SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (VPN)  >   OpenSSL Vendors:   OpenSSL.org
(NetBSD Issues Fix) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
SecurityTracker Alert ID:  1030763
SecurityTracker URL:  http://securitytracker.com/id/1030763
CVE Reference:   CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139   (Links to External Site)
Date:  Aug 27 2014
Impact:   Denial of service via network, Disclosure of system information, Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 0.9.8zb, 1.0.0n, 1.0.1i
Description:   Several vulnerabilities were reported in OpenSSL. A remote user can execute arbitrary code on the target system. A remote user can cause denial of service conditions. A user can obtain potentially sensitive information.

Applications using OpenSSL that print may leak some stack contents to the application [CVE-2014-3508]. The OpenSSL client and server are not affected. Ivan Fratric (Google) reported this vulnerability on June 19, 2014.


A remote server can send a specially crafted ec point format extension to the target multithreaded client via a resumed session to trigger a race condition in ssl_parse_serverhello_tlsext and write to freed memory [CVE-2014-3509]. Version 1.0.0 and 1.0.1 clients are affected. Gabor Tyukasz (LogMeIn Inc) reported this vulnerability on July 8, 2014.

A remote user can send specially crafted DTLS packets to trigger a double free memory error and deny service on the target system [CVE-2014-3505]. Adam Langley and Wan-Teh Chang (Google) reported this vulnerability on June 6, 2014.

A remote user can send specially crafted data to trigger a DTLS handshake processing flaw and consume excessive memory resources on the target system [CVE-2014-3506]. Adam Langley (Google) reported this vulnerability on June 6, 2014.

A remote user can send specially crafted zero-length DTLS fragments to trigger a memory leak [CVE-2014-3507]. Adam Langley (Google) reported this vulnerability on June 6, 2014.

A remote server can specify an anonymous EC(DH) ciphersuite to trigger a null pointer dereference in the target DTLS client and cause the client to crash [CVE-2014-3510]. Felix Grobert (Google) reported this vulnerability on July 18, 2014.

A remote user in a privileged network position can cause a target user's ClientHello message to be fragmented to trigger a flaw in the server code and force a downgrade to TLS 1.0 [CVE-2014-3511]. Version 1.0.1 is affected. David Benjamin and Adam Langley (Google) reported this vulnerability on July 21, 2014.

A remote user can send specially crafted SRP data to trigger a buffer overflow and potentially execute arbitrary code on the target system [CVE-2014-3512]. Version 1.0.1 is affected. Sean Devlin and Watson Ladd (Cryptography Services, NCC
Group) reported this vulnerability on July 31, 2014.

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can cause denial of service conditions.

A user can obtain potentially sensitive information from the stack.

Solution:   NetBSD has issued a fix.

The NetBSD advisory is available at:

http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc

Vendor URL:  www.openssl.org/news/secadv_20140806.txt (Links to External Site)
Cause:   Access control error, Boundary error, Input validation error, Resource error, State error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  5.1, 5.2, 6.0, 6.1

Message History:   This archive entry is a follow-up to the message listed below.
Aug 7 2014 OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code



 Source Message Contents

Subject:  NetBSD Security Advisory 2014-008: Multiple OpenSSL vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2014-008
		=================================

Topic:		Multiple OpenSSL vulnerabilities


Version:	NetBSD-current:		prior to Aug 10th, 2014
		NetBSD 6.1 - 6.1.4:	affected
		NetBSD 6.0 - 6.0.5:	affected
		NetBSD 5.1 - 5.1.4:	partially affected
		NetBSD 5.2 - 5.2.2:	partially affected

Severity:	MitM, Remote Code Execution, Remote DoS,
		Local Information Leak

Fixed:		NetBSD-current:		Aug 10th, 2014
		NetBSD-6-0 branch:	Aug 11th, 2014
		NetBSD-6-1 branch:	Aug 11th, 2014
		NetBSD-6 branch:	Aug 11th, 2014
		NetBSD-5-2 branch:	Aug 11th, 2014
		NetBSD-5-1 branch:	Aug 11th, 2014
		NetBSD-5 branch:	Aug 11th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Information leak in pretty printing functions (CVE-2014-3508)
Double Free when processing DTLS packets (CVE-2014-3505)
DTLS memory exhaustion (CVE-2014-3506)
DTLS memory leak from zero-length fragments (CVE-2014-3507)
OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
OpenSSL TLS protocol downgrade attack (CVE-2014-3511)

only in NetBSD-6 and NetBSD-current:
Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
SRP buffer overrun (CVE-2014-3512)


Technical Details
=================

See http://www.openssl.org/news/secadv_20140806.txt


Solutions and Workarounds
=========================

Update the OpenSSL libraries and make sure the old libssl and libcrypto
are no longer used.

- From source:
- ------------
Update src and rebuild and install.
Note: OpenSSL in NetBSD-6 and NetBSD-current has been updated to
version 1.0.1h; updating the entire src tree is recommended.

- From tarballs:
- --------------
To obtain fixed binaries, fetch the appropriate base.tgz and comp.tgz
from a daily build later than the fix dates, from
http://nyftp.netbsd.org/pub/NetBSD-daily/<rel>/<date>/<arch>/binary/sets/
with a date 20140812* or larger, and your release version and architecture
(e.g. http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/201408140100Z/amd64/binary/sets/),
and then extract the files:

Shared libraries:

tar xzpf base.tgz \*libssl\* \*libcrypto\*

And static libraries and linker config files:

tar xzpf comp.tgz \*libssl\* \*libcrypto\*

Get the fixed library into use
- ------------------------------
Since the vulnerability is in a shared library, getting the old
library purged and the fixed one into use requires restarting
all programs that load libssl and libcrypto.
The easiest way to do this is to reboot the system.
Another method: using /bin/sh,
ps ax -o pid | (while read pid; do \
	pmap $pid | egrep '(libssl|libcrypto)' && echo found $pid ;\
done)
will find non-chrooted programs that have the affected libraries open;
restart them. sshd will not show up in this list since it runs chrooted
and re-exec'ed but also needs to be restartet.
ldd <programname> will show the shared libraries a programs is wont to use.

Lastly, remove the vulnerable libraries to make sure they won't get used
accidentially:
rm /usr/lib/libssl.so.10.3 /lib/libcrypto.so.8.2 /usr/lib/libcrypto.so.8.2

Fixed versions
- --------------
files relative to src/crypto/external/bsd/openssl/dist/ssl

branch      d1_both.c        t1_lib.c     s3_clnt.c    s23_srvr.c
- ----------  ---------------  -----------  -----------  ------------
netbsd-6-0  1.1.1.4.4.1.4.2  1.4.4.1.4.2  1.9.4.1.4.2  1.10.2.1.4.2
netbsd-6-1  1.1.1.4.4.1.6.2  1.4.4.1.6.2  1.9.4.1.6.2  1.10.2.1.6.2
netbsd-6    1.1.1.4.4.3      1.4.4.3      1.9.4.3      1.10.2.3
HEAD        1.1.1.8          1.9          1.16         1.16

files relative to src/crypto/external/bsd/openssl/dist/crypto

branch      asn1/a_object.c  objects/obj_dat.c  srp/srp_lib.c
- ----------  ---------------  -----------------  -------------
netbsd-6-0  1.1.1.4.4.1.4.2  1.4.4.1.4.2        1.9.4.1.4.2
netbsd-6-1  1.1.1.4.4.1.6.2  1.4.4.1.6.2        1.9.4.1.6.2
netbsd-6    1.1.1.4.4.3      1.4.4.3            1.9.4.3
HEAD        1.1.1.8          1.9                1.16

files relative to crypto/dist/openssl/ssl

branch      d1_both.c        t1_lib.c     s3_clnt.c    s23_srvr.c
- ----------  ---------------  -----------  -----------  ------------
netbsd-5-1  1.1.1.4.4.1.4.2  1.4.4.1.4.2  1.9.4.1.4.2  1.10.2.1.4.2
netbsd-5-2  1.1.1.4.4.1.6.2  1.4.4.1.6.2  1.9.4.1.6.2  1.10.2.1.6.2
netbsd-5    1.1.1.4.4.3      1.4.4.3      1.9.4.3      1.10.2.3

files relative to crypto/dist/openssl/crypto

branch      asn1/a_object.c  objects/obj_dat.c  srp/srp_lib.c
- ----------  ---------------  -----------------  -------------
netbsd-5-1  1.1.1.4.4.1.4.2  1.4.4.1.4.2        1.9.4.1.4.2
netbsd-5-2  1.1.1.4.4.1.6.2  1.4.4.1.6.2        1.9.4.1.6.2
netbsd-5    1.1.1.4.4.3      1.4.4.3            1.9.4.3


Thanks To
=========

The OpenSSL team acknowledges:
Ivan Fratric (Google) for CVE-2014-3508
Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for CVE-2014-5139
Gabor Tyukasz (LogMeIn Inc) for CVE-2014-3509
Adam Langley and Wan-Teh Chang (Google) for CVE-2014-3505
Adam Langley (Google) for CVE-2014-3506, CVE-2014-3507
Felix Gröbert (Google) for CVE-2014-3510
David Benjamin and Adam Langley (Google) for CVE-2014-3511
Sean Devlin and Watson Ladd (Cryptography Services, NCC Group)
	for CVE-2014-3512
for discovering the vulnerabilities, and
Emilia Käsper, Stephen Henson and Matt Caswell of OpenSSL and
Gabor Tyukasz, Adam Langley and David Benjamin for developing fixes.


Revision History
================

	2014-08-27	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-008.txt,v 1.1 2014/08/27 00:14:29 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJT/SL9AAoJEAZJc6xMSnBuNGMP/ij4iBhBJICU9NIL37ya0HbC
Ib4vldwm1D5P854Kzyhe9xmONcxDs/kbc3EVnZ462g/ZZXU+FCJynmSD9bjH2FyE
j8LF7qYpbPHsdsMVP2NvtE43/Tr4so1T/L0X20pyKVGfmvjcDRa6ly9TEXwueTnO
n8zlzu5frCCdB0L0flFXKFcRl8FV28vrNhjdAK9WbSVKE3AzABoIfeq1y9cQ0d5n
W9Qb5dzc7P3Es6u20/fCwFg7a8YbHh5Vdwz03UBrYw6oxW9psndz3fEPpXtobrW6
tI+qUIKN8aH+81bX6QKsJDu+N0bT+Kxy8y77XxgJws6egUtK7+LAGmU8/+nSe5yj
5rsMjrFyeTPJZ72RucYYvkqtDurQ7vofpTcUD8L0H3p/EAG7Rnfdbmjt3GtjN1Jf
TjntWXsYqKM5IEGF+Co9JywNoXPXQ2pgFJplngcxW2qMWSAb6j55z6JfUDSFFBSB
sSTzQkzs8/QJdnn+IEkXWL3O/YACE+RJ7qz2u9KRXSnSC6pxJ8u6HEXXiUtZ7yuU
dKkcN/wudVh7wb6GZETb40ZIRyyYv8wKH4JHC9v8xd/CBoMimzQayYE65xZ2oUTV
z0YaBZDLiTKZchhg3c0NYvJcRFcwNsdSnh4pT+3NYwq1wtYYRrHAIPagvafBGRPV
x01mlfhalrNN/1bxcnIl
=M1P+
-----END PGP SIGNATURE-----
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC