Date: 31 July 2002
References: ESB-2002.377 ESB-2002.395 ESB-2002.369 ESB-2002.374 ESB-2002.375 ESB-2002.482 ESB-2002.396 ESB-2002.405 ESB-2002.510 ESB-2002.521
===========================================================================
AA-2002.06 AUSCERT Advisory
OpenSSL Vulnerabilities
31 July 2002
Last Revised: --
---------------------------------------------------------------------------
AusCERT has received information that there are multiple buffer overflows
in some versions of the OpenSSL package.
These vulnerabilities may allow remote attackers to execute arbitrary code
or cause a denial of service. AusCERT has not received reports of the
vulnerabilities being actively exploited.
AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible. This advisory will be updated as more information becomes
available.
---------------------------------------------------------------------------
1. Description
OpenSSL is an implementation of the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols. There are four buffer
overflows that affect various OpenSSL client and server
implementations. Several of these vulnerabilities could be used by
a remote attacker to execute arbitrary code on the vulnerable systems.
These vulnerabilities could also be used to cause a denial of service.
Vulnerable products include:
o OpenSSL 0.9.6d or earlier (including pre-release 0.9.7-beta2 or earlier)
o OpenSSL pre-release 0.9.7-beta2 with Kerberos enabled
o SSLeay
and possibly others. Refer to the OpenSSL Security Advisory [4.1]
referenced below for more information.
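As an added example (not part of the AusCERT advisory or the OpenSSL project's own code), the following Python check parses an `openssl version` banner and classifies it against the version ranges listed above, handling the letter suffixes (0.9.6d vs 0.9.6e) and the 0.9.7 beta numbering. The sample banners in the block are constructed, and `check_local_openssl` is an assumed helper name.

```python
import re
import subprocess

# Affected ranges as stated in the advisory: every SSLeay release, OpenSSL
# 0.9.6d or earlier, and the 0.9.7 pre-releases up to beta2. 0.9.6e is fixed.
_BANNER_RE = re.compile(
    r"(OpenSSL|SSLeay)\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?"
)

def parse_banner(banner):
    """Turn an `openssl version` banner into (product, major, minor, patch, letter, beta).

    letter is 0 for a bare release and 1..26 for the 'a'..'z' patch letters,
    so 0.9.6d < 0.9.6e compares correctly; beta is None for a final release.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("unrecognised version banner: %r" % banner)
    product, major, minor, patch, letter, beta = m.groups()
    letter_idx = ord(letter) - ord("a") + 1 if letter else 0
    return (product, int(major), int(minor), int(patch), letter_idx,
            int(beta) if beta else None)

def is_affected(banner):
    """True if the banner falls inside the ranges listed in this advisory."""
    product, major, minor, patch, letter_idx, beta = parse_banner(banner)
    if product == "SSLeay":
        return True
    base = (major, minor, patch)
    if base < (0, 9, 6):
        return True
    if base == (0, 9, 6):
        return letter_idx <= 4            # 0.9.6 .. 0.9.6d affected, 0.9.6e fixed
    if base == (0, 9, 7):
        return beta is not None and beta <= 2   # beta1/beta2 affected; later not listed
    return False

def check_local_openssl():
    """Classify the locally installed openssl; returns None if it is not on PATH."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return is_affected(out)

if __name__ == "__main__":
    # Constructed sample banners, not captured from real systems.
    for b in ("OpenSSL 0.9.6d 9 May 2002", "OpenSSL 0.9.6e 30 Jul 2002",
              "OpenSSL 0.9.7-beta2 7 Jun 2002", "SSLeay 0.9.0b 29-Jun-1998"):
        print("%-32s affected=%s" % (b, is_affected(b)))
```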
Details of the vulnerabilities are:
o OpenSSL servers prior to 0.9.6e (including pre-release 0.9.7-beta2)
contain a buffer overflow during the SSL2 handshake process
o OpenSSL clients prior to 0.9.6e (including pre-release 0.9.7-beta2)
using SSL3 contain a buffer overflow during the SSL3 handshake
process
o OpenSSL servers running the OpenSSL pre-release version of 0.9.7
with Kerberos enabled contain a remotely exploitable buffer
overflow vulnerability during the SSL3 handshake process
o Some versions of OpenSSL running on 64-bit platforms prior to
version 0.9.6e, including pre-release version 0.9.7-beta2, contain
multiple buffer overflows in buffers that are used to hold ASCII
representations of integers
Separately from these buffer overflows, several ASN.1 encoding problems
have also been reported in the ASN.1 library used by the OpenSSL
package.
It is not yet known whether these encoding problems affect other SSL
implementations, but the OpenSSL Project believes they represent
implementation-specific defects rather than problems with the ASN.1
encoding protocol in general. Affected components include SSL and TLS
applications, as well as S/MIME (PKCS#7) and certificate creation
routines, and the problems may lead to application instability.
2. Impact
An attacker may be able to remotely execute arbitrary code, or cause
denial of service, on a vulnerable server or client system.
3. Solution
The OpenSSL Project has released OpenSSL 0.9.6e, which contains
fixes for all of the identified issues. Additionally, patches have
been released for these vulnerabilities for OpenSSL 0.9.6d and OpenSSL
0.9.7 beta 2. It is recommended that vulnerable systems be
patched or upgraded to OpenSSL 0.9.6e as soon as possible. All
applications that use OpenSSL to provide SSL or TLS should be recompiled.
Patches for OpenSSL 0.9.6d and OpenSSL 0.9.7 beta 2 can be found at:
http://www.openssl.org/news/patch_20020730_0_9_6d.txt
http://www.openssl.org/news/patch_20020730_0_9_7.txt
Source for OpenSSL 0.9.6e can be found at:
http://www.openssl.org/source/
Further information can be found in the security advisory [4.1]
released by the OpenSSL Project. System administrators are encouraged
to monitor their SSL-enabled systems for suspicious traffic.
4. Further Information
Further technical details of these vulnerabilities are included in the
OpenSSL Security Advisory [4.1].
[4.1] OpenSSL Security Advisory
http://www.openssl.org/news/secadv_20020730.txt
---------------------------------------------------------------------------
AusCERT would like to thank the CERT Coordination Center (CERT/CC)
(http://www.cert.org) for allowing use of their materials in assembling
the information contained in this advisory.
---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AusCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.
AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~