Date: 20 April 2012
References: ESB-2012.0389 ESB-2012.0392 ESB-2012.0407 ESB-2012.0408 ESB-2012.0431 ESB-2012.0480 ESB-2012.0506 ESB-2012.0532 ESB-2012.0713 ESB-2012.0732
ESB-2012.0833.2 ESB-2012.0866 ESB-2012.0912 ASB-2012.0172 ESB-2013.0276 ESB-2013.0300 ESB-2013.0309 ESB-2013.0475 ESB-2013.0537
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0388
A vulnerability has been fixed in OpenSSL 1.0.1a, 1.0.0i and 0.9.8v
20 April 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenSSL
Publisher: OpenSSL
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2012-2110
Original Bulletin:
http://www.openssl.org/news/secadv_20120419.txt
Comment: Detailed description from security researcher:
http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086585.html
- --------------------------BEGIN INCLUDED TEXT--------------------
OpenSSL Security Advisory [19 Apr 2012]
=======================================
ASN1 BIO vulnerability (CVE-2012-2110)
=======================================
A potentially exploitable vulnerability has been discovered in the OpenSSL
function asn1_d2i_read_bio.
Any application which uses BIO or FILE based functions to read untrusted DER
format data is vulnerable. Affected functions are of the form d2i_*_bio or
d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.
Applications using the memory based ASN1 functions (d2i_X509, d2i_PKCS12 etc)
are not affected. In particular the SSL/TLS code of OpenSSL is *not* affected.
Applications only using the PEM routines are not affected.
S/MIME or CMS applications using the built in MIME parser SMIME_read_PKCS7 or
SMIME_read_CMS *are* affected.
The OpenSSL command line utility is also affected if used to process untrusted
data in DER format.
Note: although an application using the SSL/TLS portions of OpenSSL is not
automatically affected it might still call a function such as d2i_X509_bio on
untrusted data and be vulnerable.
Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and
to Adam Langley <agl@chromium.org> for fixing it.
Affected users should upgrade to OpenSSL 1.0.1a, 1.0.0i or 0.9.8v.
References
==========
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120419.txt
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBT5CxPe4yVqjM2NGpAQJ4Tw/+MNXecTZspf/x7t7PYlDU3cXiFYGXKF/S
FTMUQLTVskD5Sx/unBvwZApslMbbBbnvq0qBtNhdHAc2WVJCw5IWVPqfem4woai4
5eSitE6ylxPgJTIuFCfFUaKCRFRsqWXmPaYM19r++TD1kZgtwFGrC7dsAuKfnPua
1H4lG5OZbHVDU/6kkxkPph7RgIGZN062KcyZLUZ9CAWwPnCB0K14nCCSXEPyWwrI
AU+qHjsdQn4d/HmR6fUsoZ+oIvptXqxuRUEO5/50vGLMOCmepTG1w7bS/PUh6Oek
7y0DhM9i7LiNNCkSHCgKqu9FWrpAcwo0A04v/7LB1g/gGBnkOZhre74QXsmgRqQI
JHeIZdcgfMf9BNLUNW3m2o3VC+bBe9KZKdY0/DUzMOUjkDINI3y9hwGr4mLROus1
wZNMPqv8eZByqn0Weji+r6YktfANhOVE6zhMXvqbOeNGq5Q+wPxbN3CvF22u7itz
rVqt8TlPtGUhqLPyAWTL13rfrA97eRUFcSeknnxQA8HDI51vaADr7TsvOJFI41fY
yovDyBqxVT1aKnfvWL0TYWuYt0nQ58XVZVpfm9HLrzjJucLsQfwMvKctMHqYHhH7
CL4GLZ+O9AFPqAFAUDI7sJFoUrMZNXLOVbRkpcDGOipUXbNI0V/0TwjBKFSsLl2L
R4/uobpkIR4=
=/u8H
-----END PGP SIGNATURE-----
|