Date: 30 September 2003
References: ESB-2003.0690 ESB-2003.0693 ESB-2003.0765
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2003.0689 -- NISCC Vulnerability Advisory 006489/OpenSSL
Vulnerability Issues in OpenSSL
30 September 2003
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenSSL 0.9.6j and 0.9.7b and prior
SSLeay (all versions)
Publisher: NISCC
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access Required: Remote
CVE Names: CAN-2003-0543, CAN-2003-0544, CAN-2003-0545
Ref: AL-2003.18
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) ALERT - 27/03 dated 30.09.03 Time: 13:00
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- - ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
- - ----------------------------------------------------------------------------------
Title
=====
NISCC Vulnerability Advisory 006489/OpenSSL:
Vulnerability Issues in OpenSSL
Detail
======
Version Information
- - -------------------
Advisory Reference 006489/OpenSSL
Release Date 30 September 2003
Last Revision 30 September 2003
Version Number 1.0
What is Affected?
- - -----------------
All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all
versions of SSLeay. (SSLeay is no longer maintained.)
Severity
- - --------
Three specific vulnerabilities have been discovered in the OpenSSL
libraries. Two of these could allow a Denial of Service attack, the third
may result in an attacker being able to execute malicious code under
certain conditions.
Summary
- - -------
During 2002 the University of Oulu Security Programming Group (OUSPG)
discovered a number of implementation specific vulnerabilities in the
Simple Network Management Protocol (SNMP). NISCC has performed and
commissioned further work to identify implementation specific
vulnerabilities in related protocols that are vital to the UK Critical
National Infrastructure (CNI). The OpenSSL implementation of the TLS
(Transport Layer Security) and SSL (Secure Sockets Layer) protocols, which
add communications protection to a range of Internet protocols, has been
studied in this context.
NISCC has provided a test suite to the OpenSSL project. The OpenSSL
development team has utilised the test suite to determine whether their
product is vulnerable. Three specific vulnerabilities have been identified.
The codebase has been updated to address the issues found.
Details
- - -------
OpenSSL is an open source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
general purpose cryptography library.
The vulnerabilities described in this advisory affect the OpenSSL
implementation of the TLS and SSL protocols, which are typically used to
provide security services to a range of Internet application protocols
and in support of web and email applications.
TLS and SSL are intermediate protocols layered onto a TCP connection used
to provide additional security to higher level protocols. These higher
level protocols, particularly application protocols such as web services
or email, may be layered on top of a TLS/SSL connection.
TLS is based on SSL v3, and although the two are not interoperable,
implementations of TLS v1 are likely to support SSL v3. For the purpose of
this discussion the two will be considered equivalent. TLS and SSL are not
Abstract Syntax Notation One (ASN.1) based protocols and define their own
presentation language as part of the TLS/SSL specification. However, they
do depend on a number of ASN.1 objects used as part of the protocol
exchange.
For example, if one of the parties involved in a TLS/SSL connection sends
an ASN.1 element that cannot be handled properly, the behaviour of the
receiving application may be unpredictable. It has been found that a
vulnerability can arise where one of the parties generates an exceptional
ASN.1 element as part of a client certificate. A Denial of Service may
arise in the receiving application, or there may be an opportunity for
further exploitation.
Vendor specific information will be released as it becomes available and if
vendor permission has been received. Subscribers are advised to check the
following URL regularly for updates:
http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
[Please note that updates to this advisory will not be notified by email.]
The identified vulnerabilities (complete with CVE names) are as follows:
NISCC/006489/OpenSSL/1 [OpenSSL 0.9.6 and 0.9.7]
CAN-2003-0543 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
CAN-2003-0544 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
An unusual ASN.1 tag value can cause an out of bounds read under certain
circumstances resulting in a Denial of Service condition.
NISCC/006489/OpenSSL/2 [OpenSSL 0.9.6 and 0.9.7]
[No CVE name]
An invalid public key in a certificate will crash the verify code if it is
set to ignore all errors. This is only done for debugging purposes and
is not present in production code. Successful exploitation would result in
a Denial of Service condition.
NISCC/006490/OpenSSL/3 [OpenSSL 0.9.7]
CAN-2003-0545 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
Certain ASN.1 structures which are rejected as invalid by the parser result
in part of the corresponding structure being freed up incorrectly. In
theory exploitation of this vulnerability could result in an attacker being
able to execute malicious code.
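The first item above names an unusual ASN.1 tag value that leads to an out of bounds read. As an added illustration (this is not OpenSSL code and not a reconstruction of the flaw), the C routine below reads an ASN.1 identifier and length header while checking every octet against the buffer; tlv_hdr, tlv_parse_header and the sample arrays are names and data made up for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Decoded identifier and length octets; all names are this example's own. */
typedef struct {
    uint32_t tag;      /* tag number, low or high-tag-number form */
    size_t   hdr_len;  /* octets used by identifier + length */
    size_t   len;      /* content octets that follow the header */
} tlv_hdr;

/* 0 on success; -1 if truncated, overflowing, indefinite or overlong. */
int tlv_parse_header(const uint8_t *buf, size_t n, tlv_hdr *out) {
    size_t i = 0;
    if (n < 2) return -1;
    uint32_t tag = buf[i++] & 0x1f;
    if (tag == 0x1f) {                      /* high-tag-number form */
        uint8_t b;
        tag = 0;
        do {
            if (i >= n) return -1;                  /* ran off the buffer */
            if (tag > (UINT32_MAX >> 7)) return -1; /* shift would overflow */
            b = buf[i++];
            tag = (tag << 7) | (b & 0x7f);
        } while (b & 0x80);
    }
    if (i >= n) return -1;                  /* no length octet left */
    size_t len = buf[i++];
    if (len & 0x80) {                       /* long form: k length octets */
        size_t k = len & 0x7f;
        if (k == 0 || k > sizeof(size_t) || k > n - i) return -1;
        for (len = 0; k > 0; k--) len = (len << 8) | buf[i++];
    }
    if (len > n - i) return -1;             /* content must fit in buffer */
    out->tag = tag; out->hdr_len = i; out->len = len;
    return 0;
}

/* Constructed sample inputs, not taken from any real certificate. */
static const uint8_t ok_seq[]    = {0x30, 0x03, 0x02, 0x01, 0x05};
static const uint8_t high_tag[]  = {0x5f, 0x81, 0x00, 0x01, 0xaa};
static const uint8_t trunc_tag[] = {0x1f, 0xff, 0xff};
static const uint8_t long_len[]  = {0x04, 0x82, 0x10, 0x00, 0x41};
static tlv_hdr hdr;                         /* scratch result for the checks */

int main(void) {  /* exit status 0 when all four samples behave as expected */
    int bad = tlv_parse_header(ok_seq, sizeof ok_seq, &hdr) != 0;
    bad |= tlv_parse_header(high_tag, sizeof high_tag, &hdr) != 0;
    bad |= tlv_parse_header(trunc_tag, sizeof trunc_tag, &hdr) != -1;
    bad |= tlv_parse_header(long_len, sizeof long_len, &hdr) != -1;
    return bad;
}
```

The two rejected samples are a tag whose continuation octets run past the end of the input and a length field that claims more content than the buffer holds.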
Solution
- - --------
Please refer to the Vendor Information section of this advisory for
implementation specific remediation.
These vulnerabilities have been fixed in OpenSSL 0.9.7c and 0.9.6k,
available from the OpenSSL web site at:
http://www.openssl.org/news/secadv_20030930.txt
[OpenSSL was analysed by Stephen Henson, a member of the OpenSSL core team
(steve@openssl.org). Stephen has also produced the patches to address the
issues identified.]
Vendor Information
- - ------------------
A list of vendors affected by this advisory is not currently available.
Please visit the web site in order to check for updates at:
http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
Contact Information
- - -------------------
The NISCC Vulnerability Management Team can be contacted as follows:
Email vulteam@niscc.gov.uk
(Please quote the advisory reference in the subject line.)
Telephone +44 (0)20 7821 1330 Extension 4511
Monday to Friday 08:30 - 17:00
Fax +44 (0)20 7821 1686
Post Vulnerability Management Team
NISCC
PO Box 832
London
SW1P 1BG
We encourage those who wish to communicate via email to make use of our
PGP key. This is available from http://www.uniras.gov.uk/UNIRAS.asc
Please note that UK government protectively marked material should not be
sent to the email address above.
If you wish to be added to our email distribution list, please email your
request to uniras@niscc.gov.uk.
What is NISCC?
- - --------------
For further information regarding the UK National Infrastructure Security
Co-Ordination Centre, please visit the NISCC web site at:
http://www.niscc.gov.uk/aboutniscc/index.htm
Reference to any specific commercial product, process or service by trade
name, trademark, manufacturer or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by NISCC. The views and opinions
of authors expressed within this notice shall not be used for advertising
or product endorsement purposes.
Neither shall NISCC accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be liable
for any loss or damage whatsoever, arising from or in connection with the
usage of information contained within this notice.
(C) 2003 Crown Copyright
<End of NISCC Vulnerability Advisory>
- - ----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by
telephone. Not Protectively Marked information may be sent via email to:
uniras@niscc.gov.uk
Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686
Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts
- - ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.
Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- - ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----