Australia's Leading Computer Emergency Response Team

ESB-2006.0897 -- [Solaris] -- Security Vulnerability With RSA Signatures Affects OpenSSL Shipped With Solaris
Date: 14 November 2007
Original URL: http://www.auscert.org.au/render.html?cid=1980&it=7060
References: AL-2006.0074  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                        ESB-2006.0897 -- [Solaris]
        Security Vulnerability With RSA Signatures Affects OpenSSL
                           Shipped With Solaris
                             15 November 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              OpenSSL
Publisher:            Sun Microsystems
Operating System:     Solaris 9
                      Solaris 10
Impact:               Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2006-4339

Ref:                  AL-2006.0074

Original Bulletin:    
  http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102744-1

Revision History:     November 15 2007: Updated the Contributing Factors to 
                                        provide commands that test if a 
                                        system is vulnerable.
                      November 14 2007: Updated the product field to include 
                                        Solaris 9. 
                                        Updated the Contributing Factors to 
                                        include all vulnerable applications 
                                        and releases. 
                                        Updated the Resolution to list the 
                                        releases that fix this 
                                        vulnerability.
                      December 11 2006: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------


Sun(sm) Alert Notification
     * Sun Alert ID: 102744
     * Synopsis: Security Vulnerability With RSA Signatures Affects
       OpenSSL Shipped With Solaris
     * Category: Security
     * Product: Solaris 9 Operating System, Solaris 10 Operating System
     * BugIDs: 6467218
     * Avoidance: Patch, Workaround
     * State: Resolved
     * Date Released: 08-Dec-2006, 08-Nov-2007
     * Date Closed: 08-Nov-2007
     * Date Modified: 08-Nov-2007, 13-Nov-2007

1. Impact

   A security vulnerability in the RSA signature verification
   implementation in the OpenSSL product may incorrectly verify data
   signed with a forged signature. This will affect applications which
   make use of OpenSSL to verify RSA signatures. The direct impact to
   these applications will depend on the way in which this signed data is
   used.

   OpenSSL is shipped with Solaris 10 (see openssl(5)). This library is
   not shipped with Solaris 9; however, a number of Solaris 9
   applications statically link against this library and may be affected
   by these vulnerabilities. This Sun Alert provides details about the
   individual patches which should be installed to update the OpenSSL
   product on Solaris 10 and all potentially impacted Solaris 9
   applications.

   This issue is also described in the following documents:
     * CERT VU#845620 at: http://www.kb.cert.org/vuls/id/845620
     * CVE-2006-4339 at:
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

   Note: The issue described in this Sun Alert is specific to the OpenSSL
   shipped with Solaris. Multiple Sun products are affected by this
   issue. For more details please see Sun Alert 102648.

2. Contributing Factors

   These issues can occur with the OpenSSL included in the following
   applications and releases:

   SPARC Platform
     * Solaris 9 SSH without patches 113273-14 and 114356-11
     * Solaris 9 Packaging utilities without patch 113713-24
     * Solaris 10 without patch 121229-02

   x86 Platform
     * Solaris 9 SSH without patches 114357-10 and 114858-11
     * Solaris 9 Packaging utilities without patch 114568-23
     * Solaris 10 without patch 121230-02

   Note 1: Solaris 8 is not impacted by this issue.

   Note 2: Solaris 9 does not ship with OpenSSL libraries which can be
   used for application linking.

   Note 3: The Solaris 9 SSH patches listed above update the OpenSSL
   library used by SSH to a version that is not impacted by this issue.
   However, this fix is not required for Solaris 9 systems which have the
   following patches installed, as the SSH that is contained in those
   patches does not make use of the impacted code from the OpenSSL
   library:
     * Solaris 9 SPARC patches 112908-24, 113273-11,
       114356-07, 117177-02 (or later revisions of these patches)
     * Solaris 9 x86 patches 114263-05, 114357-07, 114858-09,
       115168-11, 117178-02 (or later revisions of these patches)

   Note 4: This issue is only exploitable in cases where keys with
   certain properties are used. Tools such as openssl(1) can be used to
   display the relevant properties of a key (openssl(1) is shipped with
   Solaris 10; Solaris 9 does not include a tool which can be used for
   this purpose):
    $ openssl x509 -pubkey -in server.crt -text

   If the output contains the following lines, then signatures made with
   this key can be forged:
    Public Key Algorithm: rsaEncryption
    Exponent: 3 (0x3)

   For more information about displaying public keys and certificate
   signature verification, see the openssl(1) manual page on Solaris 10.

   As an example of an affected application, Solaris 10 is distributed
   with the Apache web server. This server can be configured to accept
   connections with the HTTPS protocol. Since Apache uses OpenSSL for
   cryptographic operations it may be impacted by this vulnerability
   under certain circumstances.

   To verify that a system running the Apache web server is configured to
   accept HTTPS connections a command such as the following can be used:
    $ svcprop -p httpd/ssl svc:network/http:apache2

   If the above command reports "true" then Apache is configured to
   accept HTTPS connections.

   The following command can be used to check whether a system that is
   configured to accept HTTPS connections uses certificates for client
   authentication:
    $ grep SSLVerifyClient /etc/apache2/ssl.conf

   If the output contains the following line, then the system is
   vulnerable:
    SSLVerifyClient require

   In such cases, an unprivileged remote user could gain access to
   restricted documents served by the Apache server. This depends on the
   type of certificates in use, as described above.
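
   The checks from Note 4 and the Apache paragraphs above, as an added
   example that is not part of the Sun Alert; the function names and the
   sample inputs are constructed for illustration. It classifies the text
   output of openssl x509 by public exponent and, unlike a plain grep,
   ignores commented-out SSLVerifyClient lines.

```shell
# Added example, not from the Sun Alert. Function names are hypothetical.

# stdin:  output of `openssl x509 -pubkey -in server.crt -text`
# stdout: e3-rsa | rsa-other | not-rsa
classify_key() {
    awk '
        /Public Key Algorithm:/ { rsa = ($0 ~ /rsaEncryption/) }
        /Exponent:/             { e = $2 }
        END {
            if (!rsa)        print "not-rsa"
            else if (e == 3) print "e3-rsa"
            else             print "rsa-other"
        }'
}

# stdin:  contents of /etc/apache2/ssl.conf
# stdout: yes if an uncommented "SSLVerifyClient require" is present, else no.
# Directive names are matched case-insensitively; comment lines are skipped.
client_auth_required() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "sslverifyclient" && tolower($2) == "require" { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# Constructed sample inputs (not captured from a real system).
sample_cert_e3() {
    cat <<'EOF'
            Public Key Algorithm: rsaEncryption
                Exponent: 3 (0x3)
EOF
}
sample_cert_f4() {
    cat <<'EOF'
            Public Key Algorithm: rsaEncryption
                Exponent: 65537 (0x10001)
EOF
}
sample_ssl_conf() {
    cat <<'EOF'
#SSLVerifyClient none
<Location /restricted>
    SSLVerifyClient require
</Location>
EOF
}

echo "e=3 cert:     $(sample_cert_e3 | classify_key)"
echo "e=65537 cert: $(sample_cert_f4 | classify_key)"
echo "client auth:  $(sample_ssl_conf | client_auth_required)"
```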

3. Symptoms

   There are no predictable symptoms that would indicate the described
   issue has been exploited to forge a signature for trusted application
   data. 

4. Relief/Workaround

   Until patches can be applied, sites may wish to disable the
   verification of RSA signatures or only enable the verification of RSA
   signatures created with RSA keys that have an exponent other than 3.

   Please see the application documentation for instructions on how to
   disable verification of certificates containing keys with the above
   mentioned properties.

5. Resolution

   These issues are addressed in the following releases:

   SPARC Platform
     * Solaris 9 SSH with patches 113273-14 and 114356-11 or
       later
     * Solaris 9 Packaging utilities with patch 113713-24 or later
     * Solaris 10 with patch 121229-02 or later

   x86 Platform
     * Solaris 9 SSH with patches 114357-10 and 114858-11 or
       later
     * Solaris 9 Packaging utilities with patch 114568-23 or later
     * Solaris 10 with patch 121230-02 or later

Change History

   08-Nov-2007:
     * State: Resolved
     * Updated the Product field
     * Updated Contributing Factors and Resolution sections

   13-Nov-2007:
     * Updated the Contributing Factors section

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRzuDfSh9+71yA2DNAQJb+wP/dc7l9D/FpZXD1ougQ9amj69P02aLax73
q90xxvB+GEcrDe6CS3S1rXIrqHk87ixXcdXMPbHW4meFuSQRCCAk7ghsPStKbKFd
vyCP0YqUm02Q6A0hx3Wsg59zs6g+nnbg+Vz0aTsKKJMIzBD694rei9J5CXnVgbAT
LSfQDlp8LCM=
=mM3c
-----END PGP SIGNATURE-----