OpenSSL Flaw in Encrypt-Then-Mac Extension Negotiation Lets Remote Authenticated Users Cause the Target Service to Crash
|
SecurityTracker Alert ID: 1037846 |
SecurityTracker URL: http://securitytracker.com/id/1037846
|
CVE Reference:
CVE-2017-3733
(Links to External Site)
|
Date: Feb 16 2017
|
Impact:
Denial of service via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 1.1.0 to 1.1.0e
|
Description:
A vulnerability was reported in OpenSSL. A remote authenticated user can cause the target service to crash.
A remote authenticated user can trigger a crash during a renegotiate handshake and cause the target service to crash, depending on the selected cipher suite.
Negotiating the Encrypt-Then-Mac extension when the original handshake did not include the extension can trigger this flaw. Negotiating without the Encrypt-Then-Mac extension when the original handshake included the extension can also trigger this flaw.
Clients and servers are affected.
The vendor was notified on January 31, 2017.
Joe Orton (Red Hat) reported this vulnerability.
|
Impact:
A remote authenticated user can cause the target service to crash.
|
Solution:
The vendor has issued a fix (1.1.0e).
The vendor advisory is available at:
https://www.openssl.org/news/secadv/20170216.txt
|
Vendor URL: www.openssl.org/news/secadv/20170216.txt (Links to External Site)
|
Cause:
State error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Subject: [openssl-announce] OpenSSL Security Advisory
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL Security Advisory [16 Feb 2017]
========================================
Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
====================================================
Severity: High
During a renegotiation handshake if the Encrypt-Then-Mac extension is
negotiated where it was not in the original handshake (or vice-versa) then this
can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers
are affected.
OpenSSL 1.1.0 users should upgrade to 1.1.0e
This issue does not affect OpenSSL version 1.0.2.
This issue was reported to OpenSSL on 31st January 2017 by Joe Orton (Red Hat).
The fix was developed by Matt Caswell of the OpenSSL development team.
Note
====
Support for version 1.0.1 ended on 31st December 2016. Support for versions
0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer
receiving security updates.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20170216.txt
Note: the online version of the advisory may be updated with additional details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
-----BEGIN PGP SIGNATURE-----
iQEcBAEBCAAGBQJYpZMiAAoJENnE0m0OYESRMUgH/0UN9sxxgyDewSCMeTOYPauK
cSPqyw1pndQI6Lu+d3OCdWd01rdLcm+HxlbW5FOUjGZ4G9YefE0+JcvKkIuLGIpQ
1EE0g/ZuBzWDh7/MkFWcmjHceYVXi5sKewtWcQvO9uePzlPhlSZoNIL1G66n1HAo
of3ZlSL5BmibaTiz1WmpDG//0W1pgYP5OdvQ8/AVrJJf8pUnU9Oyubm1yCyK2RHi
jfJWLbMx0ENgW4G1sW4s8bPaj4GwLjIrZl8ocqoyAHhghkBv/UXUhv6i62bKHmxW
vfYwwiU0GlRVwPXzFKbbE3qqCRyDsq+XLAe/09NZZWA+BtscWuUhUpyEODBqzeY=
=zqNG
-----END PGP SIGNATURE-----
--
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce
|
|