[linux-security] DoS attacks in openssl
Topic
=====
Several vulnerabilities in the OpenSSL SSL/TLS library allow denial-of-service attacks.
Problem Description
===================
OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols and includes a general purpose cryptographic
library. SSL and TLS are commonly used to provide authentication,
encryption, and integrity services to network applications including
HTTP, IMAP, POP3, SMTP, and LDAP.
Three vulnerabilities in the OpenSSL SSL/TLS library (libssl) have been
reported. Any application or system that links this library, statically
or dynamically, may be affected. All three are in the SSL/TLS handshake
and record code, so a program that uses only the cryptographic library
(libcrypto), as OpenSSH does, is not exposed to them; it should still
receive the updated packages, since the same packages carry libcrypto.
1) OpenSSL contains a null-pointer dereference in the do_change_cipher_spec()
function
Versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and 0.9.7a to
0.9.7c inclusive dereference a null pointer in the
do_change_cipher_spec() function when a ChangeCipherSpec message
arrives before the handshake has established key material. By
performing such a specially crafted SSL/TLS handshake, an
unauthenticated remote attacker can crash OpenSSL, which results in a
denial of service in the target application. No Kerberos or other
non-default configuration is required.
2) OpenSSL does not adequately validate the length of Kerberos tickets during
the SSL/TLS handshake
Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL do not adequately
validate the length of Kerberos tickets (RFC 2712) during an SSL/TLS
handshake. The Kerberos cipher suites are only compiled in when OpenSSL
is explicitly configured with Kerberos support; default builds do not
contain the affected code. By performing a specially crafted SSL/TLS
handshake with an OpenSSL system built and configured to use Kerberos,
an attacker could cause OpenSSL to crash, which may result in a denial
of service in the target application. OpenSSL 0.9.6 is not affected.
3) OpenSSL does not properly handle unknown message types
OpenSSL prior to version 0.9.6d does not properly handle unknown
SSL/TLS message types. An attacker could cause the application using
OpenSSL to enter an infinite loop, which may result in a denial of
service in the target application. OpenSSL 0.9.7 is not affected.
Affected Versions
=================
1) OpenSSL versions 0.9.6c - 0.9.6k inclusive and 0.9.7a - 0.9.7c inclusive
2) OpenSSL versions 0.9.7a - 0.9.7c inclusive (only if configured to use
Kerberos)
3) OpenSSL versions prior to 0.9.6d
Solution
========
Upgrade to OpenSSL version 0.9.6m or version 0.9.7d (or the patched
version for your distribution; the vendor packages listed below keep
their original upstream version number and carry the fix as a backport,
so judge them by the package release, not by the output of
"openssl version").
Recompile all applications that are statically linked to OpenSSL libraries.
Restart every daemon that was using the shared library: rpm -F replaces
the file on disk, but a running process keeps the old, unlinked copy
mapped until it is restarted. Note also that rpm -F (freshen) only
upgrades packages that are already installed, so the compatibility
packages listed below (openssl096, openssl095a, libssl09, ...) are
updated only on systems that have them.
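The affected-version table above and the restart requirement in the solution are easy to get wrong by hand, so here is an added example (not part of the advisory or of OpenSSL) as a POSIX shell script: it classifies a bare upstream version string such as 0.9.6k against the three issues, reports what the local openssl binary claims, and, on Linux, lists processes whose /proc/<pid>/maps still reference a replaced (deleted) libssl or libcrypto. The function names, the --live flag and the sample version list are the example's own. It classifies upstream version numbers only; a vendor build like openssl-0.9.6c-87 is patched despite its number, so for packaged systems compare the package release against the vendor list instead.

```shell
#!/bin/sh
# Added example, not from the advisory: classify an upstream OpenSSL 0.9.x
# version against the three libssl DoS issues, then (with --live, on Linux)
# look for daemons still mapping a replaced libssl/libcrypto.
# Caveat: distribution packages (e.g. openssl-0.9.6c-87) carry backported
# fixes, so "openssl version" alone cannot tell whether a vendor build is fixed.

# Map the letter suffix of a 0.9.x release to a number: "" -> 0, a -> 1, b -> 2 ...
letter_ord() {
    if [ -z "$1" ]; then
        echo 0
    else
        echo $(( $(printf '%d' "'$1") - 96 ))
    fi
}

# Print the issue numbers (1, 2, 3) that apply to a bare version string such as
# 0.9.6k or 0.9.7c; prints nothing for a fixed or unaffected release.
# Issue 2 applies only to builds configured with Kerberos support.
openssl_issues() {
    v=$1
    letter=${v##*[0-9]}          # trailing letter, if any
    base=${v%"$letter"}          # numeric part, e.g. 0.9.6
    case "$letter" in
        ?|"") ;;
        *) echo "unrecognised version: $v" >&2; return 2 ;;
    esac
    n=$(letter_ord "$letter")
    out=""
    case "$base" in
        0.9.6)
            # issue 1: 0.9.6c (c=3) .. 0.9.6k (k=11) inclusive
            if [ "$n" -ge 3 ] && [ "$n" -le 11 ]; then out="$out 1"; fi
            # issue 3: anything before 0.9.6d (d=4)
            if [ "$n" -lt 4 ]; then out="$out 3"; fi
            ;;
        0.9.7)
            # issues 1 and 2: 0.9.7a (a=1) .. 0.9.7c (c=3) inclusive
            if [ "$n" -ge 1 ] && [ "$n" -le 3 ]; then out="$out 1 2"; fi
            ;;
    esac
    echo "${out# }"
}

# Report the upstream version the local openssl binary claims.
report_installed() {
    command -v openssl >/dev/null 2>&1 || { echo "no openssl binary in PATH" >&2; return 1; }
    set -- $(openssl version)    # e.g. "OpenSSL 0.9.7a Feb 19 2003"
    issues=$(openssl_issues "$2")
    if [ -n "$issues" ]; then
        echo "openssl $2: upstream version affected by issue(s) $issues"
    else
        echo "openssl $2: upstream version not in the affected ranges"
    fi
}

# After rpm -Fvh replaces the library, a daemon that was already running keeps
# the old, now unlinked, copy mapped; /proc/<pid>/maps marks it "(deleted)".
# Those processes must be restarted. Linux only.
stale_ssl_pids() {
    for m in /proc/[0-9]*/maps; do
        if grep -Eq 'lib(ssl|crypto)[^ ]*\.so.* \(deleted\)' "$m" 2>/dev/null; then
            p=${m#/proc/}
            echo "${p%%/*}"
        fi
    done
}

# Constructed sample input: the boundary versions named in the advisory.
for sample in 0.9.6b 0.9.6c 0.9.6d 0.9.6k 0.9.6m 0.9.7a 0.9.7c 0.9.7d; do
    printf '%-8s issues: %s\n' "$sample" "$(openssl_issues "$sample")"
done
if [ "${1:-}" = "--live" ]; then
    report_installed
    echo "processes still mapping a replaced libssl/libcrypto (restart them):"
    stale_ssl_pids
fi
```

Run it with no arguments to see the classification of the sample versions, or with --live on a host to check the installed binary and find processes that still need a restart after the package update; an empty list from the last step is what you want before declaring the host fixed.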
SuSE-8.0
--------
rpm -Fvh openssl-0.9.6c-87.i386.rpm openssl-devel-0.9.6c-87.i386.rpm
SuSE-8.1
--------
rpm -Fvh openssl-0.9.6g-114.i586.rpm openssl-devel-0.9.6g-114.i586.rpm
SuSE-8.2
--------
rpm -Fvh openssl-0.9.6i-21.i586.rpm openssl-devel-0.9.6i-21.i586.rpm
SuSE-9.0
--------
rpm -Fvh openssl-0.9.7b-133.i586.rpm openssl-devel-0.9.7b-133.i586.rpm
RedHat 9
--------
rpm -Fvh openssl-0.9.7a-20.2.<arch>.rpm \
openssl-devel-0.9.7a-20.2.i386.rpm \
openssl-perl-0.9.7a-20.2.i386.rpm \
openssl096-0.9.6-25.9.i386.rpm \
openssl096b-0.9.6b-15.i386.rpm
where <arch> is either i386 or i686.
SFU 1.0 (RH 7.3)
----------------
[RPM packages available from ftp.sfu.ca/pub/linux/1.0/RPMS or via NFS
from sphinx]
rpm -Fvh openssl-0.9.6b-36.7.<arch>.rpm \
openssl-devel-0.9.6b-36.7.i386.rpm \
openssl-perl-0.9.6b-36.7.i386.rpm \
openssl096-0.9.6-25.7.i386.rpm \
openssl095a-0.9.5a-25.7.3.i386.rpm
where <arch> is either i386 or i686.
Debian 3.0 (woody)
------------------
upgrade to openssl_0.9.6c-2.woody.6_i386.deb,
libssl0.9.6_0.9.6c-2.woody.6_i386.deb,
libssl-dev_0.9.6c-2.woody.6_i386.deb,
libssl095a_0.9.5a-6.woody.5_i386.deb,
libssl09_0.9.4-6.woody.3_i386.deb,
ssleay_0.9.6c-2.woody.6_all.deb
Mandrake 9.0
------------
rpm -Fvh openssl-0.9.6i-1.7.90mdk.i586.rpm \
libopenssl0-0.9.6i-1.7.90mdk.i586.rpm \
libopenssl0-devel-0.9.6i-1.7.90mdk.i586.rpm \
libopenssl0-static-devel-0.9.6i-1.7.90mdk.i586.rpm
Mandrake 9.1
------------
rpm -Fvh openssl-0.9.7a-1.3.91mdk.i586.rpm \
libopenssl0.9.7-0.9.7a-1.3.91mdk.i586.rpm \
libopenssl0.9.7-devel-0.9.7a-1.3.91mdk.i586.rpm \
libopenssl0.9.7-static-devel-0.9.7a-1.3.91mdk.i586.rpm \
libopenssl0-0.9.6i-1.3.91mdk.i586.rpm
Mandrake 9.2
------------
rpm -Fvh openssl-0.9.7b-4.2.92mdk.i586.rpm \
libopenssl0.9.7-0.9.7b-4.2.92mdk.i586.rpm \
libopenssl0.9.7-devel-0.9.7b-4.2.92mdk.i586.rpm \
libopenssl0.9.7-static-devel-0.9.7b-4.2.92mdk.i586.rpm