<<< Date Index >>>     <<< Thread Index >>>

CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS Implementations



-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS
Implementations

   Original issue date: October 1, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.


Systems Affected

     * OpenSSL versions prior to 0.9.7c and 0.9.6k
     * Multiple SSL/TLS implementations
     * SSLeay library


Overview

   There are multiple vulnerabilities in different implementations of the
   Secure   Sockets  Layer  (SSL)  and  Transport  Layer  Security  (TLS)
   protocols.  These  vulnerabilities  occur primarily in Abstract Syntax
   Notation  One  (ASN.1)  parsing code. The most serious vulnerabilities
   may  allow  a  remote  attacker  to execute arbitrary code. The common
   impact is denial of service.


I. Description

   SSL  and  TLS  are  used  to  provide  authentication, encryption, and
   integrity  services to higher-level network applications such as HTTP.
   Cryptographic   elements   used   by  the  protocols,  such  as  X.509
   certificates, are represented as ASN.1 objects. In order to encode and
   decode   these   objects,   many  SSL  and  TLS  implementations  (and
   cryptographic libraries) include ASN.1 parsers.

   OpenSSL is a widely-deployed open source implementation of the SSL and
   TLS  protocols.  OpenSSL also provides a general-purpose cryptographic
   library that includes an ASN.1 parser.

   The U.K. National Infrastructure Security Co-ordination Centre (NISCC)
   has   developed   a  test  suite  to  analyze  the  way  SSL  and  TLS
   implementations  handle  exceptional ASN.1 objects contained in client
   and  server  certificate  messages. Although the test suite focuses on
   certificate  messages,  any  untrusted ASN.1 element may be used as an
   attack  vector.  An advisory from OpenSSL describes as vulnerable "Any
   application  that  makes  use  of  OpenSSL's  ASN1  library  to  parse
   untrusted data. This includes all SSL or TLS applications, those using
   S/MIME (PKCS#7) or certificate generation routines."

   There are two certificate message attack vectors. An attacker can send
   crafted client certificate messages to a server, or attempt to cause a
   client  to  connect to a server under the attacker's control. When the
   client connects, the attacker can deliver a crafted server certificate
   message.  Note that the standards for TLS (RFC 2246) and SSL 3.0 state
   that  a  client  certificate  message  "...is  only sent if the server
   requests a certificate." To reduce exposure to these types of attacks,
   an   SSL/TLS  server  should  ignore  unsolicited  client  certificate
   messages (VU#732952).

   NISCC  has  published  two  advisories  describing  vulnerabilities in
   OpenSSL    (006489/OpenSSL)    and   other   SSL/TLS   implementations
   (006489/TLS).  The  second advisory covers multiple vulnerabilities in
   many  vendors'  products.  Further  details,  including  vendor status
   information, are available in the following vulnerability notes.

    VU#935264 - OpenSSL ASN.1 parser insecure memory deallocation
    A vulnerability  in  the way OpenSSL deallocates memory used to store
    ASN.1 structures  could  allow a remote attacker to execute arbitrary
    code with the privileges of the process using the OpenSSL library.
    (Other resources: NISCC/006490/OpenSSL/3, OpenSSL #1, CAN-2003-0545)

    VU#255484 - OpenSSL contains integer overflow handling ASN.1 tags (1)
    An integer  overflow  vulnerability  in the way OpenSSL handles ASN.1
    tags could allow a remote attacker to cause a denial of service.
    (Other resources: NISCC/006490/OpenSSL/1, OpenSSL #2, CAN-2003-0543)

    VU#380864 - OpenSSL contains integer overflow handling ASN.1 tags (2)
    A second  integer  overflow  vulnerability in the way OpenSSL handles
    ASN.1 tags could allow a remote attacker to cause a denial of service.
    (Other resources: NISCC/006490/OpenSSL/1, OpenSSL #2, CAN-2003-0544)

    VU#686224 -  OpenSSL does not securely handle invalid public key when
    configured to ignore errors
    A vulnerability  in  the  way  OpenSSL handles invalid public keys in
    client certificate  messages could allow a remote attacker to cause a
    denial of service. This vulnerability requires as a precondition that
    an  application  is  configured  to ignore public key decoding errors,
    which is not typically the case on production systems.
    (Other resources: NISCC/006490/OpenSSL/2, OpenSSL #3)

    VU#732952 - OpenSSL accepts unsolicited client certificate messages
    OpenSSL accepts  unsolicited  client certificate messages. This could
    allow an  attacker  to exploit underlying flaws in client certificate
    handling, such as the vulnerabilities listed above.
    (Other resources: OpenSSL #4)

    VU#104280 - Multiple vulnerabilities in SSL/TLS implementations
    Multiple  vulnerabilities   exist   in   different  vendors'  SSL/TLS
    implementations. The  impacts of these vulnerabilities include remote
    execution of  arbitrary  code,  denial  of service, and disclosure of
    sensitive  information.   VU#104280   covers   an  undefined  set  of
    vulnerabilities  that   affect   SSL/TLS  implementations  from  many
    different vendors.
    (Other resources: NISCC/006490/TLS)


II. Impact

   The  impacts  of  these  vulnerabilities vary. In almost all, a remote
   attacker   could   cause  a  denial  of  service.  For  at  least  one
   vulnerability in OpenSSL (VU#935264), a remote attacker may be able to
   execute  arbitrary  code.  Please see Appendix A, the Systems Affected
   section of VU#104280, and the OpenSSL vulnerability notes for details.


III. Solution

Upgrade or apply a patch

   To  resolve  the OpenSSL vulnerabilities, upgrade to OpenSSL 0.9.7c or
   OpenSSL 0.9.6k. Alternatively, upgrade or apply a patch as directed by
   your  vendor. Recompile any applications that are statically linked to
   OpenSSL libraries.

   For  solutions  for  the  other  SSL/TLS  vulnerabilities  covered  by
   VU#104280,  please  see Appendix A and the Systems Affected section of
   VU#104280.


Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information, this section is updated, and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have  not  received  their  authenticated,  direct  statement. Further
   vendor  information  is  available in the Systems Affected sections of
   the vulnerability notes listed above.

AppGate Network Security AB

     The  default  configuration  of  AppGate is not vulnerable. However
     some  extra  functionality which administrators can enable manually
     may  cause  the system to become vulnerable. For more details check
     the AppGate support pages at http://www.appgate.com/support.

Apple Computer Inc.

     Apple:  Vulnerable.  This  is  fixed  in  Mac  OS X 10.2.8 which is
     available from http://www.apple.com/support/

Clavister

     Clavister Firewall: Not vulnerable
     As of version 8.3, Clavister Firewall implements an optional HTTP/S
     server  for  purposes  of  user authentication. However, since this
     implementation  does  not  support  client  certificates and has no
     ASN.1 parser code, there can be no ASN.1-related vulnerabilities as
     far as SSL is concerned.

     Earlier  versions  of  Clavister  Firewall do not implement any SSL
     services.

Cray Inc.

     Cray  Inc.  supports  OpenSSL  through its Cray Open Software (COS)
     package.  The OpenSSL version in COS 3.4 and earlier is vulnerable.
     Spr 726919 has been opened to address this.

F5 Networks

     F5  products  BIG-IP,  3-DNS, ISMan and Firepass are vulnerable. F5
     will  have ready security patches for each of these products. Go to
     ask.f5.com  for  the appropriate security response instructions for
     your product.

Hitachi

     Hitachi Web Server is NOT Vulnerable to this issue.

IBM

     [AIX]
     The  AIX  Security  Team  is  aware of the issues discussed in CERT
     Vulnerability  Notes VU#255484, VU#380864, VU#686224, VU#935264 and
     VU#732952.

     OpenSSL  is available for AIX via the AIX Toolbox for Linux. Please
     note that the Toolbox is made available "as-is" and is unwarranted.
     The  Toolbox  ships  with OpenSSL 0.9.6g which is vulnerable to the
     issues  referenced  above.  A  patched  version  of OpenSSL will be
     provided  shortly and this vendor statement will be updated at that
     time.

     Please  note  that  OpenSSH,  which  is  made available through the
     Expansion Pack is not vulnerable to these issues.

     [eServer]
     IBM eServer Platform Response
     For information related to this and other published CERT Advisories
     that  may  relate  to  the IBM eServer Platforms (xSeries, iSeries,
     pSeries, and zSeries) please go to
     https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/
     securityalerts?OpenDocument&pathID=

     In  order  to  access  this information you will require a Resource
     Link    ID.    To    subscribe    to    Resource    Link    go   to
     http://app-06.www.ibm.com/servers/resourcelink and follow the steps
     for registration.

     All questions should be refered to servsec@xxxxxxxxxxx

Ingrian Networks

     Ingrian  Networks  is  aware  of this vulnerablity and will issue a
     security advisory when our investigation is complete.

Juniper Networks

     The  OpenSSL  code  included in domestic versions of JUNOS Internet
     Software  that  runs  on  all  M-series  and  T-series  routers  is
     susceptible  to  these vulnerabilities. The SSL library included in
     Releases  2.x  and  3.x  of  SDX provisioning software for E-series
     routers is susceptible to these vulnerabilities.

     Solution Implementation
     Corrections  for  all the above vulnerabilities are included in all
     versions  of  JUNOS  built  on  or after October 2, 2003. Customers
     should  contact Juniper Networks Technical Assistance Center (JTAC)
     for instructions on obtaining and installing the corrected code.
     SDX  software  built  on  or  after  October  2,  2003, contain SSL
     libraries  with  corrected  code.  Contact JTAC for instructions on
     obtaining and installing the corrected code.

MandrakeSoft

     The   vulnerabilities   referenced  by  VU#255484,  VU#380864,  and
     VU#935264   have   been  corrected  by  packages  released  in  our
     MDKSA-2003:098 advisory.

NEC Corporation

     Subject: VU#104280
     sent on October 1, 2003

     [Server Products]
     * EWS/UP 48 Series operating system
       - is NOT vulnerable.
       It doesn't include SSL/TLS implementation.

Novell

     Novell  is reviewing our application portfolio to identify products
     affected  by the vulnerabilities reported by the NISCC. We have the
     patched  OpenSSL  code and are reviewing and testing it internally,
     and preparing patches for our products that are affected. We expect
     the  first  patches to become available via our Security Alerts web
     site (http://support.novell.com/security-alerts) during the week of
     6 Oct 2003. Customers are urged to monitor our web site for patches
     to   versions  of  our  products  that  they  use  and  apply  them
     expeditiously.

OpenSSL

     Please see OpenSSL Security Advisory [30 September 2003].

Openwall GNU/*/Linux

     Openwall  GNU/*/Linux  currently uses OpenSSL 0.9.6 branch and thus
     was  affected  by the ASN.1 parsing and client certificate handling
     vulnerabilities pertaining to those versions of OpenSSL. It was not
     affected   by   the   potentially  more  serious  incorrect  memory
     deallocation  vulnerability  (VU#935264, CVE CAN-2003-0545) that is
     specific to OpenSSL 0.9.7.

     Owl-current  as  of  2003/10/01 has been updated to OpenSSL 0.9.6k,
     thus correcting the vulnerabilities.

Red Hat

     Red  Hat  distributes  OpenSSL  0.9.6  in  various  Red  Hat  Linux
     distributions  and  with  the Stronghold secure web server. Updated
     packages  which  contain  backported  patches  for these issues are
     available  along with our advisories at the URL below. Users of the
     Red Hat Network can update their systems using the 'up2date' tool.

     Red Hat Enterprise Linux:
     http://rhn.redhat.com/errata/RHSA-2003-293.html

     Red Hat Linux 7.1, 7.2, 7.3, 8.0:
     http://rhn.redhat.com/errata/RHSA-2003-291.html

     Stronghold 4 cross-platform:
     http://rhn.redhat.com/errata/RHSA-2003-290.html

     Red  Hat  distributes  OpenSSL  0.9.7  in  Red Hat Linux 9. Updated
     packages  which  contain  backported  patches  for these issues are
     available  along  with  our advisory at the URL below. Users of the
     Red Hat Network can update their systems using the 'up2date' tool.

     Red Hat Linux 9:
     http://rhn.redhat.com/errata/RHSA-2003-292.html

Riverstone Networks

     Riverstone Networks routers are not vulnerable.

SCO

     We are aware of the issue and are diligently working on a fix.

SGI

     SGI acknowledges receiving the vulnerabilities reported by CERT and
     NISCC.  CAN-2003-0543  [VU#255484],  CAN-2003-0544  [VU#380864] and
     CAN-2003-0545  [VU#935264]  have  been  addressed  by  SGI Security
     Advisory 20030904-01-P:

     ftp://patches.sgi.com/support/free/security/advisories/20030904-01-
     P.asc

     No further information is available at this time.

     For  the  protection  of  all our customers, SGI does not disclose,
     discuss  or  confirm vulnerabilities until a full investigation has
     occurred  and  any  necessary  patch(es)  or  release  streams  are
     available  for  all vulnerable and supported SGI operating systems.
     Until SGI has more definitive information to provide, customers are
     encouraged  to  assume  all security vulnerabilities as exploitable
     and  take  appropriate  steps  according  to  local  site  security
     policies   and   requirements.   As   further  information  becomes
     available,  additional advisories will be issued via the normal SGI
     security  information  distribution  methods  including the wiretap
     mailing list on http://www.sgi.com/support/security/

Stonesoft

     Stonesoft  has  published  a  security  advisory that addresses the
     issues in vulnerability notes VU#255484 and VU#104280. The advisory
     is at http://www.stonesoft.com/document/art/3040.html

Stunnel

     Stunnel  requires  the OpenSSL libraries for compilation (POSIX) or
     OpenSSL  DLLs for runtime operation (Windows). While Stunnel itself
     is  not  vulnerable,  it's  dependence  on  OpenSSL means that your
     installation likely is vulnerable.

     If  you  compile  from source, you need to install a non-vulnerable
     version of OpenSSL and recompile Stunnel.

     If  you  use the compiled Windows DLLs from stunnel.org, you should
     download new versions which are not vulnerable. OpenSSL 0.9.7c DLLs
     are available at
     http://www.stunnel.org/download/stunnel/win32/openssl-0.9.7c/

     No  new  version  of  Stunnel  source  or  executable  will be made
     available,  because  the  problems  are  inside  OpenSSL -- Stunnel
     itself does not have the vulnerability.

SuSE

     All  SuSE  products  are affected. Update packages are being tested
     and will be published on Wednesday, October 1st.

VanDyke

     None   the   VanDyke   Software   products  are  subject  to  these
     vulnerabilities  due  to  the  fact that OpenSSL is not used in any
     VanDyke products.


Appendix B. References

     * CERT/CC Vulnerability Note VU#935264 -
       <http://www.kb.cert.org/vuls/id/935264>
     * CERT/CC Vulnerability Note VU#255484 -
       <http://www.kb.cert.org/vuls/id/255484>
     * CERT/CC Vulnerability Note VU#380864 -
       <http://www.kb.cert.org/vuls/id/380864>
     * CERT/CC Vulnerability Note VU#686224 -
       <http://www.kb.cert.org/vuls/id/686224>
     * CERT/CC Vulnerability Note VU#732952 -
       <http://www.kb.cert.org/vuls/id/732952>
     * CERT/CC Vulnerability Note VU#104280 -
       <http://www.kb.cert.org/vuls/id/104280>
     * OpenSSL Security Advisory [30 September 2003] -
       <http://www.openssl.org/news/secadv_20030930.txt>
     * NISCC Vulnerability Advisory 006489/OpenSSL -
       <http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm>
     * NISCC Vulnerability Advisory 006489/TLS -
       <http://www.uniras.gov.uk/vuls/2003/006489/tls.htm>
     * ITU ASN.1 documentation -
       <http://www.itu.int/ITU-T/studygroups/com10/languages/>

     _________________________________________________________________

   NISCC  discovered  and researched these vulnerabilities; this document
   is  based  on their work. We would like to thank Stephen Henson of the
   OpenSSL  project  and  the  Oulu  University  Secure Programming Group
   (OUSPG) for their previous work in this area.
     _________________________________________________________________

   Feedback can be directed to the author, Art Manion.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-26.html
   ______________________________________________________________________


CERT/CC Contact Information

   Email: cert@xxxxxxxx
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

     http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site

     http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@xxxxxxxxx Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History

   October 1, 2003: Initial release


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP3thtTpmH2w9K/0VAQGzWAP9EpSwNUVNzSsGJjCLIX4jAKdGizhNEA/f
ZED6pvYreSwcry5SLvBMsn9vfftOdcIM1T9iPmWNm5KxQ1EsnlkojkMHdfPON56o
WpwwnLo89TxhNWgd7ThYbqXbIIPzfi0g6FM3lW4OVKEX/itscX83WPoUHp9OYBb9
pFFrq38EPjE=
=NRed
-----END PGP SIGNATURE-----