openSSL prior to 0.9.6k and including 0.9.7

squeen
Moderator
Posts: 2933
Joined: Fri May 09, 2003 6:10 am
Location: Maryland, USA

Post by squeen » Tue Sep 30, 2003 12:59 pm

That would include the latest freeware (Aug 2003) and the one shipping on the Aug. 2003 Applications CD.
OpenSSL contains multiple vulnerabilities related to ASN.1 parsing that can result in a denial of service on affected systems; it is unknown whether vulnerabilities allow the execution of arbitrary code on the system. Multiple vendors have released advisories and updated packages.


Description
-------------------------------------------------------------------------------------
OpenSSL contains multiple vulnerabilities in its method of ASN.1 parsing of client certificates. Each of the parsing vulnerabilities can result in a denial of service (DoS) for an affected system. Additionally, a protocol error has been discovered that causes OpenSSL to parse a client certificate when the certificate has not been requested.

The first vulnerability causes a DoS when the parser rejects certain ASN.1 encodings as invalid. These encodings can cause a stack corruption that may be exploitable to execute arbitrary code on the affected system.

The second vulnerability causes a DoS when certain ASN.1 tag values are specified. Such values can result in an out-of-bounds read under certain circumstances.

The third parsing vulnerability causes a DoS when a malformed public key exists in a certificate. This condition can only occur if the verify code is set to ignore public key decoding errors. This configuration is normally only in effect during debugging and should not affect a production environment.

The fourth vulnerability is a protocol handling error. This can cause servers to parse client certificates when the particular certificates have not been specifically requested. As a result, all implementations of the affected versions of OpenSSL are vulnerable, as they accept malformed client certificates.

Updated packages are available.

OpenSSL has released a security advisory at the following link: http://www.openssl.org/news/secadv_20030930.txt

nekonoko
Site Admin
Posts: 8145
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California

Re: openSSL prior to 0.9.6k and including 0.9.7

Post by nekonoko » Thu Oct 02, 2003 7:06 pm

I think you may have to recompile OpenSSH against this newer version as well - especially if you're upgrading from 0.9.6 to 0.9.7. I went ahead and did so just to be safe:

[Komugi:~] neko 1% ssh -V
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.
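
A version check built around the `ssh -V` banner shown in the post above, as an added example that is not part of the original posts: it extracts the OpenSSL version from such a banner and classifies it against the affected ranges (0.9.6 before 0.9.6k, and 0.9.7 before 0.9.7c, the fixed 0.9.7 release named in the linked OpenSSL advisory). The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are made up here.

# Extract the OpenSSL version (e.g. "0.9.7c") from an `ssh -V` style banner.
openssl_ver_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Print "affected", "fixed" or "unknown" for a version such as 0.9.6j.
classify_openssl() {
    ver=$1
    base=${ver%%[a-z]*}      # numeric part, e.g. 0.9.6
    letter=${ver#"$base"}    # patch letter, empty for a plain 0.9.7
    case $base in
        0.9.6) fixed=k ;;                      # first fixed 0.9.6 release
        0.9.7) fixed=c ;;                      # first fixed 0.9.7 release
        0.9.[0-5]) echo affected; return ;;    # branches older than 0.9.6
        *) echo unknown; return ;;             # outside the ranges in this thread
    esac
    # A release with no letter predates every lettered release of its branch.
    if [ -z "$letter" ]; then
        echo affected
        return
    fi
    # Patch letters sort alphabetically; compare in the C locale.
    if LC_ALL=C expr "$letter" \< "$fixed" >/dev/null; then
        echo affected
    else
        echo fixed
    fi
}

# Typical use on a live host (ssh -V writes its banner to stderr):
#   classify_openssl "$(openssl_ver_from_banner "$(ssh -V 2>&1)")"
```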

Post by squeen » Fri Oct 03, 2003 8:52 am

Any chance of a tardist of the fixes?

Post by nekonoko » Fri Oct 03, 2003 11:43 am

Well sure I could put something together I suppose, though for security related stuff like this I'm not sure how many would be interested in homebrew tardists :)

dexter1
Moderator
Posts: 2735
Joined: Thu Feb 20, 2003 6:57 am
Location: Zoetermeer, The Netherlands

Post by dexter1 » Sun Oct 26, 2003 1:08 am

Argh, they've updated openssh to 3.7.1p2 as Neko announced, but no update to openssl 0.9.6k.

Naughty SGI!
