Multiple Vulnerabilities in OpenSSL

← Back to Stories (view on slashdot.org)

Multiple Vulnerabilities in OpenSSL

Posted by CowboyNeal on Thursday March 18, 2004 @03:55PM from the stay-safe-stay-current dept.

gfilion writes "Updated versions of OpenSSL are now available which correct two security issues: A null-pointer assignment during SSL handshake and an out-of-bounds read that affects Kerberos ciphersuites. Full advisory available on OpenSSL site and US-CERT."

21 of 274 comments (clear)

Min score:

Reason:

Sort:

before the trolls start... by contrasutra · 2004-03-18 16:04 · Score: 4, Insightful

Please don't comment "so I guess Windows isn't so insecure, is it...". We always seem to get a few of these. OpenSSL/OpenBSD has a VERY good security track record. Is a vulnerability a problem? Yes, but when MS has OpenBSD's track record, you can compare.

Also I think this is a good news post simply because it helps to show we're not Anti-windows bias. We report security problems on ALL os's.

Oh well, sometimes you just have to combat the trolls.
Re:Non-Exploitable Security DOS Exploit by BlueCodeWarrior · 2004-03-18 16:04 · Score: 5, Insightful

For those of us not on the FreeBSD mailing list, it is.
Re:Non-Exploitable Security DOS Exploit by stratjakt · 2004-03-18 16:11 · Score: 5, Insightful

It's certainly front page news if there's a non-exploitable flaw in Windows for which a patch has been released.

cvs, make and build sure.. But when it's click windows update, somehow it's some monumental task thats just the worst thing imaginable.

--
I don't need no instructions to know how to rock!!!!
Re:Let's be like M$... by thedillybar · 2004-03-18 16:12 · Score: 4, Insightful

They didn't tell anyone until a patch was available. Note that the vulnerability was announced Wednesday, and it included a link for the patch (openssl-0.9.7d) when it was released.
It's fairly reasonable to assume that the developers knew of the vulnerability some time before the new version became available.
I think it's good practice to do this if you can develop the new version fast enough. Announcing it early is only inviting someone to exploit it. I doubt anyone will fix the vulnerability themselves and put it into production before the official release comes out.
Re:Non-Exploitable Security DOS Exploit by KidSock · 2004-03-18 16:14 · Score: 4, Insightful

...is this really /. front page news? This came out on the FreeBSD mailing list 36 hrs ago.

Yes. Most of us are not on the FreeBSD mailing list. Instead we wait for the more mainstream outlets like ./ to report the problem. Also it's good to wait about 36 hours or so for the fix to go through the motions as the sudden intrest rattles free other problems.
Old news by macdaddy · 2004-03-18 16:22 · Score: 2, Insightful

I mean this is over a day old now. Why it took CERT so long to send the advisory I don't know.
Re:Why Is This Happening? by nathanhart · 2004-03-18 16:24 · Score: 3, Insightful

Probally has something to do with many people being able to do code audits freely and of course submit their fix for it ;)

--
GeekLeak.com - Silly name, serious geeks
Re:Non-Exploitable Security DOS Exploit by Anonymous Coward · 2004-03-18 16:27 · Score: 2, Insightful

Wow, aren't we pretentious and elite today? I could just as easily say that the average Linux user just waits for cron-apt or something similar to pull in the fixed packages when they are made available by their distribution, which is a far more realistic claim, yet equally as handwaving and vacuous as the one you made.
Get a life.
Re:Patch updates are NOT news by Mr.+Ophidian+Jones · 2004-03-18 16:42 · Score: 2, Insightful

Set up a cron job to do "emerge sync && emerge -uD world" or the equivalent every 24 hours. No attention required.

Until someone roots the Gentoo servers....
Re:Non-Exploitable Security DOS Exploit by Sivar · 2004-03-18 17:17 · Score: 4, Insightful

You have a good point, as using Windows Update is easier (or at least as easy) as any GNU/Linux update method, and can be made automatic very easily (like some GNU/Linux update methods).
One noteworthy difference, however, is that none of the BSD or GNU/Linux update methods tell the vendor the software (and their versions) that you run. To their credit, at least, none of them (including Microsoft) collect any actual personally identifiable information.

--
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
Yawn by ChiralSoftware · 2004-03-18 18:03 · Score: 4, Insightful

I'm bored of these OpenSSL advisories. On and on they go. An unchecked null and an out-of-bounds read. Someday, people will realize that unsafe data (anything that comes in over the net) really can't be safely manipulated in a language like C. If OpenSSL had been implemented in Java, there types of errors couldn't exist, or if they did exist, they would throw exceptions which could be caught and handled in some reasonable way.
Rule #1: Unsafe data should be handled in sandboxed languages.
Rule #2: Programs that are exposed to unsafe data (server processes) should run at some minimum and constrained privilege level, not as root. The "must be root to bind to ports less than 1024" rule on Unix is almost exactly the opposite of what the rule should be.
I'm sure many people who don't understand these issues will flame me or say I am trolling, but oh well, someone needs to keep bringing this up until it sinks in.
------------
Create a WAP server
1. Re:Yawn by kobaz · 2004-03-18 18:53 · Score: 2, Insightful
  
  Someday, people will realize that unsafe data (anything that comes in over the net) really can't be safely manipulated in a language like C.
  
  People like you who don't understand that any software written in any language can be exploited should be shot. Your post is just painful to read.
  
  Rule #1: Unsafe data should be handled in sandboxed languages.
  
  Rule #1 is actually: VALIDATE ALL USER INPUT
  
  This holds true for any language, c, java, php, brainfuck, or anything else. You can just as easily exploit a php script to insert sql statements and destroy a database as you could write code to crash a server using openssl assumeing the target apps do poor validation and you (the attacker) know what you're doing.
  
  Many things that communicate over the are safely handled in c, java, php, etc etc because they are written to validate the input given to them and never do operations on data that hasn't been validated. You can write a secure implementation of openssl in c or java, it doesn't matter as long as the underlieing methods include validating all of your input.
  
  Rule #2: Programs that are exposed to unsafe data (server processes) should run at some minimum and constrained privilege level, not as root. The "must be root to bind to ports less than 1024" rule on Unix is almost exactly the opposite of what the rule should be.
  
  This is another bullshit rule, if you have an app that properly validates all of its data then you can run the process with any level of permissions and not worry. The problem is, most apps aren't written with the idea to validate everything (the number one reason is because it adds overhead). Apps like openssl are written by more than one developer so its even harder to make sure everything is validated properly because of differing programming styles and methods, etc etc.
  
  I'm sure many people who don't understand these issues will flame me or say I am trolling, but oh well, someone needs to keep bringing this up until it sinks in.
  
  You *are* trolling.
  
  --
  
  The goal of computer science is to build something that will last at least until we've finished building it.
2. Re:Yawn by jmv · 2004-03-18 20:49 · Score: 2, Insightful
  
  Rule #1: May I remind you that said unsafe data is also manipulated by the kernel and glibc. Are you suggesting those get converted in Java too? Oh, and with a badly written Java app, it's also possible to do all kinds of things (just not buffer overflows).
  
  Rule #2: Ever heard of "bind to port and then change uid"?
  
  I'm sure many people who don't understand these issues will flame me or say I am trolling, but oh well, someone needs to keep bringing this up until it sinks in.
  
  Thanks for enlightening us all.
  
  --
  Opus: the Swiss army knife of audio codec
3. Re:Yawn by thogard · 2004-03-18 21:07 · Score: 3, Insightful
  
  Its a one line patch to get linux (2.2 and maybe 2.4 and maybe 2.6) to only let you open ports that equal a group your in. Its a simple fix but no one wants to do it. Even the standard /etc/groups aren't set up for this. Whatever listens to SMPT should be in group 25 and apache should be in groups 80 and 443. Then you don't need root to bind to the port and no other user can bind to the port either.
4. Re:Yawn by Srin+Tuar · 2004-03-19 02:03 · Score: 2, Insightful
  
  The problem with VM's is that they are pigs.
  
  Openssl is coded in highly optimized C, with many components in assembly, and its still considered a high-overhead resource hog and is often the target of hardware acceleration.
  
  If you seriously think "Java" is even in the running for that workload- then you are seriously deluded. VM's have this peculiar BIG problem: they are slow and resource-intensive. They dont play well with other processes, they cannot swap out to share ram, and they encourage memory bloat.
  
  If anyone seriously wanted to use a programming language as a tool that lets you hide memory allocation and validate input- then they could choose C++. Java, et al, is just not a serious option.
5. Re:Yawn by Electrum · 2004-03-19 06:34 · Score: 2, Insightful
  
  We've been hearing that for years. The best C security coders in the world are the OpenBSD team and guess what, they make mistakes. They fail to validate input sometimes. They have had exploitable bugs in their code.
  
  Funny, then why have the qmail and djbdns security guarantees never been claimed? Perhaps because it really is possible to write secure code in C?
advice on cvsup by puzzled · 2004-03-18 18:33 · Score: 3, Insightful

There is a minimal cvsup config for FreeBSD 4.9 - cvsup -g -L 2 and you're off and running.

*default host=cvsup6.FreeBSD.org
*default base=/usr
*default prefix=/usr
# The following line is for 4-stable. If you want 3-stable or 2.2-stable,
# change "RELENG_4" to "RELENG_3" or "RELENG_2_2" respectively.
*default release=cvs tag=RELENG_4
*default delete use-rel-suffix
# If your network link is a T1 or faster, comment out the following line.
*default compress
src-all
#ports-all tag=.

make buildworld & make installworld install *world*, which does not include anything you built out of /usr/ports - portupgrade is what handles moving that stuff forward for you.

FreeBSD *is* intimidating at first, but if you take the thirty days of pain at the end of that time you'll be looking at your Linux boxes and wondering why you ever put up with the chaos ...

--
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
Re:Non-Exploitable Security DOS Exploit by gad_zuki! · 2004-03-18 20:47 · Score: 4, Insightful

>Honestly people, is this really /. front page news?

Yes, lets just wait till some kiddie write a worm that crashes thousands servers all over the world and then post about it.

I like that slashdot posts security problems. Why?

1. For the lazy admin. Theres lot of them.

2. because its important to keep reinforcing the idea that computers suck (I dont care what OS you like) and need constant care.
Re:Open source isn't a perfect model for secure co by JShadow · 2004-03-19 03:08 · Score: 1, Insightful

The argument isn't that Open Source is inherently more secure when written, but that overall it is more secure.

What's the difference you ask?

Closed source software M is found to have a bug, and that hole is open for 6 months; Open Source software S is found to have a bug, but the hole is open for 2 weeks MAXIMUM, most of the time it's fixed and patches available within 1 week.

Thus, Open Source is more secure because holes, which are, to a certain extent, inevitable, remain open for a very short amount of time, and on the whole not long enough to exploit.
C language is (also) to blame. by master_p · 2004-03-19 03:17 · Score: 3, Insightful

A null-pointer assignment

an out-of-bounds read

Aside from the programmer's errors, if C was safer, both bugs would have already been caught a long time ago. C is clearly to blame here.
Re:Non-Exploitable Security DOS Exploit by tommck · 2004-03-19 07:25 · Score: 2, Insightful

Oh... that's MUCH easier than Windows Update. Can't wait for my mom to try doing this...
</asbestos suit>

--
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.