depends on the application that uses the OpenSSL library.
Solution:   NetBSD has issued a fix for the vulnerabilities described in CVE CVE-2004-0079 and CVE-2004-0079.

For NetBSD-current:

Systems running NetBSD-current dated from before 2004-03-22 should be upgraded to NetBSD-current dated 2004-03-23 or later.

The following directories need to be updated from the netbsd-current CVS branch (aka HEAD):
crypto/dist/openssl

To update from CVS, re-build, and re-install libcrypto and libssl
# cd src
# cvs update -d -P crypto/dist/openssl

# cd lib/libcrypto
# make cleandir dependall
# make install
# cd ../../lib/libssl

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install


For NetBSD 1.6, 1.6.1, 1.6.2:

The binary distribution of NetBSD 1.6, 1.6.1 and 1.6.2 are vulnerable.

Systems running NetBSD 1.6 sources dated from before 2004-04-02 should be upgraded from NetBSD 1.6 sources dated 2004-04-03 or later.

NetBSD 1.6.3 will include the fix.

The following directories need to be updated from the netbsd-1-6 CVS branch:
crypto/dist/openssl

To update from CVS, re-build, and re-install libcrypto and libssl

# cd src
# cvs update -d -P -r netbsd-1-6 crypto/dist/openssl

# cd lib/libcrypto
# make cleandir dependall
# make install
# cd ../../lib/libssl

# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

For NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

The binary distribution of NetBSD 1.5 to 1.5.3 are vulnerable.

Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated from before 2004-04-07 should be upgraded from NetBSD 1.5.* sources dated 2004-04-08 or later.

The following directories need to be updated from the netbsd-1-5 CVS branch:
crypto/dist/openssl

To update from CVS, re-build, and re-install libcrypto and libssl

# cd src
# cvs update -d -P -r netbsd-1-5 crypto/dist/openssl

# cd lib/libcrypto
# make cleandir dependall
# make install
# cd ../../lib/libssl

# make cleandir dependall
# make install

Vendor URL:  www.openssl.org/news/secadv_20040317.txt (Links to External Site)
Cause:   Boundary error, Exception handling error, State error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3, 1.6, 1.6.1, 1.6.2

Message History:   This archive entry is a follow-up to the message listed below.
Mar 17 2004 OpenSSL SSL/TLS Handshade Flaws May Let Remote Users Crash OpenSSL-based Applications



 Source Message Contents

Subject:  NetBSD Security Advisory 2004-005: Denial of service vulnerabilities in OpenSSL



-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2004-005
		 =================================

Topic:		Denial of service vulnerabilities in OpenSSL

Version:	NetBSD-current:	source prior to March 22, 2004
		NetBSD 2.0:	branch unaffected, release will include the fix
		NetBSD 1.6.2:	affected
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected
		NetBSD 1.5.3:	affected
		NetBSD 1.5.2:	affected
		NetBSD 1.5.1:	affected
		NetBSD 1.5:	affected
		pkgsrc:		security/openssl packages prior to 0.9.6m

Severity:	Possible denial of service, depending on the application

Fixed:		NetBSD-current:		March 22, 2004
		NetBSD-1.6 branch:	April  2, 2004
					(1.6.3 will include the fix)
		NetBSD-1.5 branch:	April  7, 2004
		pkgsrc:			openssl-0.9.6m corrects this issue


Abstract
========

There are two distinct denial of service vulnerabilities addressed by this
advisory:

	1. Null-pointer assignment during SSL handshake

	A carefully crafted SSL/TLS handshake against a server which
	uses the OpenSSL library may result in a crash.  Depending on how
	the application uses the OpenSSL library, this may result in a
	denial of service.


	2. Out-of-bounds read affects Kerberos ciphersuites

	A second flaw in the SSL/TLS handshake could cause a server
	configured to use the Kerberos ciphersuites to crash if a carefully
	crafted sequence of packets is sent by an attacker.



Solutions and Workarounds
=========================

The following instructions describe how to upgrade your libcrypto and libssl
libraries by updating your source tree and rebuilding and
installing a new versions.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2004-03-22
	should be upgraded to NetBSD-current dated 2004-03-23 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		crypto/dist/openssl

	To update from CVS, re-build, and re-install libcrypto and libssl
		# cd src
		# cvs update -d -P crypto/dist/openssl

		# cd lib/libcrypto
		# make cleandir dependall
		# make install
		# cd ../../lib/libssl
		
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 1.6, 1.6.1, 1.6.2:

	The binary distribution of NetBSD 1.6, 1.6.1 and 1.6.2 are vulnerable.

	Systems running NetBSD 1.6 sources dated from before
	2004-04-02 should be upgraded from NetBSD 1.6 sources dated
	2004-04-03 or later.

	NetBSD 1.6.3 will include the fix.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		crypto/dist/openssl

	To update from CVS, re-build, and re-install libcrypto and libssl

		# cd src
		# cvs update -d -P -r netbsd-1-6 crypto/dist/openssl

		# cd lib/libcrypto
		# make cleandir dependall
		# make install
		# cd ../../lib/libssl

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	The binary distribution of NetBSD 1.5 to 1.5.3 are vulnerable.   

	Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
	from before 2004-04-07 should be upgraded from NetBSD 1.5.*
	sources dated 2004-04-08 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		crypto/dist/openssl

	To update from CVS, re-build, and re-install libcrypto and libssl

		# cd src
		# cvs update -d -P -r netbsd-1-5 crypto/dist/openssl

		# cd lib/libcrypto
		# make cleandir dependall
		# make install
		# cd ../../lib/libssl

		# make cleandir dependall
		# make install

Revision History
================

	2004-04-21	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-005.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-005.txt,v 1.3 2004/04/21 17:34:50 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)

iQCVAwUBQIax0z5Ru2/4N2IFAQHjFwP7B6JP4OrQsPrCgSYkUxpuw4oQ0n9kOB7J
rEM+aA9/9nrtbc95vuFhjaiahUop91I9oPxNkKjoflaqNyrtGM18U+um5iCv/cJV
0aBih+cyv7hWylcxrTwZ35QuxpFOz253mpCPpKDk4YC8zDjvQDDOoCIz+854WdDe
5MM5tkgTqPU=
=gjxz
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC