'Severe Bug' To Be Patched In OpenSSL

An anonymous reader writes: The Register reports that upcoming OpenSSL versions 1.0.2d and 1.0.1p are claimed to fix a single security defect classified as "high" severity. It is not yet known what this mysterious vulnerability is — that would give the game away to attackers hoping to exploit the hole before the patch is released to the public. Some OpenSSL's examples of "high severity" vulnerabilities are a server denial-of-service, a significant leak of server memory, and remote code execution. If you are a system administrator, get ready to patch your systems this week. The defect does not affect the 1.0.0 or 0.9.8 versions of the library.

thanks Hacked Team!

[SethJohnson]

Your audit of OpenSSL has already contributed back to the Open Source community, whether voluntary or not.

Security!

[ArcadeMan]

Always keep your software up-to-date for security reasons!

OpenSSL versions 1.0.2d and 1.0.1p are claimed to fix a single security defect classified as "high" severity. [...] The defect does not affect the 1.0.0 or 0.9.8 versions of the library.

Unless of course the up-to-date versions are less secure than the old versions...

Re:Security!

Whew, suck it linux and your super-duper fast patches! Microsoft only patches on Tuesdays so my boxen are safe from this exploit!

Re:Security!

This is not the first time that has happened either. Making me think the same thing.

Re:Security!

No! Update when you need new functionality, when a security update is released for your version, or when your version is no longer supported.

No willy-nilly updating for fun madness.

Re:Security!

The major differences between the 1.0.0, 1.0.1 and 1.0.2 branches is the addition of features (as can be seen here: https://en.wikipedia.org/wiki/...). This means that the vulnerability is likely to be in one of those new features, rather than in the older code. It also illustrates the old adage that every feature is just an unexploited code path.

Re:Security!

That's what I'm questioning.

So if it exists post 1.0, 0.9.8 versions, it was introduced after what I call, the 'OpenSSL' spotlight event. That doesn't make for confidence building. I thought this shit was getting thoroughly audited after 0.9.8?

Re:Security!

OpenSSL 1.0.2d is not the up to date version. People should be looking at LibreSSL 2.1.7 .

The project management and lack of testing will prevent OpenSSL from ever being more than a collection of exploits. Heartbleed alone should have been enough to show this, specified and implemented by one person, not tested, long interaction phases before any verification took place and worst of all enabled by default on every OpenSSL installation. The implementer(s) of that library put no thought into security and apparently receiving large amounts of money to fix things didn't change this.

Re:Security!

[Trongy]

The 1.0.0 and 0.9.8 version of openssl do not have support for TLS 1.1 or 1.2.
If you want to stick to using SSLV3 and TLS 1.0, good luck to you. Have you heard of the POODLE attack?

Re:Security!

[Demonoid-Penguin]

This is not the first time that has happened either. Making me think the same thing.

Good to hear your satire inoculation is working.

Re:Security!

[Dan541]

Always keep your software up-to-date for security reasons!

I hear the NSA have taken over development of OpenSSL. Oh look.... a new patch...

You'd think they'd patch it first

Shirley by now then.

Re:You'd think they'd patch it first

And don't call me Shirley...

boring boring boring booooooooooring

So tired of these pre-announcements. What's next, pre-pre-announcements? Just publish already, doofuses.

Re:boring boring boring booooooooooring

It gives some extra time to make up a catchy name for the vulnerability and print some t-shirts.

Re:boring boring boring booooooooooring

[wardrich86]

"...pre-pre-announcements?" Valve to announce the release of Half-Life 3 eventually!

Re:boring boring boring booooooooooring

[beh]

Sorry, the pre-announcement does have a point - if the security hole is major, then you want admins to be ready to patch their systems pretty much immediately.

If you just released the "fixed" version together with a description of the vulnerability - it might give extra time to potential attackers to figure out how to exploit the problem before an admin becomes aware that there even IS a new version.

In this case, the certificate verification might not have sounded like a big thing to you - but think where client certificates are being used - not that many places, but usually "important" ones, and often ones that have real economic consequences for the parties involved if they were to be broken (like many VPNs between businesses; or protected services that require client certificates for authentication. If it were "easy" to forge one, the protection would be harder to maintain (if it were even still possible to maintain).

Use the diffs

[Dwedit]

I guess you could use the diffs to find the hole.

Re:Use the diffs

That would depend on the Diff's being released, as it stands, the Diff's, Patched Binaries and an explanation of what the exploit was will likely be released all at the same time, so people can patch their affected systems before the exploit is seen in the wild.

Re:Use the diffs

Guess he means that somebody could check what is same in both 1.0.2 and 1.0.1 but different in 1.0.0 and 0.9.8. Would hope this is tricky or risky to announce.

Re:Use the diffs

Why? OpenSSL is opensource. Perusing Github gives me these potential vulnerabilities after the 1.0.2o release (12-Jun-2015)

Remove one extraneous parenthesis
Multiple fixes to mttest.c
Fix PSK handling (best guess this is it as quick review shows it fixes a null pointer exception)

Also let this be a lesson to releasing "WARNING BUG TO BE PATCHED". I'm sure this exploit is already in the wild, I am giving the poor sysadmins out there a chance to identify and patch bugs from 0-day exploits.

-dk

Re:Use the diffs

It would also be interesting to find the commit which introduced the vulnerability.

Re:Use the diffs

Well lets assume it's the PSK allowing the buffer overflow

We can see the fix here, so lets look at the code they are replacing.. specifically:

- s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
- if (s->ctx->psk_identity_hint == NULL) {
+ s->session->psk_identity_hint = BUF_strndup((char *)p, i);
+ if (s->session->psk_identity_hint == NULL) {

Looks like they went from strdup() to strndup(). Lets look when strdup() was introduced

  git grep "BUF_strdup(" $(git rev-list --all) | grep s3_clnt |awk -F':' '{print $1}' | uniq

returns ddac197404f585b8da58df794fc3beb9d08e8cd2

add initial support for RFC 4279 PSK SSL ciphersuites

PR: 1191
Submitted by: Mika Kousa and Pasi Eronen of Nokia Corporation
Reviewed by: Nils Larsch

        OpenSSL_0_9_8k

Nils Larsch authored on Mar 10, 2006

Since this was added in 2006 and 0.9.8 is not vulnerable it is possible this is not the urgent vulnerability. But similar analysis can be done against the 1.0.2 branch and then looking back at the history of commits as I showed here. Good luck.

-dk

amazon s2n

time to start giving this a second look...

Sick of this shit

It'll be another dangling pointer, buffer overrun/read, integer overflow, etc. Time to stop using stone axes and sharpened sticks. We have tools now that can end this nonsense. We need to use them.

Re:Sick of this shit

Lol you want everyone to have to link a fucking rust runtime or whatever? Everything in rust? Are you sure that there's no exploit in the implementation of all the extra code rust runs at runtime?

Pet languages are nice, but don't expect them to be used universally, ever.

Re:Sick of this shit

[Eravnrekaree]

PAE and x86-64 and probably other CPUs now have page table flags for protecting against buffer overrun by non-executable, readonly memory sections and such. An overrun will cause a segfault rather than an actual overrun. This significantly improve things. So what is the status of this in major Linux distros?

Re: Sick of this shit

Rust? The language that hit 1.0 only about two months ago, so very long after it was first promised? The language with only one quasi-usable implementation? The language whose one quasi-usable implementation is riddled with bugs (its GitHub isse tracker is full of them)? The language that hasn't been used for anything significant, other than its own bug-riddled quasi-usable implementation? The language that is more hype than substance? The language that the Ruby on Rails fanboys jumped ship to after Rails and Ruby started sinking fast? The language with convoluted ownership semantics that make C++'s easy to comprehend and use by comparison? No thanks!

Re:Sick of this shit

An interesting question, but a page table thing won't protect against all buffer overruns- it would still overwrite variables hanging around there that are within the page. Which seems to already happen- you can't just write past your page and not get segfaulted?

Re:Sick of this shit

[Eravnrekaree]

You are right. Data could also be leaked, which would be awful. Guard pages are another feature often used, when a buffer overflow occurs it would often hit the guard page which being unallocated space will segfault, but its not perfect. Its a lot easier to protect code than it is to protect data.

Re: Sick of this shit

Please go gentle on him. I mean, the dumb faggot is a poser at best. In a couple months, he'll get pissed off that his hello world rust program is still buggier than his momma's crab-infested cunt and move on to the next language du jour (swift? nim? who knows!). Maybe someday he'll give up for good and go back to sucking cocks or mopping floors or something more suitable for his 2-digit IQ.

firsT

going 7o continue,

Monoculture...

[Bugler412]

Remember when everyone thought Windows was the biggest monoculture? Not on the web server side of the business....

lol

If you find yourself in a hole, stop digging.

Anybody using OpenSSL over LibreSSL deserves what they get. And what they get is this shit. They literally cannot add a new feature without enabling security exploits.

Oh god damnit...

Not again...

Do what Amazon did...

[Karmashock]

Offer up a version of the the package that is small enough to be audited in detail so that there are very very very few bugs with it.

I think they said they had it down to 6k? So do that. Obviously that strips out a lot of features people like. So decide what is more important to you.

security or covering your car with stickers and truck nuts.

good security has to be simple. you get complicated and you get something that can't be fully understood well enough to debug.

Re:Do what Amazon did...

Amazon's s2n repo is cool, but it's only a lightweight TLS library. It does not have the crypto routines included and instead relies upon other libraries for that. It can use OpenSSL, LibreSSL, or some others... it would be nice if they just stripped OpenSSL down to a few crypto and hash sets as a light crypto package too.

Re:Do what Amazon did...

[Kiwikwi]

Offer up a version of the the package that is small enough to be audited in detail so that there are very very very few bugs with it.

I think they said they had it down to 6k?

Amazon's package depends on OpenSSL. What they've essentially done is to build an OpenSSL version that's 6k bigger than the existing monster.

Re:Do what Amazon did...

[StikyPad]

security or covering your car with stickers and truck nuts.

A "Sophie's Choice," if ever there was one.

Re:Do what Amazon did...

[Karmashock]

Only aspects of it and they can use other liberaries if they want.

The point remains that the code base can be simplified.

A big issue I see with a lot of these projects is that they get too complicated. Rather than adding new features they should simply compartmentalize the code so that portions of it can do these things but they exist at seperately audited components... and should only be used if actually needed.

I've no interest in getting involved in a tit for tat with you. We know there are problems maintaining the integrity of security code against hackers.

You know that. This is not disputable.

The world is changing and the standards upon which security is judged are changing with them. Business as usual is not acceptable. We're coming to adapt or die time.

I choose life and relevance. Anyone that wishes to choose obsolescence and death is welcome to do so. Those that remain will make all future decisions.

No more!

[Aethedor]

Every software developer, please stop using OpenSSL. It was crap then, it is crap now and it will be crap tomorrow. And LibreSSL is not the solution. You can't turn crap into something nice. You want a decent SSL library, try mbed TLS. Unlike OpenSSL, this library has good documentation (example programs included), has a logical and sane API (no ugly callback shit) and its code is clean and secure.

I switched from OpenSSL to mbed TLS (named PolarSSL back then) in my open source project some time ago. I should have done it more early! The migration was easy and only cost me a few days. So, stop punishing yourself and give mbed TLS a try. You won't regret it!!

Disclaimer:
No, I'm in no way connected to mbed TLS. Just a happy mbed TLS user who doesn't understand why people keep on torturing themselves and their users.

Re:No more!

GPLv2 (not LGPL) will be a big showstopper for some projects.

Re:No more!

How about this: mbed TLS is under either a pay-for commercial license or the GPL, none of which are suitable to everyone's need, as opposed to Open/LibreSSL BSD or BSD-like licenses.

Granted they have a disclaimer at the end about "FOSS License Exception" that makes it *seem* like you can at least use it with most FOSS. But for proprietary software, nothing beats BSD, Apache and the likes.

This being said, thanks, I'll take a look at it next time I need a TLS library for an open source project.

Re:No more!

[serviscope_minor]

You can't turn crap into something nice.

Yes you can.

OpenSSL has good implementations of the core algorithms surrounded by a mountain of crap. LibreSSL strips that out leaving a goo, solid system.

Re:No more!

This takes a while. Most servers will be waiting for distributions to be changing their dependencies, and many (if not most) of those will be waiting for LTS versions to flop over. RHEL switched to MariaDB. Most RHEL installs are on v5 and v6 and it will be a long long time before (if even) they will be running MariaDB. Plus there's that pesky systemd to stay away from.

Years for the mainstream.

In the meantime, I'm happy people are finding and fixing bugs.

Re:No more!

LibreSSL strips that out leaving a goo, solid system.

No, I think LibreSSL leaves out the goo.

Re:No more!

LibreSSL strips that out leaving a goo, solid system.

Incredible how human brain and subconscious will speak the truth even if the human attached to the brain is not aware of it.

Re:No more!

[operagost]

LibreSSL strips that out leaving a goo, solid system.

Mmm... free goo.

Re:No more!

[phantomfive]

Eventually. In the June 11th OpenSSL bug fix, LibreSSL was found to be vulnerable to 3 out 7 of the same vulnerabilities. Source. LibreSSL is better, but still has a lot of weaknesses.

Re:No more!

[WaffleMonster]

Every software developer, please stop using OpenSSL

It was crap then, it is crap now and it will be crap tomorrow. And LibreSSL is not the solution. You can't turn crap into something nice.

You need to provide a coherent reason if you want people to do what you ask. "Cuz it's crap" does not convey objectively useful information.

You want a decent SSL library, try mbed TLS.

Lost me at GPL. Lack of SRP and DTLS also deal breakers.

No, I'm in no way connected to mbed TLS. Just a happy mbed TLS user who doesn't understand why people keep on torturing themselves and their users.

I'm happy it works for you.

Re:No more!

[Eythian]

It can be GPLv3 too, so that's OK.

Re:No more!

[Kiwikwi]

Before complaining about mbed TLS's GPLv2 license, you should probably be aware that OpenSSL uses its own application-specific license, which is not OSI approved. The license contains an advertising clause similar to the original BSD license; that makes OpenSSL both GPL-incompatible and a general PITA to work with.

In fact, I'd wager that almost every time OpenSSL is redistributed, it's done in violation of the license. When was the last time you saw a product advertising that "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit"? That text has to appear whenever you advertise any OpenSSL-based crypto functionality.

The license is technically libre, but only by the skin of its teeth...

Re:No more!

[dotancohen]

GPLv2 (not LGPL) will be a big showstopper for some projects.

So those open source projects that ensure that code is contributed back to the community, will enjoy this code contribution and be secure. GPL cuts both ways, sure, and I'm actually glad that the secure option requires code to be contributed back.

Freetards Assemble!

I'm sure this time you guys got it right! OpenSSL for the meh!

Re:Freetards Assemble!

[rubycodez]

with a solid foundation of systemd under it, openssl can be robust, secure and unstoppable!

The Microsoft Register :)

Would that be the Microsoft Register: 2 mentions of Microsoft and 4 mentions of Windows and 2 negative mentions of Apple on the main page. The editor has never forgot Apple de-inviting him to a corporate freebie.

Hu?

[stackOVFL]

Why not just fix it using a carbon nanotube? They use them to fix everything else.

We, Gods of OpenSSL

[Nikademus]

We, Gods of OpenSSL are announcing that there will be a patch in 2 days. We will not tell you what it is as you could patch it yourself or use any of the forks that we dislike like LibreSSL. Surely we will not reveal what it is as bad people could use it (trust us, we tell you they cannot already). The only thing we will say is that it was introduced after 1.0.0,so we are sure you won't find out and that The Big Vendors who pay us will be able to deliver a patch when they are ready. And bad guys won't be able to annoy you because we know they are morons and won't find out...

Wanna know the vulnerability?

[barbariccow]

Want to know the vulnerability? Diff the latest from last version without - 1.0.0. Compare. :)

Re:Wanna know the vulnerability?

... because the one and only change between 1.0.0 and the next version was the bit of code that has the bug.

Re:Wanna know the vulnerability?

Obviously.

Re: Wanna know the vulnerability?

[Zero__Kelvin]

man git-bisect

Re: Wanna know the vulnerability?

If you'd read that yourself, you'd know that you have to tell it which revisions have the bug and which don't. Kinda hard if you know nothing about the bug beyond that it exists.

FIPS certification

[thegarbz]

The comment title says it all. Many developers don't torture themselves. Other people do the torturing by specifying OpenSSL effectively as a requirement. mbed TLS is not FIPS compliant based on a quick google search.

Re: FIPS certification

[Aethedor]

If mbed TLS isn't and OpenSSL is, than it says more about FIPS than about mbed TLS.

Re: FIPS certification

[thegarbz]

Regulations and certification rarely make sense.

better cancel your weekend plans

[SchroedingersCat]

... and clean the coffee machine

Mysterious?!! (much ado about nothing)

[Demonoid-Penguin]

When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled.
original advisory Hidden in plain sight. (sigh)

Isn't The Register a news satire site? [if not it needs reclassifying]

Re:Mysterious?!! (much ado about nothing)

This is a different bug.