SecurityTracker.com
Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
(NetBSD Issues Fix) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
SecurityTracker Alert ID:  1030808
SecurityTracker URL:  http://securitytracker.com/id/1030808
CVE Reference:   CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139
Date:  Sep 5 2014
Impact:   Denial of service via network, Disclosure of system information, Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to versions 0.9.8zb, 1.0.0n, 1.0.1i
Description:   Several vulnerabilities were reported in OpenSSL. A remote user can execute arbitrary code on the target system. A remote user can cause denial of service conditions. A user can obtain potentially sensitive information.

Applications that use the OpenSSL pretty printing functions may leak some stack contents to the application [CVE-2014-3508]. The OpenSSL client and server are not affected. Ivan Fratric (Google) reported this vulnerability on June 19, 2014.


A remote server can send a specially crafted ec point format extension to the target multithreaded client via a resumed session to trigger a race condition in ssl_parse_serverhello_tlsext and write to freed memory [CVE-2014-3509]. Version 1.0.0 and 1.0.1 clients are affected. Gabor Tyukasz (LogMeIn Inc) reported this vulnerability on July 8, 2014.

A remote user can send specially crafted DTLS packets to trigger a double free memory error and deny service on the target system [CVE-2014-3505]. Adam Langley and Wan-Teh Chang (Google) reported this vulnerability on June 6, 2014.

A remote user can send specially crafted data to trigger a DTLS handshake processing flaw and consume excessive memory resources on the target system [CVE-2014-3506]. Adam Langley (Google) reported this vulnerability on June 6, 2014.

A remote user can send specially crafted zero-length DTLS fragments to trigger a memory leak [CVE-2014-3507]. Adam Langley (Google) reported this vulnerability on June 6, 2014.

A remote server can specify an anonymous EC(DH) ciphersuite to trigger a null pointer dereference in the target DTLS client and cause the client to crash [CVE-2014-3510]. Felix Gröbert (Google) reported this vulnerability on July 18, 2014.

A remote user in a privileged network position can cause a target user's ClientHello message to be fragmented to trigger a flaw in the server code and force a downgrade to TLS 1.0 [CVE-2014-3511]. Version 1.0.1 is affected. David Benjamin and Adam Langley (Google) reported this vulnerability on July 21, 2014.

A remote user can send specially crafted SRP data to trigger a buffer overflow and potentially execute arbitrary code on the target system [CVE-2014-3512]. Version 1.0.1 is affected. Sean Devlin and Watson Ladd (Cryptography Services, NCC Group) reported this vulnerability on July 31, 2014.

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can cause denial of service conditions.

A user can obtain potentially sensitive information from the stack.

Solution:   NetBSD has issued a fix.

The NetBSD advisory is available at:

http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc

Vendor URL:  www.openssl.org/news/secadv_20140806.txt
Cause:   Access control error, Boundary error, Input validation error, Resource error, State error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  5.1, 5.2, 6.0, 6.1

Message History:   This archive entry is a follow-up to the message listed below.
Aug 7 2014 OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code



 Source Message Contents

Subject:  NetBSD Security Advisory 2014-008: Multiple OpenSSL vulnerabilities (updated)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2014-008
		=================================

Topic:		Multiple OpenSSL vulnerabilities


Version:	NetBSD-current:		prior to Aug 10th, 2014
		NetBSD 6.1 - 6.1.4:	affected
		NetBSD 6.0 - 6.0.5:	affected
		NetBSD 5.1 - 5.1.4:	partially affected
		NetBSD 5.2 - 5.2.2:	partially affected

Severity:	MitM, Remote Code Execution, Remote DoS,
		Local Information Leak

Fixed:		NetBSD-current:		Aug 10th, 2014
		NetBSD-6-0 branch:	Aug 16th, 2014
		NetBSD-6-1 branch:	Aug 16th, 2014
		NetBSD-6 branch:	Aug 16th, 2014
		NetBSD-5-2 branch:	Aug 28th, 2014
		NetBSD-5-1 branch:	Aug 28th, 2014
		NetBSD-5 branch:	Aug 28th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Information leak in pretty printing functions (CVE-2014-3508)
Double Free when processing DTLS packets (CVE-2014-3505)
DTLS memory exhaustion (CVE-2014-3506)
DTLS memory leak from zero-length fragments (CVE-2014-3507)
OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
OpenSSL TLS protocol downgrade attack (CVE-2014-3511)

only in NetBSD-6 and NetBSD-current:
Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
SRP buffer overrun (CVE-2014-3512)


Technical Details
=================

See http://www.openssl.org/news/secadv_20140806.txt


Solutions and Workarounds
=========================

Update the OpenSSL libraries and make sure the old libssl and libcrypto
are no longer used.

- From source:
+-----------
Update src and rebuild and install.
Note: OpenSSL in NetBSD-6 and NetBSD-current has been updated to
version 1.0.1i; updating the entire src tree is recommended.

- From tarballs:
+-------------
To obtain fixed binaries, fetch the appropriate base.tgz and comp.tgz
from a daily build later than the fix dates, from
http://nyftp.netbsd.org/pub/NetBSD-daily/<rel>/<date>/<arch>/binary/sets/
with a date 20140828* or larger, and your release version and architecture
(e.g. http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/201408280100Z/amd64/binary/sets/),
and then extract the files:

Shared libraries:

tar xzpf base.tgz \*libssl\* \*libcrypto\*

And static libraries and linker config files:

tar xzpf comp.tgz \*libssl\* \*libcrypto\*

Get the fixed library into use
+-----------------------------
Since the vulnerability is in a shared library, getting the old
library purged and the fixed one into use requires restarting
all programs that load libssl and libcrypto.
The easiest way to do this is to reboot the system.
Another method: using /bin/sh,
ps ax -o pid | (while read pid; do \
	pmap $pid | egrep '(libssl|libcrypto)' && echo found $pid ;\
done)
will find non-chrooted programs that have the affected libraries open;
restart them. sshd will not show up in this list since it runs chrooted
and re-exec'ed but also needs to be restarted.
ldd <programname> will show the shared libraries a program is wont to use.

Lastly, remove the vulnerable libraries to make sure they won't get used
accidentally:
rm /usr/lib/libssl.so.10.3 /lib/libcrypto.so.8.2 /usr/lib/libcrypto.so.8.2

 Fixed versions
 --------------
files relative to src/crypto/external/bsd/openssl/dist/ssl

 branch      d1_both.c        t1_lib.c     s3_clnt.c    s23_srvr.c
 ----------  ---------------  -----------  -----------  ------------
 netbsd-6-0  1.1.1.4.4.1.4.3  1.5.4.1.4.3  1.4.4.1.4.3  1.1.1.3.10.1
 netbsd-6-1  1.1.1.4.4.1.6.3  1.5.4.1.6.3  .4.4.1.6.3   1.1.1.3.18.1
 netbsd-6    1.1.1.4.4.4      1.5.4.4      1.4.4.4      1.1.1.3.4.1
 HEAD        1.1.1.9          1.13         1.10         1.1.1.4

files relative to src/crypto/external/bsd/openssl/dist/crypto

 branch      asn1/a_object.c  objects/obj_dat.c  srp/srp_lib.c
 ----------  ---------------  -----------------  -------------
 netbsd-6-0  1.1.1.3.4.1.4.1  1.1.1.2.14.1       1.1.1.1.10.2
 netbsd-6-1  1.1.1.3.4.1.6.1  1.1.1.2.22.1       1.1.1.1.18.2
 netbsd-6    1.1.1.3.4.2      1.1.1.2.8.1        1.1.1.1.4.2
 HEAD        1.1.1.5          1.1.1.3            1.1.1.3

files relative to crypto/dist/openssl/ssl

 branch      d1_both.c        t1_lib.c     s3_clnt.c      s23_srvr.c
 ----------  ---------------  -----------  ------------   ------------
 netbsd-5-1  1.3.4.2.2.2      1.2.12.4     1.12.4.2.2.3   1.6.12.1
 netbsd-5-2  1.3.4.2.6.2      1.2.4.3.2.1  1.12.4.3.4.2   1.6.2.1
 netbsd-5    1.3.4.4          1.2.4.4      1.12.4.5       1.6.4.1

files relative to crypto/dist/openssl/crypto

 branch      asn1/a_object.c  asn1/asn1.h   asn1/asn1_err.c   objects/obj_dat.c
 ----------  ---------------  ------------  ----------------  -----------------
 netbsd-5-1  1.1.1.7.12.1     1.10.12.1     1.1.1.8.4.1.6.1   1.10.12.1
 netbsd-5-2  1.1.1.7.2.1      1.9.4.1.10.1  1.1.1.8.4.1.10.1  1.10.2.1
 netbsd-5    1.1.1.7.4.1      1.9.4.2       1.1.1.8.4.2       1.10.4.1


Thanks To
=========

The OpenSSL team acknowledges:
Ivan Fratric (Google) for CVE-2014-3508
Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for CVE-2014-5139
Gabor Tyukasz (LogMeIn Inc) for CVE-2014-3509
Adam Langley and Wan-Teh Chang (Google) for CVE-2014-3505
Adam Langley (Google) for CVE-2014-3506, CVE-2014-3507
Felix Gröbert (Google) for CVE-2014-3510
David Benjamin and Adam Langley (Google) for CVE-2014-3511
Sean Devlin and Watson Ladd (Cryptography Services, NCC Group)
	for CVE-2014-3512
for discovering the vulnerabilities, and
Emilia Käsper, Stephen Henson and Matt Caswell of OpenSSL and
Gabor Tyukasz, Adam Langley and David Benjamin for developing fixes.


Revision History
================

	2014-08-27	Initial release
	2014-08-28	Corrected pullup version numbers


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-008.txt,v 1.5 2014/08/27 21:10:20 spz Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
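
The restart check from the advisory's "Get the fixed library into use" step, narrowed so that it reports only processes still mapping the library files the advisory says to remove. This is an added example, not part of the NetBSD advisory or the SecurityTracker entry; the PMAP override, the function names and the sample pmap layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the NetBSD advisory).
# File names below are the vulnerable libraries the advisory says to remove.
VULN_LIBS="libssl.so.10.3 libcrypto.so.8.2"
PMAP=${PMAP:-pmap}    # assumption: overridable so the logic can be exercised offline

# Read pmap-style text on stdin; print each mapped path whose file name is
# one of VULN_LIBS (one per line, deduplicated).
vulnerable_maps() {
    tr -s ' \t' '\n' | while read -r field; do
        case "$field" in
        /*) for lib in $VULN_LIBS; do
                if [ "${field##*/}" = "$lib" ]; then printf '%s\n' "$field"; fi
            done ;;
        esac
    done | sort -u
}

# Read PIDs on stdin (the "PID" header from ps is skipped); report every
# process that still maps a vulnerable library and therefore needs a restart.
# As the advisory notes, chrooted programs such as sshd will not be found.
scan_pids() {
    while read -r pid; do
        case "$pid" in ''|*[!0-9]*) continue ;; esac
        hits=$("$PMAP" "$pid" 2>/dev/null | vulnerable_maps | tr '\n' ' ')
        if [ -n "$hits" ]; then printf 'restart %s: %s\n' "$pid" "${hits% }"; fi
    done
}

# Constructed sample of pmap output for one process (layout is illustrative).
sample_pmap() {
    cat <<'EOF'
00007F7FF6C00000   1740K r-x--  /lib/libcrypto.so.8.2
00007F7FF6DB3000    124K rw---  /lib/libcrypto.so.8.2
00007F7FF7000000    356K r-x--  /usr/lib/libssl.so.10.3
00007F7FF7400000   1180K r-x--  /lib/libc.so.12.181
EOF
}

# Live scan only when asked for: sh stale-libs.sh --scan
if [ "${1:-}" = "--scan" ]; then ps ax -o pid | scan_pids; fi
```

Run the scan after installing the fixed sets and before removing the old files; an empty result means no non-chrooted process is still holding the vulnerable libraries.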