Date: 10 January 2012
References: ESB-2010.1048.2 ESB-2011.0169 ESB-2012.0128
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.1112.2
Multiple OpenSSL vulnerabilities
10 January 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenSSL
Publisher: IBM
Operating System: AIX
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2011-0014 CVE-2010-4180 CVE-2010-3864
Reference: ESB-2011.0169
ESB-2010.1048.2
Original Bulletin:
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory2.asc
Revision History: January 10 2012: Fixed vulnerable fileset levels; updated OpenSSH version note
November 7 2011: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Thu Nov 4 15:00:40 CDT 2011
| Updated: Tue Dec 20 11:10:55 CST 2011
| Fixed vulnerable fileset levels
| Updated: Tue Dec 6 08:33:15 CST 2011
| Updated OpenSSH version note
| Added OpenSSL-OpenSSH compatibility matrix
The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory2.asc
or
ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory2.asc
VULNERABILITY SUMMARY
VULNERABILITY: Multiple OpenSSL vulnerabilities
PLATFORMS: AIX 5.3, 6.1, 7.1, and earlier releases
SOLUTION: Apply the fix as described below.
THREAT: See below
CVE Numbers: CVE-2011-0014
CVE-2010-3864
CVE-2010-4180
DETAILED INFORMATION
I. DESCRIPTION (from cve.mitre.org)
ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c
allows remote attackers to cause a denial of service (crash), and possibly
obtain sensitive information in applications that use OpenSSL, via a malformed
ClientHello handshake message that triggers an out-of-bounds memory
access, aka "OCSP stapling vulnerability."
Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o,
1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on
a TLS server, might allow remote attackers to execute arbitrary code via
client data that triggers a heap-based buffer overflow, related to (1) the
TLS server name extension and (2) elliptic curve cryptography.
OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly
prevent modification of the ciphersuite in the session cache, which allows
remote attackers to force the downgrade to an unintended cipher via vectors
involving sniffing network traffic to discover a session identifier.
Please see the following for more information:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0014
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
http://www.openssl.org/news/secadv_20110208.txt
http://www.openssl.org/news/secadv_20101116.txt
http://www.openssl.org/news/secadv_20101202.txt
II. PLATFORM VULNERABILITY ASSESSMENT
To determine if your system is vulnerable, execute the following
command:
lslpp -L openssl.base
The following fileset levels are vulnerable:
| AIX 7.1, 6.1, 5.3: all versions less than or equal to 0.9.8.1301
| AIX 7.1, 6.1, 5.3: FIPS capable versions less than or equal to 12.9.8.1301
| AIX 5.2: all versions less than or equal to 0.9.8.807
| IMPORTANT: If AIX OpenSSH is in use, it must be updated to OpenSSH 5.0
| or later, with the exact version depending on the installed OpenSSL
| version according to the following compatibility matrix:
| AIX           OpenSSL                     OpenSSH
| ------------------------------------------------------------------
| 5.2           OpenSSL 0.9.8.80x           OpenSSH 5.0
| 5.3,6.1,7.1   OpenSSL 0.9.8.13xx          OpenSSH 5.4.0.61xx
| 5.3,6.1,7.1   OpenSSL-fips 12.9.8.13xx    OpenSSH 5.4.0.61xx
AIX OpenSSH can be downloaded from:
http://sourceforge.net/projects/openssh-aix
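The assessment step above amounts to reading the Level column of lslpp output and comparing it, field by field, against the last vulnerable fileset level for the AIX release (FIPS-capable builds use the 12.x numbering). The following POSIX sh script is an added example, not part of the IBM or AusCERT advisory; the lslpp output it parses is a constructed sample whose column layout is assumed, so on a real host pipe the actual "lslpp -L openssl.base" output into level_from_lslpp instead.

```shell
#!/bin/sh
# Added example: classify an AIX openssl.base fileset level against the
# vulnerable levels listed in section II of the advisory.

# vercmp A B: print -1, 0 or 1 comparing dotted numeric levels field by field,
# so that 0.9.8.1302 sorts after 0.9.8.1301 (a plain string compare would not).
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# is_vulnerable AIXREL LEVEL: true (exit 0) when LEVEL is at or below the
# last vulnerable fileset level the advisory gives for that AIX release.
is_vulnerable() {
    rel="$1"; level="$2"
    case "$rel" in
        5.2) max="0.9.8.807" ;;
        *)   case "$level" in
                 12.*) max="12.9.8.1301" ;;   # FIPS-capable openssl.base
                 *)    max="0.9.8.1301" ;;
             esac ;;
    esac
    [ "$(vercmp "$level" "$max")" -le 0 ]
}

# level_from_lslpp: extract the Level column for openssl.base from
# "lslpp -L openssl.base" output supplied on stdin.
level_from_lslpp() {
    awk '$1 == "openssl.base" { print $2; exit }'
}

# Constructed sample of lslpp -L output (layout assumed, not captured from a host).
SAMPLE='  Fileset                  Level  State  Type  Description (Uninstaller)
  --------------------------------------------------------------------
  openssl.base        0.9.8.1301    C     F    Open Secure Socket Layer'

lvl=$(printf '%s\n' "$SAMPLE" | level_from_lslpp)
if is_vulnerable 6.1 "$lvl"; then
    echo "openssl.base $lvl: VULNERABLE, apply the fix from section III"
else
    echo "openssl.base $lvl: not affected"
fi
```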
III. FIXES
A fix is available, and it can be downloaded from:
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp
To extract the fixes from the tar file:
zcat openssl.0.9.8.1302.tar.Z | tar xvf -
or
zcat openssl-fips.12.9.8.1302.tar.Z | tar xvf -
or
zcat openssl.0.9.8.808.tar.Z | tar xvf -
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
To preview the fix installation:
installp -apYd . openssl
To install the fix package:
installp -aXYd . openssl
IV. WORKAROUNDS
There are no workarounds.
V. CONTACT INFORMATION
If you would like to receive AIX Security Advisories via email,
please visit:
http://www.ibm.com/systems/support
and click on the "My notifications" link.
To view previously issued advisories, please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
Comments regarding the content of this announcement can be
directed to:
security-alert@austin.ibm.com
To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:
A. Send an email with "get key" in the subject line to:
security-alert@austin.ibm.com
B. Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt
C. Download the key from a PGP Public Key Server. The key ID is:
0x28BFAA12
Please contact your local IBM AIX support center for any
assistance.
eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)
iD8DBQFO8L0X4fmd+Ci/qhIRAglwAKCKTlQiDc6sDo0hpUT2qddh/GNDBgCgnGtq
b64Pi67FSquTHfCYHQe6qVw=
=JLOO
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================