[cobalt-security] OPENSSL vulnerability

Here is a nice little problem looming for us it seems ...
Any comments from ye'o'wise ones?

This looks like a REAL BIG problem :(

Apologies for the collection of forwarded mails, but I figured I may not re-explain this one too well :(
--
Regards, Kul      http://akakul.co.uk/
Backup Solutions: http://camelbackup.com/
FREE Scripts:     http://scripts.akakul.co.uk/
Get Summarizer; the Admin tool for Webalizer
http://scripts.akakul.co.uk/summarizer/


------------------------------------------------------------------------

Subject:
OpenSSL Security Alert - Remote Buffer Overflows
From:
Ben Laurie <ben@xxxxxxxxxxxxx>
Date:
Tue, 30 Jul 2002 10:58:19 +0100

To:
OpenSSL Announce <openssl-announce@xxxxxxxxxxx>, Bugtraq
<BUGTRAQ@xxxxxxxxxxxxxxxxx>, Apache SSL Announce
<apache-sslannounce@xxxxxxxxxxxxxxxxxxxxx>


OpenSSL Security Advisory [30 July 2002]

This advisory consists of two independent advisories, merged, and is
an official OpenSSL advisory.

Advisory 1
==========

A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) are
conducting a security review of OpenSSL, under the DARPA program
CHATS.

Vulnerabilities
---------------

All four of these are potentially remotely exploitable.

1. The client master key in SSL2 could be oversized and overrun a
   buffer. This vulnerability was also independently discovered by
   consultants at Neohapsis (http://www.neohapsis.com/) who have also
   demonstrated that the vulnerability is exploitable. Exploit code is
   NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and
   overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and
   overrun a stack-based buffer. This issue only affects OpenSSL
   0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too
   small on 64 bit platforms.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue
3, and CAN-2002-0655 to issue 4.

In addition various potential buffer overflows not known to be
exploitable have had assertions added to defend against them.

Who is affected?
----------------

Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or
current development snapshots of 0.9.7 to provide SSL or TLS is
vulnerable, whether client or server. 0.9.6d servers on 32-bit systems
with SSL 2.0 disabled are not vulnerable.

SSLeay is probably also affected.

Recommendations
---------------

Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL
0.9.6e. Recompile all applications using OpenSSL to provide SSL or
TLS.

A patch for 0.9.7 is available from the OpenSSL website
(http://www.openssl.org/).

Servers can disable SSL2, alternatively disable all applications using
SSL or TLS until the patches are applied. Users of 0.9.7 pre-release
versions with Kerberos enabled will also have to disable Kerberos.

Clients should be disabled altogether until the patches are applied.

Known Exploits
--------------

There are no known exploits available for these vulnerabilities. As
noted above, Neohapsis have demonstrated internally that an exploit is
possible, but have not released the exploit code.

References
----------

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657

Acknowledgements
----------------

The project leading to this advisory is sponsored by the Defense
Advanced Research Projects Agency (DARPA) and Air Force Research
Laboratory, Air Force Materiel Command, USAF, under agreement number
F30602-01-2-0537.

The patch and advisory were prepared by Ben Laurie.



Advisory 2
==========

Vulnerabilities
---------------

The ASN1 parser can be confused by supplying it with certain invalid
encodings.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0659 to this issue.

Who is affected?
----------------

Any OpenSSL program which uses the ASN1 library to parse untrusted
data. This includes all SSL or TLS applications, those using S/MIME
(PKCS#7) or certificate generation routines.

Recommendations
---------------

Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile
all applications using OpenSSL.

Users of 0.9.7 pre-release versions should apply the patch or upgrade
to 0.9.7-beta3 or later. Recompile all applications using OpenSSL.

Exploits
--------

There are no known exploits for this vulnerability.

References
----------

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659

Acknowledgements
----------------

This vulnerability was discovered by Adi Stav <stav@xxxxxxxxxxxxx>
and James Yonan <jim@xxxxxxxx> independently. The patch is partly
based on a version by Adi Stav.

The patch and advisory were prepared by Dr. Stephen Henson.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

Available for contract work.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

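The four issues in Advisory 1 and the ASN.1 issue in Advisory 2 share a root cause: a length that the peer controls is trusted before it is checked against the buffer or the input it governs. The C below is an added example written for this page, not code from OpenSSL or from the advisory, showing the checks a hardened parser makes before it copies or converts anything. It assumes a constructed record layout for the session-ID case (one length byte, then payload) and the 32-byte session-ID cap that SSL3/TLS defines; `parse_session_id`, `der_decode_length`, `format_decimal` and `DECIMAL_BUF_SIZE` are names chosen here.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* --- 1. Length-prefixed field into a fixed buffer (Advisory 1, items 1-3) ---
 * Constructed layout: one length byte followed by that many payload bytes.
 * The sender controls the length byte, so it is checked against BOTH the
 * destination capacity and the bytes actually present before any copy.
 * SSL3/TLS caps a session ID at 32 bytes, hence the destination size. */
#define SESSION_ID_MAX 32

typedef struct {
    unsigned char id[SESSION_ID_MAX];
    size_t len;
} session_id;

/* Returns the number of input bytes consumed, or 0 if the record is rejected. */
size_t parse_session_id(const unsigned char *in, size_t in_len, session_id *out)
{
    if (in == NULL || out == NULL || in_len < 1)
        return 0;
    size_t claimed = in[0];
    if (claimed > SESSION_ID_MAX)          /* oversized: would overrun out->id */
        return 0;
    if (claimed > in_len - 1)              /* truncated: would read past the input */
        return 0;
    memcpy(out->id, in + 1, claimed);
    out->len = claimed;
    return 1 + claimed;
}

/* --- 2. DER length decoding (Advisory 2) ---
 * Decodes the length octets that follow a DER tag and rejects the encodings a
 * confused parser would otherwise accept: indefinite length (0x80), lengths
 * wider than size_t, non-minimal long forms (e.g. 0x81 0x05 for a value that
 * fits the short form), and lengths that exceed the remaining input.
 * Returns the number of length octets consumed, or 0 on rejection. */
size_t der_decode_length(const unsigned char *in, size_t in_len, size_t *out_len)
{
    if (in == NULL || out_len == NULL || in_len < 1)
        return 0;
    unsigned char first = in[0];
    if (first < 0x80) {                    /* short form: one octet */
        if (first > in_len - 1) return 0;
        *out_len = first;
        return 1;
    }
    size_t nbytes = first & 0x7f;
    if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes > in_len - 1)
        return 0;                          /* indefinite, too wide, or truncated */
    if (in[1] == 0x00)
        return 0;                          /* leading zero octet: non-minimal */
    size_t len = 0;
    for (size_t i = 0; i < nbytes; i++)
        len = (len << 8) | in[1 + i];
    if (nbytes == 1 && len < 0x80)
        return 0;                          /* long form where short form fits */
    if (len > in_len - 1 - nbytes)
        return 0;                          /* content would extend past the input */
    *out_len = len;
    return 1 + nbytes;
}

/* --- 3. Integer-to-ASCII buffer sizing (Advisory 1, item 4) ---
 * A buffer sized by hand for a 32-bit value (11 bytes) silently becomes too
 * small when the type is 64 bits wide. Derive the size from the type instead
 * and use a bounded conversion whose result is checked. */
#define DECIMAL_BUF_SIZE(type) (sizeof(type) * CHAR_BIT / 3 + 3) /* digits + sign + NUL */

/* Writes v in decimal into out[cap]; returns chars written, or -1 if it would not fit. */
int format_decimal(char *out, size_t cap, long long v)
{
    int n = snprintf(out, cap, "%lld", v);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0) out[0] = '\0';        /* never leave a partial, unterminated value */
        return -1;
    }
    return n;
}

int main(void)
{
    unsigned char oversized[] = {0xC8, 'a'};   /* constructed: claims 200 bytes */
    session_id sid;
    printf("oversized session id consumed: %zu bytes\n",
           parse_session_id(oversized, sizeof oversized, &sid));
    char wide[DECIMAL_BUF_SIZE(long long)];
    printf("LLONG_MIN needs %d chars in a %zu-byte buffer\n",
           format_decimal(wide, sizeof wide, LLONG_MIN), sizeof wide);
    return 0;
}
```

Each function signals rejection with 0 or -1 rather than clamping, so a caller can treat a bad length as a protocol error and drop the connection instead of letting the oversized value reach memcpy; that is the effect of the bounds checks and assertions the advisory says were added.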
------------------------------------------------------------------------

Subject:
TSLSA-2002-0063 - openssl
From:
tsl@xxxxxxxxxxx (Trustix Secure Linux Advisor)
Date:
Tue, 30 Jul 2002 15:05:53 +0200

To:
bugtraq@xxxxxxxxxxxxxxxxx


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0063

Package name:      openssl
Summary:           Multiple security problems
Date:              2002-07-29
Affected versions: TSL 1.1, 1.2, 1.5

- --------------------------------------------------------------------------

Problem description:
  Several severe security problems have been found in the openssl source
  code upon which the TSL openssl packages are based. Most of these
  vulnerabilities have a potential for remote exploitation, even though no
  exploits are currently released.
  The upstream development group have provided us with patches that fix
  the problems.

  These issues have been assigned the following CVE names:
  CAN-2002-0655, CAN-2002-0656, and CAN-2002-0659.

  More information:
  <URI: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655>
  <URI: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656>
  <URI: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659>

Action:
  We recommend that all systems with this package installed are upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Public testing:
  These packages have been available for public testing for some time.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailinglist.
  The testing tree is located at
  <URI:http://www.trustix.net/pub/Trustix/testing/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/testing/>


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.net/support/>


Verification:
  This advisory along with all TSL packages is signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/> and
  <URI:http://www.trustix.net/errata/trustix-1.5/>
  or directly at

<URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0063-openssl.asc.txt>


MD5sums of the packages:
- --------------------------------------------------------------------------
0c51861ce4432c3f669657e2c4971c6f  ./1.5/SRPMS/openssl-0.9.6-10tr.src.rpm
eb8a64dba138584b8085aec8d9ccaf0c  ./1.5/RPMS/openssl-support-0.9.6-10tr.i586.rpm
9db293f035fbd82a3482ab87d3465eb2  ./1.5/RPMS/openssl-python-0.9.6-10tr.i586.rpm
582d08bb63676a33da1aa89a33a05914  ./1.5/RPMS/openssl-devel-0.9.6-10tr.i586.rpm
2d05569684b868cbacca9e389ded3f0f  ./1.5/RPMS/openssl-0.9.6-10tr.i586.rpm
96053f774317702af40705697a2460d4  ./1.2/SRPMS/openssl-0.9.6-3tr.src.rpm
84b50e02167b61a9d3093bcc055c7b45 ./1.2/RPMS/openssl-devel-0.9.6-3tr.i586.rpm
b0c3b99917e1c69f593a74b9989a33f9  ./1.2/RPMS/openssl-0.9.6-3tr.i586.rpm
96053f774317702af40705697a2460d4  ./1.1/SRPMS/openssl-0.9.6-3tr.src.rpm
111d6f3e42c2410a11ac4704036a31ef ./1.1/RPMS/openssl-devel-0.9.6-3tr.i586.rpm
23d4bef487e86dfff1854f3f3c6fd867  ./1.1/RPMS/openssl-0.9.6-3tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9RSsqwRTcg4BxxS0RAgv0AJsGLRMNaZ2pmZdE4NRQCLgfRpNLygCdHfkE
3bFFVLoH4NXOBs+mT/i8T4E=
=Ydxh
-----END PGP SIGNATURE-----


------------------------------------------------------------------------

Subject:
[OpenPKG-SA-2002.007] OpenPKG Security Advisory (mm)
From:
OpenPKG <openpkg@xxxxxxxxxxx>
Date:
Tue, 30 Jul 2002 15:05:33 +0200

To:
bugtraq@xxxxxxxxxxxxxxxxx


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@xxxxxxxxxxx openpkg@xxxxxxxxxxx
OpenPKG-SA-2002.007                                          30-Jul-2002
________________________________________________________________________

Package:             mm
Vulnerability:       local root exploit
OpenPKG Specific:    no

Affected  Releases:  OpenPKG 1.0         OpenPKG CURRENT
Affected  Packages:  <= mm-1.1.3-1.0.0   <= mm-1.1.3
Corrected Packages:  >= mm-1.1.3-1.0.1   >= mm-1.2.0
Dependent Packages:  apache              apache

Description:
  Marcus Meissner and Sebastian Krahmer discovered a race condition
  on creating temporary files in the OSSP mm library. The Common
  Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2002-0658 [5] to the problem. The bug affects all programs which
  are linked with OSSP mm. This may allow an attacker to conduct a local
  root exploit. OSSP mm is often used in Apache setups using mod_ssl
  and/or mod_php. Here the vulnerability can be exploited to obtain
  root privilege if shell access to the Apache run-time user is already
  obtained.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q mm". If you have the "mm" package installed and its version is
  affected (see above), we recommend that you immediately upgrade it
  (see Solution). Additionally, we recommend that you rebuild and
  reinstall all dependent OpenPKG packages, too. [2]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
  verify its integrity [1], build a corresponding binary RPM from it
  and update your OpenPKG installation by applying the binary RPM [2].
  For the latest OpenPKG 1.0 release, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get mm-1.1.3-1.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig mm-1.1.3-1.0.1.src.rpm
  $ <prefix>/bin/rpm --rebuild mm-1.1.3-1.0.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/mm-1.1.3-1.0.1.*.rpm

  Now proceed and rebuild and reinstall all dependent OpenPKG packages,
  too. [6]
________________________________________________________________________

References:
  [1]  http://www.openpkg.org/security.html#signature
  [2]  http://www.openpkg.org/tutorial.html#regular-source
  [3]  ftp://ftp.openpkg.org/release/1.0/UPD/
  [4]  ftp://ftp.openpkg.org/release/1.0/UPD/mm-1.1.3-1.0.1.src.rpm
  [5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0658
  [6]  ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.4.src.rpm
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>

iEYEARECAAYFAj1GjiIACgkQgHWT4GPEy5+dRwCdGCpZ3TCpxh39dB0ZgbieXvLd
QiQAoOUJCijAwnAaHGdf/cVC3RhFDISy
=LA85
-----END PGP SIGNATURE-----

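The mm advisory describes a check-then-open race on temporary file creation: between the moment a program tests a chosen name and the moment it opens it, another local user can place a symlink there, and the later open follows the link with the program's privileges. As an added example (not OSSP mm's code and not from the advisory), the C below shows the pattern that closes that race: atomic creation through mkstemp, followed by verification of the open descriptor before it is trusted. The template prefix `mm-example-`, the function names and the TMPDIR-or-/tmp directory choice are assumptions made here.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Checks that an already-open descriptor is a private, regular file owned by
 * the caller: what a program must confirm before it relies on a temporary
 * file. Returns 0 if acceptable, -1 otherwise. */
int verify_private_tmpfile(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode)) return -1;      /* FIFO, device, or symlink target: reject */
    if (st.st_nlink != 1) return -1;          /* hard-linked elsewhere: reject */
    if (st.st_uid != geteuid()) return -1;    /* not owned by us: reject */
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) return -1; /* group/other access: reject */
    return 0;
}

/* Racy pattern (the class the advisory describes, not reproduced here):
 *   pick a name -> stat() says it does not exist -> open(name, O_CREAT)
 * The gap between stat() and open() is the window for a planted symlink.
 *
 * Safe pattern: let the kernel create the file atomically. mkstemp uses
 * O_CREAT|O_EXCL and mode 0600, so an existing name or a planted symlink
 * makes the call fail instead of being followed. The descriptor is then
 * verified before use. path_out receives the generated name; returns the
 * open fd, or -1 on any failure. */
int create_private_tmpfile(char *path_out, size_t cap)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || dir[0] == '\0') dir = "/tmp";
    int n = snprintf(path_out, cap, "%s/mm-example-XXXXXX", dir); /* constructed prefix */
    if (n < 0 || (size_t)n >= cap) return -1;
    int fd = mkstemp(path_out);               /* atomic create, O_EXCL, 0600 */
    if (fd < 0) return -1;
    if (verify_private_tmpfile(fd) != 0) {    /* belt and braces: never trust blindly */
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[256];
    int fd = create_private_tmpfile(path, sizeof path);
    if (fd < 0) {
        perror("create_private_tmpfile");
        return 1;
    }
    printf("created %s (fd %d), verified private regular file\n", path, fd);
    close(fd);
    unlink(path);
    return 0;
}
```

The verification step matters even with mkstemp: it catches a libc whose mkstemp uses a permissive mode, and it is the same check a program should apply to any temporary file handed to it by another component.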

------------------------------------------------------------------------

Subject:
[OpenPKG-SA-2002.008] OpenPKG Security Advisory (openssl)
From:
OpenPKG <openpkg@xxxxxxxxxxx>
Date:
Tue, 30 Jul 2002 15:06:36 +0200

To:
bugtraq@xxxxxxxxxxxxxxxxx


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@xxxxxxxxxxx openpkg@xxxxxxxxxxx
OpenPKG-SA-2002.008                                          30-Jul-2002
________________________________________________________________________

Package:             openssl
Vulnerability:       denial of service / remote root exploit
OpenPKG Specific:    no

Affected  Releases:  OpenPKG 1.0               OpenPKG CURRENT
Affected  Packages:  <= openssl-0.9.6b-1.0.0   <= openssl-0.9.6d
Corrected Packages:  >= openssl-0.9.6b-1.0.1   >= openssl-0.9.6e
Dependent Packages:  apache                    apache
                     curl                      bind
                     fetchmail                 cadaver
                     imapd                     cpu
                     inn                       curl
                     links                     dsniff
                     lynx                      exim
                     mutt                      fetchmail
                     openldap                  imapd
                     openssh                   inn
                     perl-ssl                  links
                     postfix                   lynx
                     postgresql                mutt
                     qpopper                   neon
                     samba                     openldap
                     sasl                      openssh
                     scanssh                   openvpn
                     sendmail                  perl-ssl
                     siege                     postfix
                     sitecopy                  postgresql
                     snmp                      qpopper
                     stunnel                   rdesktop
                     tcpdump                   samba
                     w3m                       sasl
                                               scanssh
                                               sendmail
                                               siege
                                               sitecopy
                                               snmp
                                               stunnel
                                               sysmon
                                               tcpdump
                                               w3m

Description:
  According to an official security advisory from the OpenSSL team,
  there are four remotely exploitable buffer overflows that affect
  various OpenSSL client and server implementations [5]. There are
  also parsing problems in the ASN.1 library used by OpenSSL. The
  Common Vulnerabilities and Exposures (CVE) project assigned the
  ids CAN-2002-0655 [6], CAN-2002-0656 [7], CAN-2002-0657 [8] and
  CAN-2002-0659 [9] to the problems. Several of these vulnerabilities
  could be used by a remote attacker to execute arbitrary code on the
  target system. All could be used to create a denial of service.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssl". If you have the "openssl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). Additionally, you have to rebuild and reinstall all
  dependent OpenPKG packages, too. [2]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
  verify its integrity [1], build a corresponding binary RPM from it
  and update your OpenPKG installation by applying the binary RPM [2].
  For the latest OpenPKG 1.0 release, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get openssl-0.9.6b-1.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig openssl-0.9.6b-1.0.1.src.rpm
  $ <prefix>/bin/rpm --rebuild openssl-0.9.6b-1.0.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.6b-1.0.1.*.rpm

  Now proceed and rebuild and reinstall all dependent OpenPKG packages,
  too (see list above).
________________________________________________________________________

References:
  [1]  http://www.openpkg.org/security.html#signature
  [2]  http://www.openpkg.org/tutorial.html#regular-source
  [3]  ftp://ftp.openpkg.org/release/1.0/UPD/
  [4]  ftp://ftp.openpkg.org/release/1.0/UPD/openssl-0.9.6b-1.0.1.src.rpm
  [5]  http://www.openssl.org/news/secadv_20020730.txt
  [6]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
  [7]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
  [8]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657
  [9]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>

iEYEARECAAYFAj1GjigACgkQgHWT4GPEy5+F4wCgu8B6yxJsB6Lu7bygw9FKUAhH
4xsAoKTteo/qotFgoki3JYpuGufyp4vL
=k9ol
-----END PGP SIGNATURE-----