copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2016.0543.2 - UPDATED ALERT [Win][UNIX/Linux] OpenSSL: Multiple vulnerabilities

Date: 08 March 2016
References: ASB-2015.0027  ASB-2015.0044  ASB-2015.0070  ESB-2015.2193  ASB-2015.0103  ESB-2016.0251  ESB-2016.0479  ESB-2016.0544  ESB-2016.0547  ESB-2016.0560  
ESB-2016.0569  ASB-2016.0019  ESB-2016.0584  ESB-2016.0601  ESB-2016.0650  ESB-2016.0678  ESB-2016.0690  ESB-2016.0796  ESB-2016.0799  ESB-2016.0833  ESB-2016.0843  
ESB-2016.0846  ESB-2016.0871  ESB-2016.0878  ASB-2016.0036  ESB-2016.0906  ESB-2016.0917  ESB-2016.0954  ESB-2016.0960  ESB-2016.0990  ESB-2016.0991  ESB-2016.1021  
ESB-2016.1029  ESB-2016.1039  ESB-2016.1071  ESB-2016.1081  ESB-2016.1086  ESB-2016.1098  ESB-2016.1116  ESB-2016.1119  ESB-2016.1154  ESB-2016.1172  ESB-2016.1199  
ESB-2016.1228  ESB-2016.1243  ESB-2016.1254  ESB-2016.1263  ESB-2016.1321  ESB-2016.1322  ESB-2016.1380  ESB-2016.1405  ESB-2016.1485  ESB-2016.1528  ESB-2016.1537  
ESB-2016.1538  ESB-2016.1655  ESB-2016.1657  ESB-2016.1694  ESB-2016.1789  ESB-2016.1844  ASB-2016.0079  ESB-2016.1895  ESB-2016.1943  ESB-2016.2028  ESB-2016.2031  
ESB-2016.2037  ESB-2016.2083  ESB-2016.2116  ESB-2016.2196  ESB-2016.2199  ESB-2016.2411  ESB-2016.2439  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2016.0543.2
                OpenSSL Security Advisory [1st March 2016]
                               8 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenSSL
Publisher:         OpenSSL
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2842 CVE-2016-0800 CVE-2016-0799
                   CVE-2016-0798 CVE-2016-0797 CVE-2016-0705
                   CVE-2016-0704 CVE-2016-0703 CVE-2016-0702
                   CVE-2015-3197 CVE-2015-0293 

Reference:         ESB-2016.0479
                   ESB-2016.0251
                   ASB-2015.0103
                   ASB-2015.0070
                   ASB-2015.0044
                   ASB-2015.0027
                   ESB-2015.2193

Original Bulletin: 
   https://www.openssl.org/news/secadv/20160301.txt

Comment: NVD released information about a new vulnerability affecting OpenSSL
         (CVE-2016-2842). NVD advises the vulnerability is due to the absence
         of memory allocations success verification in openssl 1.0.1. 
         Potential impacts include remote denial of service and code 
         execution.

Revision History:  March 8 2016: Introduced new vulnerability CVE-2016-2842 
                                 (See comment)
                   March 2 2016: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

OpenSSL Security Advisory [1st March 2016]
=========================================

NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as
well as removing SSLv2 EXPORT ciphers.  We strongly advise against the use of
SSLv2 due not only to the issues described below, but to the other known
deficiencies in the protocol as described at
https://tools.ietf.org/html/rfc6176


Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
================================================================

Severity: High

A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle.  Note that traffic between clients and
non-vulnerable servers can be decrypted provided another server supporting
SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or
POP) shares the RSA keys of the non-vulnerable server. This vulnerability is
known as DROWN (CVE-2016-0800).

Recovering one session key requires the attacker to perform approximately 2^50
computation, as well as thousands of connections to the affected server. A more
efficient variant of the DROWN attack exists against unpatched OpenSSL servers
using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on
19/Mar/2015 (see CVE-2016-0703 below).

Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS
servers, if they've not done so already. Disabling all SSLv2 ciphers is also
sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and
1.0.2f) have been deployed.  Servers that have not disabled the SSLv2 protocol,
and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
ciphers are nominally disabled, because malicious clients can force the use of
SSLv2 with EXPORT ciphers.

OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN:

SSLv2 is now by default disabled at build-time.  Builds that are not configured
with "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will
need to explicitly call either of:

   SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
   or
   SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate.  Even if either of those is used, or the application explicitly
uses the version-specific SSLv2_method() or its client or server variants,
SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed.
Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no
longer available.

In addition, weak ciphers in SSLv3 and up are now disabled in default builds of
OpenSSL.  Builds that are not configured with "enable-weak-ssl-ciphers" will
not provide any "EXPORT" or "LOW" strength ciphers.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on December 29th 2015 by Nimrod Aviram and
Sebastian Schinzel. The fix was developed by Viktor Dukhovni and Matt Caswell
of OpenSSL.


Double-free in DSA code (CVE-2016-0705)
=======================================

Severity: Low

A double free bug was discovered when OpenSSL parses malformed DSA private keys
and could lead to a DoS attack or memory corruption for applications that
receive DSA private keys from untrusted sources.  This scenario is considered
rare.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on February 7th 2016 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr Stephen Henson
of OpenSSL.


Memory leak in SRP database lookups (CVE-2016-0798)
===================================================

Severity: Low

The SRP user database lookup method SRP_VBASE_get_by_user had
confusing memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no way of
distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.  Servers that do not configure SRP, or
configure SRP but do not configure a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in
SRP_VBASE_get_by_user is now disabled even if the user has configured
a seed.  Applications are advised to migrate to
SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong
guarantees about the indistinguishability of valid and invalid
logins. In particular, computations are currently not carried out in
constant time.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was discovered on February 23rd 2016 by Emilia Käsper of
the OpenSSL development team. Emilia Käsper also developed the fix.


BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
======================================================================

Severity: Low

In the BN_hex2bn function the number of hex digits is calculated using an int
value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values
of |i| this can result in |bn_expand| not allocating any memory because |i * 4|
is negative. This can leave the internal BIGNUM data field as NULL leading to a
subsequent NULL ptr deref. For very large values of |i|, the calculation |i * 4|
could be a positive value smaller than |i|. In this case memory is allocated to
the internal BIGNUM data field, but it is insufficiently sized leading to heap
corruption. A similar issue exists in BN_dec2bn. This could have security
consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with
very large untrusted hex/dec data. This is anticipated to be a rare occurrence.

All OpenSSL internal usage of these functions use data that is not expected to
be untrusted, e.g. config file data or application command line arguments. If
user developed applications generate config file data based on untrusted data
then it is possible that this could also lead to security consequences. This is
also anticipated to be rare.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on February 19th 2016 by Guido Vranken.  The
fix was developed by Matt Caswell of the OpenSSL development team.

Fix memory issues in BIO_*printf functions (CVE-2016-0799)
==========================================================

Severity: Low

The internal |fmtstr| function used in processing a "%s" format string in the
BIO_*printf functions could overflow while calculating the length of a string
and cause an OOB read when printing very long strings.

Additionally the internal |doapr_outch| function can attempt to write to an OOB
memory location (at an offset from the NULL pointer) in the event of a memory
allocation failure. In 1.0.2 and below this could be caused where the size of a
buffer to be allocated is greater than INT_MAX. E.g. this could be in processing
a very long "%s" format string. Memory leaks can also occur.

The first issue may mask the second issue dependent on compiler behaviour.
These problems could enable attacks where large amounts of untrusted data is
passed to the BIO_*printf functions. If applications use these functions in this
way then they could be vulnerable. OpenSSL itself uses these functions when
printing out human-readable dumps of ASN.1 data. Therefore applications that
print this data could be vulnerable if the data is from untrusted sources.
OpenSSL command line applications could also be vulnerable where they print out
ASN.1 data, or if untrusted data is passed as command line arguments.

Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on February 23rd by Guido Vranken.  The
fix was developed by Matt Caswell of the OpenSSL development team.

Side channel attack on modular exponentiation (CVE-2016-0702)
=============================================================

Severity: Low

A side-channel attack was found which makes use of cache-bank conflicts on the
Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA
keys.  The ability to exploit this issue is limited as it relies on an attacker
who has control of code in a thread running on the same hyper-threaded core as
the victim thread which is performing decryptions.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s

This issue was reported to OpenSSL on Jan 8th 2016 by Yuval Yarom, The
University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv
University, and Nadia Heninger, University of Pennsylvania with more
information at http://cachebleed.info.  The fix was developed by Andy Polyakov
of OpenSSL.


Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
================================================================

Severity: High

This issue only affected versions of OpenSSL prior to March 19th 2015 at which
time the code was refactored to address vulnerability CVE-2015-0293.

s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If
clear-key bytes are present for these ciphers, they *displace* encrypted-key
bytes. This leads to an efficient divide-and-conquer key recovery attack: if an
eavesdropper has intercepted an SSLv2 handshake, they can use the server as an
oracle to determine the SSLv2 master-key, using only 16 connections to the
server and negligible computation.

More importantly, this leads to a more efficient version of DROWN that is
effective against non-export ciphersuites, and requires no significant
computation.

This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all
earlier versions.  It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf
(released March 19th 2015).

This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J.
Alex Halderman of the University of Michigan.  The underlying defect had by
then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015.  The fix
for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d
(1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf).


Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
==============================================

Severity: Moderate

This issue only affected versions of OpenSSL prior to March 19th 2015 at which
time the code was refactored to address the vulnerability CVE-2015-0293.

s2_srvr.c overwrite the wrong bytes in the master-key when applying
Bleichenbacher protection for export cipher suites.  This provides a
Bleichenbacher oracle, and could potentially allow more efficient variants of
the DROWN attack.

This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all
earlier versions.  It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf
(released March 19th 2015).

This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J.
Alex Halderman of the University of Michigan.  The underlying defect had by
then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015.  The fix
for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d
(1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf).

Note
====

As per our previous announcements and our Release Strategy
(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL
version 1.0.1 will cease on 31st December 2016. No security updates for that
version will be provided after that date. Users of 1.0.1 are advised to
upgrade.

Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those
versions are no longer receiving security updates.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20160301.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVt5BLn6ZAP0PgtI9AQIPHxAAuj4vItw5FvUwrm+DOkYnrSETKwIUnAoM
GMpGYJDFqTEItgJxAANXBVUTYrdzSXMgVu4R7U5qAGENxXwHA1trlFot0KSRna3y
UOZQLn85ImCe+RucqD9FYgQItrR8CsPDofmYHt2Ys9IvyP3DjNfd4WPRciL1JlBW
7Y+2EPHo+60q3Esy+gRsoWGWN3MiMxxbW7/HHXQB8wc35tMIniXyff5JLC3WpbQ/
ZcpDGP/+b3HcvTcA9L3eXQ28e1zG+/ytv4UFF+XETMDaBIfoOvKlP4TPdZP6Y4C7
dIQEiPFNfAIJkWST2tGiE23XRJTsa14pQgNHCiBnpEvSQLWGCUJqWpU+aiXwA0jQ
nU7BfSOj5Tuylw4aHk2RSKbONZQnNOzXfnFJpr/ZhHgVfqDzfIJ6I6li7nP8dpvZ
zgOujdOpsfhLyxGofdOI9yAmtMEOFuKx4HCndx727tBWU1lu3N3UhQsb/4+aOpFC
iBrqxymN+Aq5eRKKToJj136OX3e5q9sjsRRoK/BidglYS9cycLQD8zEd3yw2/3mw
FsnXHFY8XLqZVXTDTZOg8oSjuvKeqs0RG9G7m7CvIPbZBcYJRc7B9N3YnTUW2h0C
sWn/1dX0t7ULOdDWLqEgkiPjBjhEgcf73rOkqkcLJUtxepzJPHdWt+NR/loRA3yn
P7abN+JAcPM=
=horH
-----END PGP SIGNATURE-----