Date: 30 September 2003
References: ESB-2003.0689 ESB-2003.0690 ESB-2003.0691 ESB-2003.0693 ESB-2003.0697 ESB-2003.0698 ESB-2003.0700 ESB-2003.0701 ESB-2003.0703 ESB-2003.0708
ESB-2003.0710 ESB-2003.0715 ESB-2003.0717 ESB-2003.0720 ESB-2003.0740 ESB-2003.0765 ESB-2003.0834 ESB-2003.0871 ESB-2004.0024 ESB-2004.0063 ESB-2004.0064
ESB-2004.0118 ESB-2004.0160 ESB-2004.0200 ESB-2004.0509
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2003.18 -- AUSCERT ALERT
Vulnerability Issues in Implementations of the TLS and SSL Protocols
NISCC Vulnerability Advisory - 006489/TLS
30 September 2003
===========================================================================
AusCERT Alert Summary
---------------------
Publisher: NISCC
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access Required: Remote
CVE Names: CAN-2003-0543, CAN-2003-0544, CAN-2003-0545
Due to the severity of this vulnerability and the wide deployment of SSL
(e.g. in HTTPS), AusCERT is releasing this information as an AusCERT
Alert. AusCERT recommends that sites which use a vulnerable implementation
(for details, see the "Vendor Information" section) should either upgrade
or apply the patch as described below.
AusCERT will continue to monitor this vulnerability and any exploit
activity. AusCERT members will be updated as information becomes
available.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) ALERT - 28/03 dated 30.09.03 Time: 13:00
UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- - ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
- - ----------------------------------------------------------------------------------
Title
=====
NISCC Vulnerability Advisory - 006489/TLS:
Vulnerability Issues in Implementations of the TLS and SSL Protocols
Detail
======
Version Information
- - -------------------
Advisory Reference 006489/TLS
Release Date 30 September 2003
Last Revision 30 September 2003
Version Number 1.0
What is affected?
- - -----------------
The vulnerabilities described in this advisory affect the TLS and SSL protocols,
which are typically used to provide security services to a range of Internet
application protocols and in support of web and email applications.
Many vendors include support for TLS/SSL in their products.
Severity
- - --------
The severity of these vulnerabilities varies by vendor. In some cases, they
could allow an attacker to create a Denial of Service condition. It may be
possible for an attacker to execute code as a result of a buffer overflow, but
this has not been demonstrated.
TLS/SSL client applications may be harder to attack than server applications,
since a client must first be directed to a hostile site before exploitation can
occur.
Summary
- - -------
During 2002 the University of Oulu Security Programming Group (OUSPG) discovered
a number of implementation specific vulnerabilities in the Simple Network
Management Protocol (SNMP). NISCC has performed and commissioned further work
to identify implementation specific vulnerabilities in related protocols that
are critical to the UK Critical National Infrastructure. The TLS (transport
layer security) and SSL (secure sockets layer) protocols, which add
communications protection to a range of Internet protocols have been studied in
this context.
NISCC has produced a test suite for TLS/SSL and has employed it to validate a
number of products from different vendors. The test results have been
confirmed, and the affected vendors have been contacted with the test results.
These vendors' product lines cover a great deal of the existing critical
information infrastructure worldwide and have therefore been addressed as a
priority. However, NISCC has subsequently contacted other vendors whose
products employ TLS/SSL and provided them with tools with which to test their
implementations.
Details
- - -------
TLS and SSL are intermediate protocols layered onto a TCP connection used to
provide additional security to higher level protocols. Higher level protocols,
particularly application protocols such as web services or email, may be layered
on top of a TLS/SSL connection.
TLS is based on SSL 3.0, and although the two are not interoperable,
implementations of TLS 1.0 are likely to support SSL 3.0. For the purpose of
this discussion the two will be considered equivalent. TLS and SSL are not
Abstract Syntax Notation One based protocols, and define their own presentation
language as part of the TLS/SSL specification. However, they do depend on a
number of ASN.1 objects used as part of the protocol exchange.
If one of the parties involved in a TLS/SSL connection sends an ASN.1 element
that cannot be handled properly, the behaviour of the receiving application may
be unpredictable. For example, it has been found that a vulnerability can arise
where one of the parties generates an exceptional ASN.1 element as part of a
client certificate. A Denial of Service may arise in the receiving application,
or there may be an opportunity for further exploitation.
Vendor specific information will be released as it becomes available, but information
will only be released with vendors permission. Subscribers are advised to check the
following URL regularly for updates:
http://www.uniras.gov.uk/vuls/2003/006489/tls.htm
[Please note that revisions to this advisory will not be notified by email.]
Solution
- - --------
Please refer to the Vendor Information section of this advisory for platform
specific remediation.
Vendor Information
- - ------------------
A list of vendors affected by this vulnerability is not currently available.
Please visit the web site, http://www.uniras.gov.uk/vuls/2003/006489/tls.htm,
in order to check for updates.
Contact Information
- - -------------------
The NISCC Vulnerability Management Team can be contacted as follows:
Email vulteam@niscc.gov.uk
Please quote the advisory reference in the subject line.
Telephone +44 (0) 20 7821 1330 Ext 4511
Monday - Friday 08:30 - 17:00 hrs
Fax +44 (0) 20 7821 1686
Post Vulnerability Management Team
NISCC
PO Box 832
London
SW1P 1BG
We encourage those who wish to communicate via email to make use of our PGP key.
This is available from
http://www.uniras.gov.uk/UNIRAS.asc
Please note that UK government protectively marked material should not be sent
to the email address above.
If you wish to be added to our email distribution list please email your request
to uniras@niscc.gov.uk.
What is NISCC?
- - --------------
For further information regarding the UK National Infrastructure Security
Co-ordination Centre, please visit
http://www.niscc.gov.uk/aboutniscc/index.htm.
Reference to any specific commercial product, process, or service by trade name,
trademark manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by NISCC. The views and opinions of
authors expressed within this notice shall not be used for advertising or
product endorsement purposes.
Neither shall NISCC accept responsibility for any errors or omissions contained
within this briefing notice. In particular, they shall not be liable for any
loss or damage whatsoever, arising from or in connection with the usage of
information contained within this notice.
(C) 2003 Crown Copyright
<End of NISCC Vulnerability Advisory>
- - ----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:
uniras@niscc.gov.uk
Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686
Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts
- - ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.
Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- - ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQCVAwUBP3lntYpao72zK539AQFHUAQArG+ANfQy9eeM2xAYUV98LqGM774Ic4ky
g32FRIFxeNPQ0i4MocKCHicPtJ9obm/DyrYWk4rEgL6hFmbxbduGjJqFtp+T6Mow
XxAQmiqr7jRhnis6jq2qhiqw9ezhZUKJriQMiGdUDC0PI38aV/qknIA8Vf/Ygzvk
ALPkl/bWOxk=
=bubP
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This alert is provided as a service to AusCERT's members. As AusCERT did
not write the document quoted above, AusCERT has had no control over its
content. The decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.
NOTE: This is only the original release of the alert. It may not be
updated when updates to the original are made. If downloading at a later
date, it is recommended that the alert is retrieved directly from the
author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the alert above. If you have any questions or need further information,
please contact them directly.
Previous advisories, alerts and external security bulletins can be
retrieved from:
http://www.auscert.org.au/render.html?cid=1977
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBP3lyyih9+71yA2DNAQHUAwP+NTKoBtO500fzpu8s/e4R14WqXkzulBbp
H+TrIzrJEXk/+Rorl6A+yoGf2+/YYj1q4kC5CYFeNpkNcMBKCyhZ+pk6Cjg3mOsY
f4+pYWfkxb+lFd9qPXW0tqDgMyO0hTw8vToVo+bwfft5ZX5klJRaLWSBoHSbEiqH
rM+I+quXagA=
=7FXf
-----END PGP SIGNATURE-----
|