OpenSSL Security Update

Pseud0 writes "Just announced on the OpenSSL announce mailing list. The affected versions are "[...] OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server. 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not vulnerable." Get your updates here."

Mirrors list mirrored

[Olinator]

Here. (I tried to submit this story with this link, 'cause the site was going down before it appeared on /.; guess I wasn't fast enough.)

Ole

Answer

[petard]

engine versions incorporate support for hardware cryptographic devices.

Re:Logic behind this

[phaxkolumbo]

Well, most of us shouldn't have to download the patches. Instead, we wait for our favourite distribution to come up with rebuilt packages and then install. At least in redhat, debian and mandrake. Probably others.

But... i agree with you, sort of. I understand that something of this scale is newsworthy, but still most of us don't need the source and/or patches directly. That's what rh's errata (and similar) are for. So, the actual announcement could have been slightly more subtle, or something...

But people shouldn't "want" security updates, people _need_ security updates, so i guess that's the reasoning behind this news story.

OK. I admit I'm biting

Doesn't OpenSSH rely on OpenSSL to function?

No.

Does this mean the openbsd "no remote root exploits in the default distribution" thing's been violated again?

No.

Re:How about some common courtesy?

[tbmaddux]

Found details on vulnerabilities (don't know if they're the same ones as the ones being patched) in OpenSSL at bugtraq:

"There are several potentially exploitable vulnerabilities in the OpenSSL toolkit. A security review of OpenSSL is being done by A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) under the DARPA program CHATS. Through this review, the following vulnerabilities were discovered:

1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulnerability is exploitable.

2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.

3. Various buffers for ASCII representations of integers were too small on 64 bit platforms.

4. The ASN1 parser can be confused by supplying it with certain invalid encodings.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0655 to issue 3, and CAN-2002-0659 to issue 4.

Here's a link.

Bulletin

OpenSSL Security Advisory [30 July 2002]

This advisory consists of two independent advisories, merged, and is an official OpenSSL advisory.

Advisory 1

A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) are conducting a security review of OpenSSL, under the DARPA program CHATS.

Vulnerabilities

All four of these are potentially remotely exploitable.

1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulerability is exploitable. Exploit code is NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issues only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too small on 64 bit platforms.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue 3, and CAN-2002-0655 to issue 4. In addition various potential buffer overflows not known to be exploitable have had assertions added to defend against them.

Who is affected?

Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is
vulnerable, whether client or server. 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not vulnerable. SSLeay is probably also affected.

Recommendations

Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL to provide SSL or
TLS. A patch for 0.9.7 is available from the OpenSSL website (http://www.openssl.org/).

Servers can disable SSL2, alternatively disable all applications using SSL or TLS until the patches are applied. Users of 0.9.7 pre-release
versions with Kerberos enabled will also have to disable Kerberos. Client should be disabled altogether until the patches are applied.

Known Exploits

There are no know exploits available for these vulnerabilities. As noted above, Neohapsis have demonstrated internally that an exploit is
possible, but have not released the exploit code.

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CA N- 2002-0655
http://cve.mitre.org/cgi-bin/cvename.cg i?name=CAN- 2002-0656
http://cve.mitre.org/cgi-bin/cvename.cg i?name=CAN- 2002-0657

Acknowledgements

The project leading to this advisory is sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537. The patch and advisory were prepared by Ben Laurie.

Advisory 2 Vulnerabilities

The ASN1 parser can be confused by supplying it with certain invalid encodings. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0659 to this issue.

Who is affected?

Any OpenSSL program which uses the ASN1 library to parse untrusted data. This includes all SSL or TLS applications, those using S/MIME (PKCS#7) or certificate generation routines.

Recommendations

Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL.
Users of 0.9.7 pre-release versions should apply the patch or upgrade to 0.9.7-beta3 or later. Recompile all applications using OpenSSL.

Exploits

There are no known exploits for this vulnerability.

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CA N- 2002-0659

Acknowledgements

This vulnerability was discovered by Adi Stav and James Yonan independently. The patch is partly
based on a version by Adi Stav.

The patch and advisory were prepared by Dr. Stephen Henson.

Combined patches for OpenSSL 0.9.6d:
http://www.openssl.org/news/patch_2002073 0_0_9_6d. txt

Combined patches for OpenSSL 0.9.7 beta 2:http://www.openssl.org/news/patch_20020730_0_9_7 .txt

URL for this Security Advisory: http://www.openssl.org/news/secadv_20020730.txt

Happy Xmas

[fingal]

OpenSSL Security Advisory [30 July 2002]

This advisory consists of two independent advisories, merged, and is an official OpenSSL advisory.

Advisory 1

A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) are conducting a security review of OpenSSL, under the DARPA program CHATS.

Vulnerabilities

All four of these are potentially remotely exploitable.

1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulerability is exploitable. Exploit code is NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issues only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too small on 64 bit platforms.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue 3, and CAN-2002-0655 to issue 4.

In addition various potential buffer overflows not known to be exploitable have had assertions added to defend against them.

Who is affected?

Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server. 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not vulnerable.

SSLeay is probably also affected.

Recommendations

Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL to provide SSL or TLS.

A patch for 0.9.7 is available from the OpenSSL website (http://www.openssl.org/).

Servers can disable SSL2, alternatively disable all applications using SSL or TLS until the patches are applied. Users of 0.9.7 pre-release versions with Kerberos enabled will also have to disable Kerberos.

Client should be disabled altogether until the patches are applied.

Known Exploits

There are no know exploits available for these vulnerabilities. As noted above, Neohapsis have demonstrated internally that an exploit is possible, but have not released the exploit code.

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN- 2002-0655

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN- 2002-0656

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN- 2002-0657

Acknowledgements

The project leading to this advisory is sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537.

The patch and advisory were prepared by Ben Laurie.

Advisory 2

Vulnerabilities

The ASN1 parser can be confused by supplying it with certain invalid encodings.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0659 to this issue.

Who is affected?

Any OpenSSL program which uses the ASN1 library to parse untrusted data. This includes all SSL or TLS applications, those using S/MIME (PKCS#7) or certificate generation routines.

Recommendations

Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL.

Users of 0.9.7 pre-release versions should apply the patch or upgrade to 0.9.7-beta3 or later. Recompile all applications using OpenSSL.

Exploits

There are no known exploits for this vulnerability.

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN- 2002-0659

Acknowledgements

This vulnerability was discovered by Adi Stav and James Yonan independently. The patch is partly based on a version by Adi Stav.

The patch and advisory were prepared by Dr. Stephen Henson.

Security Advisory from Bugtraq

The original security advisory (with attached patch for OpenSSL 0.9.6d) is here. A follow-up with patches for older versions is here.

Advisory + Patch

[ChiefArcher]

http://online.securityfocus.com/archive/1/285022/2 002-07-27/2002-08-02/0

Advisory Mirror

[ActMatrix]

Here's a copy of the full advisory since the OpenSSL site is /.'d.

Re:Logic behind this

[spudnic]

This may sound like a plug for the RHN Enterprise service, because it is. I got in this morning at around 7:50, checked the status of all of my Red Hat servers through the web page and saw that there was an urgent update available for OpenSSL. I clicked 3 times and all of them were scheduled to get the update the next time they checked in.

It's now 9:44 and all of my servers are patched. It took me 5 seconds to schedule it, and just drank coffee and read /. as it happened.

It's well worth it. We're all sold on it, and the Novell guys are envious.

Re:Security is a Fallacy

[Flower]

No, security is a process.

Mirrors

[Wouter+Van+Hemel]

Damn /. morons, was it really necessary to link to the _main_ site instead of providing some mirrors?

Most mirrors are not up to date yet, except:

ftp://opensores.thebunker.net/pub/mirrors/openss l/ source/
ftp://ftp.psy.uq.edu.au/pub/Crypto/OpenSS L/
ftp://ftp.infoscience.co.jp/pub/Crypto/SSL/ope nssl /source/

... but by the time you read this, maybe the others have it too (thanks to google... yet again):

* ftp://ftp.openssl.org/source/ [CH]
* ftp://sunsite.cnlab-switch.ch/mirror/openssl/ [CH]
* ftp://ftp.funet.fi/pub/crypt/cryptography/libs/ope nssl/ [FI]
* ftp://ftp.pca.dfn.de/pub/tools/net/openssl/ [DE]
* ftp://ftp.ecrc.net/pub/security/openssl/ [DE]
* ftp://ftp.uni-trier.de/pub/unix/security/openssl/ [DE]
* ftp://ftp.webmonster.de/pub/openssl/ [DE]
* ftp://opensores.thebunker.net/pub/mirrors/openssl/ [UK]
* ftp://ftp.net.lut.ac.uk/openssl/ [UK]
* ftp://ftp.mirror.ac.uk/sites/ftp.openssl.org/ [UK]
* ftp://sunsite.uio.no/pub/security/openssl/ [NO]
* ftp://ftp.sunet.se/pub/security/tools/net/openssl/ [SE]
* ftp://ftp.chl.chalmers.se/pub/unix/security/openss l/ [SE]
* ftp://ftp.psy.uq.edu.au/pub/Crypto/ [AU]
* ftp://mirror.aarnet.edu.au/pub/openssl/ [AU]
* ftp://gd.tuwien.ac.at/infosys/security/openssl/ [AT]
* ftp://glock.missouri.edu/pub/openssl/ [US]
* ftp://ftp.av8.com/pub/mirrors/openssl/ [US]
* ftp://ftp.styx.net/mirrors/crypto/openssl/ [US]
* ftp://gw.inetlab.com/mirrors/openssl/ [RU]
* ftp://ftp.mos.net/pub/security/openssl/ [RU]
* ftp://ftp.ebizlab.hit.bme.hu/pub/openssl/ [HU]
* ftp://ftp.kfki.hu/pub/packages/security/openssl/ [HU]
* ftp://guest.kuria.katowice.pl/pub/openssl/ [PL]
* ftp://ftp.win.ne.jp/pub/network/security/openssl/ [JP]
* ftp://ftp.infoscience.co.jp/pub/Crypto/SSL/openssl / [JP]
* ftp://ftp.happysize.co.jp/mirror/openssl/ [JP]
* ftp://ftp.ncu.edu.tw/Unix/Crypto/OpenSSL/ [TW]
* ftp://ftp.mit.com.tw/pub/SSL/openssl/ [TW]
* ftp://ftp.elab.co.za/support/openssl/source/ [ZA]
* ftp://ftp.fisek.com.tr/pub/openssl/ [TR]
* ftp://ftp.fi.muni.cz/pub/openssl/ [CZ]
* ftp://ftp.sunsite.utk.edu/pub/openssl/ [US]
* ftp://ftp.gm.is/pub/openssl/ [IS]
* ftp://ftp.directnet.ru/pub/openssl/ [RU]
* ftp://ftp.linux.hr/pub/openssl/ [HR]
* ftp://ftp.1stnet.co.uk/pub/mirrors/openssl/ [UK]
* ftp://mirror.aarnet.edu.au/pub/openssl/ [AU]
* ftp://storm.alert.sk/mirrors/openssl/ [SK]
* ftp://ftp.openssl.uli.it/ [IT]
* ftp://ftp.grmbl.com/pub/openssl/ [BE]
* ftp://ftp.gin.cz/pub/MIRRORS/ftp.openssl.org/ [CZ]
* ftp://ftp.calyx.nl/pub/openssl/ [NL]
* ftp://ftp.duth.gr/pub/OpenSSL/ [GR]
* ftp://ftp.linux.gr/pub/crypto/openssl/ [GR]
* ftp://ftp.si.uniovi.es/mirror/OpenSSL/ [ES]

Cheers.

Re:Debian users:

[CentrX]

For stable releases, Debian backports the patches to the version that's in stable, so as not to introduce problems that may result from introducing a relatively heavily modified new release. That's why it's called "stable". From the Debian Security Advisory: "These vulnerabilities have been addressed for Debian 3.0 (woody) in openssl094_0.9.4-6.woody.0, openssl095_0.9.5a-6.woody.0 and openssl_0.9.6c-2.woody.0." So, the link provided is a package that isn't vulnerable.

Re: another victory for Open Source!

[Black+Parrot]

> Thanks to "many eyes," no sooner is a flaw detected than it is patched up!

<pedantic>Actually, "many eyes" didn't have much to do with either facet, this time. The detection was done by the (presumably pay-to-view) eyes at A.L. Digital Ltd and The Bunker, and the fix isn't an "eyes" issue at all, but rather a get-on-the-ball-and-do-it issue.</pedantic>

But you're entirely right about the quick turn-around. The good folk at OpenSSH completely skipped the Six Step Security Patch Development Cycle so commonly used in the commercial software world thes days:

1. deny it, as long as possible
2. promise an investigation, as long as possible
3. promise "real soon now", as long as possible
4. make excuses for the delay, as long as possible
5. release a broken fix, investing as little effort as possible
6. GOTO 1

Re:Debian users:

[BJH]

Debian doesn't generally upgrade the software in question to a later external version unless it's absolutely necessary - instead, they patch the version that they know is stable and move their internal version up a notch.

Details from the Debian Security Advisory...

[illsorted]

From the bugtraq announcement:

Package : openssl
Problem type : multiple remote exploits
Debian-specific: no
CVE : CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659

The OpenSSL development team has announced that a security audit by A.L.
Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed
remotely exploitable buffer overflow conditions in the OpenSSL code.
Additionaly, the ASN1 parser in OpenSSL has a potential DoS attack
independently discovered by Adi Stav and James Yonan.

CAN-2002-0655 references overflows in buffers used to hold ASCII
representations of integers on 64 bit platforms. CAN-2002-0656
references buffer overflows in the SSL2 server implementation (by
sending an invalid key to the server) and the SSL3 client implementation
(by sending a large session id to the client). The SSL2 issue was also
noticed by Neohapsis, who have privately demonstrated exploit code for
this issue. CAN-2002-0659 references the ASN1 parser DoS issue.

These vulnerabilities have been addressed for Debian 3.0 (woody) in
openssl094_0.9.4-6.woody.0, openssl095_0.9.5a-6.woody.0 and
openssl_0.9.6c-2.woody.0.

These vulnerabilities are also present in Debian 2.2 (potato), but no
fix is available at this moment.

We recommend you upgrade your OpenSSL as soon as possible. Note that you
should restart any daemons running SSL. (E.g., ssh or ssl-enabled
apache.)

Patches for old versions

[asr_br]

Patches also available in http://www.ademar.org/misc/openssl-patches for the ones who haven't access to bugtraq or openssl-{devel,users}.

Date: Tue, 30 Jul 2002 14:42:12 -0300
From: "Ademar de Souza Reis Jr." <ademar@conectiva.com.br>
Subject: Re: OpenSSL patches for other versions
To: Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
Cc: Ben Laurie <ben@algroup.co.uk>,
OpenSSL Announce <openssl-announce@openssl.org>,
OpenSSL Dev <openssl-dev@openssl.org>, openssl-users@openssl.org
X-Url: http://www.ademar.org/

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 1.0K --]

On Tue, Jul 30, 2002 at 11:15:00AM +0100, Ben Laurie wrote:
> Enclosed are patches for today's OpenSSL security alert which apply to
> other versions. The patch for 0.9.7 is supplied by Ben Laurie
> <ben@algroup.co.uk> and the remainder by Vincent Danen (email not
> supplied).
>
> Patches are for 0.9.5a, 0.9.6 (use 0.9.6b patch), 0.9.6b, 0.9.6c, 0.9.7-dev.
>
> These patches are known to apply correctly but have not been
> thoroughly tested.

Hello.

While checking the patches you sent I noticed that in the ones for
openssh < 0.9.7-dev, the ASN.1 fix is not present (several checks in
crypto/asn1/asn1_lib.c).

So I backported the fixes based on 0.9.7-dev and in a patch for 0.9.6d sent
by Ben Laurie to openssl-team@openssl.org on July27 (subject: Final
version?).

Patches for 0.9.5a, 0.9.6a and 0.9.6b including fix for ASN.1 vulns attached.
They're not well tested yet - after sucessful compilation.

Cheers.
- Ademar

Re:How about some common courtesy?

[krogoth]

If you care about security, you should be reading Bugtraq. As soon as I saw the title I checked my email and read the real advisory - now that I'm done upgrading, I can come back and see what Slashdot says about it.