Network Security
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
FW: New OpenSSL releases fix denial of service attacks [17 March 2004]
- From: Howell, Paul
- Date: Wed Mar 17 09:47:46 2004
-----Original Message-----
From: Mark J Cox [mailto:mark@awe.com]
Sent: Wednesday, March 17, 2004 8:12 AM
To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com
Subject: New OpenSSL releases fix denial of service attacks [17 March 2004]
-----BEGIN PGP SIGNED MESSAGE-----
OpenSSL Security Advisory [17 March 2004]
Updated versions of OpenSSL are now available which correct two
security issues:
1. Null-pointer assignment during SSL handshake
===============================================
Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool
uncovered a null-pointer assignment in the
do_change_cipher_spec() function. A remote attacker could perform a
carefully crafted SSL/TLS handshake against a server that used the OpenSSL
library in such a way as to cause OpenSSL to crash. Depending on the
application this could lead to a denial of service.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0079 to this issue.
All versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from 0.9.7a to
0.9.7c inclusive are affected by this issue. Any application that makes use
of OpenSSL's SSL/TLS library may be affected. Please contact your
application vendor for details.
2. Out-of-bounds read affects Kerberos ciphersuites
===================================================
Stephen Henson discovered a flaw in SSL/TLS handshaking code when using
Kerberos ciphersuites. A remote attacker could perform a carefully crafted
SSL/TLS handshake against a server configured to use Kerberos ciphersuites
in such a way as to cause OpenSSL to crash. Most applications have no
ability to use Kerberos ciphersuites and will therefore be unaffected.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0112 to this issue.
Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this issue.
Any application that makes use of OpenSSL's SSL/TLS library may be affected.
Please contact your application vendor for details.
Recommendations
- ---------------
Upgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications
statically linked to OpenSSL libraries.
OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and
FTP from the following master locations (you can find the various FTP
mirrors under http://www.openssl.org/source/mirror.html):
ftp://ftp.openssl.org/source/
The distribution file names are:
o openssl-0.9.7d.tar.gz
MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5
o openssl-0.9.6m.tar.gz [normal]
MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9
o openssl-engine-0.9.6m.tar.gz [engine]
MD5 checksum: 4c39d2524bd466180f9077f8efddac8c
The checksums were calculated using the following command:
openssl md5 openssl-0.9*.tar.gz
Credits
- -------
Patches for these issues were created by Dr Stephen Henson
(steve@openssl.org) of the OpenSSL core team. The OpenSSL team would like
to thank Codenomicon for supplying the TLS Test Tool which was used to
discover these vulnerabilities, and Joe Orton of Red Hat for performing the
majority of the testing.
References
- ----------
http://www.codenomicon.com/testtools/tls/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20040317.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iQCVAwUBQFhNTO6tTP1JpWPZAQGayAP/TpKP7CKrRR65w5+zr2/Nlw+Cz6UbY0Rd
G1Po5mgZjaP4V63d2TD11IvvZLbjeIeGQj7GxKupcYCn2CxI83xjhwM71vsS6rvQ
pQZAhM5IVvb4HERbGI0hryO10rd1V+fCTzxfB0pBsG1VtEL2jTULyuWgwsA/z0/j
Ez3jSlsbRRA=
=wvAZ
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------
|
