ID

VAR-201501-0442

CVE

CVE-2014-8275

TITLE

OpenSSL Vulnerable to breaking fingerprint-based authentication blacklist protection mechanism

DESCRIPTION

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c. OpenSSL is prone to a local security-bypass vulnerability. Local attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:062 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : openssl Date : March 27, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in openssl: Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment (CVE-2010-5298). The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack (CVE-2014-0076). The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug (CVE-2014-0160). The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment (CVE-2014-0195). The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition (CVE-2014-0198). OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the CCS Injection vulnerability (CVE-2014-0224). The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value (CVE-2014-3470). The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the POODLE issue (CVE-2014-3566). The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix (CVE-2014-3569). OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c (CVE-2014-3571). The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message (CVE-2014-3572). The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the FREAK issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations (CVE-2015-0204). Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection (CVE-2015-0206). Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import (CVE-2015-0209). The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse (CVE-2015-0287). The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c (CVE-2015-0289). The updated packages have been upgraded to the 1.0.1m version where these security flaws has been fixed. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293 http://openssl.org/news/secadv_20150108.txt http://openssl.org/news/secadv_20150319.txt _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: 324a85f7e1165ab02881e44dbddaf599 mbs2/x86_64/lib64openssl1.0.0-1.0.1m-1.mbs2.x86_64.rpm 9c0bfb6ebd43cb6d81872abf71b4f85f mbs2/x86_64/lib64openssl-devel-1.0.1m-1.mbs2.x86_64.rpm 58df54e72ca7270210c7d8dd23df402b mbs2/x86_64/lib64openssl-engines1.0.0-1.0.1m-1.mbs2.x86_64.rpm b5313ffb5baaa65aea05eb05486d309a mbs2/x86_64/lib64openssl-static-devel-1.0.1m-1.mbs2.x86_64.rpm a9890ce4c33630cb9e00f3b2910dd784 mbs2/x86_64/openssl-1.0.1m-1.mbs2.x86_64.rpm 521297a5fe26e2de0c1222d8d03382d1 mbs2/SRPMS/openssl-1.0.1m-1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVFTm1mqjQ0CJFipgRAoYFAKCaubn00colzVNnUBFjSElyDptGMQCfaGoS kz0ex6eI6hA6qSwklA2NoXY= =GYjX -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04604357 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04604357 Version: 1 HPSBGN03299 rev.1 - HP IceWall SSO Dfw, SSO Certd, MCRP, and Federation Agent running OpenSSL, Remote Disclosure of Information, Unauthorized Access NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2015-03-19 Last Updated: 2015-03-19 Potential Security Impact: Remote disclosure of information, unauthorized access Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP IceWall SSO Dfw, SSO Certd, MCRP, and Federation Agent running OpenSSL including: The SSL vulnerability known as "FREAK", which could be exploited remotely to allow disclosure of information. Other vulnerabilities which could be exploited remotely resulting in unauthorized access. References: CVE-2014-3570 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 SSRT101987 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. CVE-2014-3572 and CVE-2015-0204 HP IceWall MCRP Version 2.1 and 3.0 HP IceWall SSO Dfw Version 8.0, 8.0 R1, 8.0 R2, 8.0 R3, and Version 10.0 HP IceWall SSO Certd Version 8.0R3 with DB plugin patch 2 and Version 10.0 HP IceWall Federation Agent Version 3.0 CVE-2014-3570 and CVE-2014-8275 HP IceWall MCRP v2.1, v3.0 HP IceWall SSO Dfw v8.0, v8.0 R1, v8.0 R2, v8.0 R3, and v10.0 HP IceWall SSO Agent v8.0 and v8.0 2007 Update Release 2 BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2015-0204 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP recommends the following software updates and workaround instructions to resolve the vulnerabilities for HP IceWall SSO Dfw, SSO Certd, MCRP, and Federation Agent. IceWall SSO Dfw 10.0 and Certd 10.0, which are running on RHEL, could be using either the OS bundled OpenSSL library or the OpenSSL bundled with HP IceWall. If still using the OpenSSL bundled with HP IceWall, please switch to the OpenSSL library bundled with the OS, and then follow the instructions in step 3. Documents are available at the following location with instructions to switch to the OS bundled OpenSSL library: http://www.hp.com/jp/icewall_patchaccess 2. For IceWall SSO Dfw and Certd for SSO Dfw 8.0, 8.0 R1, 8.0 R2, 8.0 R3, and SSO Certd 8.0 R3 with DB plugin patch 2, which bundle OpenSSL, please download the updated OpenSSL at the following location: http://www.hp.com/jp/icewall_patchaccess 3. For HP IceWall products running on RHEL and are using the OS bundled OpenSSL, RHEL has provided patch or mitigation instructions at the following location: https://access.redhat.com/articles/1369543 Note: For RHEL6 (only) and CVE-2014-8275, please apply the RHEL6 patch for OpenSSL from the following location: https://access.redhat.com/security/cve/CVE-2014-8275 4. For IceWall products running on HP-UX which are using the OS bundled OpenSSL, please apply the HP-UX OpenSSL update from the following location: https://h20392.www2.hp.com/portal/swdepot/displayInstallInfo.do?produ ctNumber=OPENSSL11I WORKAROUND INSTRUCTIONS HP recommends the following information to protect against potential risk from CVE-2014-3572 and CVE-2015-0204 for the following HP IceWall products. HP IceWall SSO Dfw and MCRP - If possible, do not use the SHOST setting which allows IceWall SSO Dfw or MCRP to use SSL/TLS protocol to back-end web servers. - If possible, do not use EXPORT-grade ciphers on the back-end web servers. HP IceWall SSO Certd (version 10.0 and 8.0R3 applied DB plugin patch release 2) - If possible, do not use the LDAPSSL setting which allows IceWall SSO Certd to connect to the LDAP server using SSL/TLS protocol. - If possible, do not use EXPORT-grade ciphers on the LDAP server. IceWall Federation Agent - If possible, use "bindings:HTTP-POST" instead of "bindings:HTTP-Artifact" setting in the service provider meta file. The "bindings:HTTP-POST" setting would disable IWFA to use SSL for communicating with IdP server. Note: The HP IceWall product is only available in Japan. HISTORY Version:1 (rev.1) - 19 March 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. 5 client) - i386, x86_64 3. Note: this flaw is not exploitable via the TLS/SSL protocol because the data being transferred is not Base64-encoded. TLS/SSL clients and servers using OpenSSL were not affected by this flaw. (CVE-2015-0289) Red Hat would like to thank the OpenSSL project for reporting CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293. Upstream acknowledges Emilia Käsper of the OpenSSL development team as the original reporter of CVE-2015-0287, Brian Carpenter as the original reporter of CVE-2015-0288, Michal Zalewski of Google as the original reporter of CVE-2015-0289, Robert Dugal and David Ramos as the original reporters of CVE-2015-0292, and Sean Burford of Google and Emilia Käsper of the OpenSSL development team as the original reporters of CVE-2015-0293. OpenSSL Security Advisory [08 Jan 2015] ======================================= DTLS segmentation fault in dtls1_get_record (CVE-2014-3571) =========================================================== Severity: Moderate A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack. This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8. OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k. OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p. OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zd. This issue was reported to OpenSSL on 22nd October 2014 by Markus Stenberg of Cisco Systems, Inc. The fix was developed by Stephen Henson of the OpenSSL core team. DTLS memory leak in dtls1_buffer_record (CVE-2015-0206) ======================================================= Severity: Moderate A memory leak can occur in the dtls1_buffer_record function under certain conditions. In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch. The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion. This issue affects OpenSSL versions: 1.0.1 and 1.0.0. OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k. OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p. This issue was reported to OpenSSL on 7th January 2015 by Chris Mueller who also provided an initial patch. Further analysis was performed by Matt Caswell of the OpenSSL development team, who also developed the final patch. no-ssl3 configuration sets method to NULL (CVE-2014-3569) ========================================================= Severity: Low When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl method would be set to NULL which could later result in a NULL pointer dereference. This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8. OpenSSL 1.0.1 users should upgrade to 1.0.1k. OpenSSL 1.0.0 users should upgrade to 1.0.0p. OpenSSL 0.9.8 users should upgrade to 0.9.8zd. This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The fix was developed by Kurt Roeckx. ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572) ========================================================== Severity: Low An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. This effectively removes forward secrecy from the ciphersuite. This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8. OpenSSL 1.0.1 users should upgrade to 1.0.1k. OpenSSL 1.0.0 users should upgrade to 1.0.0p. OpenSSL 0.9.8 users should upgrade to 0.9.8zd. This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team. RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) ============================================================== Severity: Low An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. A server could present a weak temporary key and downgrade the security of the session. This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8. OpenSSL 1.0.1 users should upgrade to 1.0.1k. OpenSSL 1.0.0 users should upgrade to 1.0.0p. OpenSSL 0.9.8 users should upgrade to 0.9.8zd. This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team. DH client certificates accepted without verification [Server] (CVE-2015-0205) ============================================================================= Severity: Low An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This effectively allows a client to authenticate without the use of a private key. This only affects servers which trust a client certificate authority which issues certificates containing DH keys: these are extremely rare and hardly ever encountered. This issue affects OpenSSL versions: 1.0.1 and 1.0.0. OpenSSL 1.0.1 users should upgrade to 1.0.1k. OpenSSL 1.0.0 users should upgrade to 1.0.0p. This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team. Certificate fingerprints can be modified (CVE-2014-8275) ======================================================== Severity: Low OpenSSL accepts several non-DER-variations of certificate signature algorithm and signature encodings. OpenSSL also does not enforce a match between the signature algorithm between the signed and unsigned portions of the certificate. By modifying the contents of the signature algorithm or the encoding of the signature, it is possible to change the certificate's fingerprint. This does not allow an attacker to forge certificates, and does not affect certificate verification or OpenSSL servers/clients in any other way. It also does not affect common revocation mechanisms. Only custom applications that rely on the uniqueness of the fingerprint (e.g. certificate blacklists) may be affected. This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8. OpenSSL 1.0.1 users should upgrade to 1.0.1k. OpenSSL 1.0.0 users should upgrade to 1.0.0p. OpenSSL 0.9.8 users should upgrade to 0.9.8zd. One variant of this issue was discovered by Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program and reported to OpenSSL on 1st December 2014 by NCSC-FI Vulnerability Co-ordination. Another variant was independently reported to OpenSSL on 12th December 2014 by Konrad Kraszewski from Google. Further analysis was conducted and fixes were developed by Stephen Henson of the OpenSSL core team. Bignum squaring may produce incorrect results (CVE-2014-3570) ============================================================= Severity: Low Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. This bug occurs at random with a very low probability, and is not known to be exploitable in any way, though its exact impact is difficult to determine. The following has been determined: *) The probability of BN_sqr producing an incorrect result at random is very low: 1/2^64 on the single affected 32-bit platform (MIPS) and 1/2^128 on affected 64-bit platforms. *) On most platforms, RSA follows a different code path and RSA operations are not affected at all. For the remaining platforms (e.g. OpenSSL built without assembly support), pre-existing countermeasures thwart bug attacks [1]. *) Static ECDH is theoretically affected: it is possible to construct elliptic curve points that would falsely appear to be on the given curve. However, there is no known computationally feasible way to construct such points with low order, and so the security of static ECDH private keys is believed to be unaffected. *) Other routines known to be theoretically affected are modular exponentiation, primality testing, DSA, RSA blinding, JPAKE and SRP. No exploits are known and straightforward bug attacks fail - either the attacker cannot control when the bug triggers, or no private key material is involved. This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8. OpenSSL 1.0.1 users should upgrade to 1.0.1k. OpenSSL 1.0.0 users should upgrade to 1.0.0p. OpenSSL 0.9.8 users should upgrade to 0.9.8zd. This issue was reported to OpenSSL on 2nd November 2014 by Pieter Wuille (Blockstream) who also suggested an initial fix. Further analysis was conducted by the OpenSSL development team and Adam Langley of Google. The final fix was developed by Andy Polyakov of the OpenSSL core team. [1] http://css.csail.mit.edu/6.858/2013/readings/rsa-bug-attacks.pdf Note ==== As per our previous announcements and our Release Strategy (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these releases will be provided after that date. Users of these releases are advised to upgrade. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv_20150108.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/about/secpolicy.html . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openssl security update Advisory ID: RHSA-2015:0066-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0066.html Issue date: 2015-01-20 Updated on: 2015-01-21 CVE Names: CVE-2014-3570 CVE-2014-3571 CVE-2014-3572 CVE-2014-8275 CVE-2015-0204 CVE-2015-0205 CVE-2015-0206 ===================================================================== 1. Summary: Updated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Datagram Transport Layer Security (DTLS) protocols, as well as a full-strength, general purpose cryptography library. A NULL pointer dereference flaw was found in the DTLS implementation of OpenSSL. A remote attacker could send a specially crafted DTLS message, which would cause an OpenSSL server to crash. A remote attacker could send multiple specially crafted DTLS messages to exhaust all available memory of a DTLS server. This flaw could possibly affect certain OpenSSL library functionality, such as RSA blinding. (CVE-2014-3570) It was discovered that OpenSSL would perform an ECDH key exchange with a non-ephemeral key even when the ephemeral ECDH cipher suite was selected. An attacker could use these flaws to modify an X.509 certificate to produce a certificate with a different fingerprint without invalidating its signature, and possibly bypass fingerprint-based blacklisting in applications. (CVE-2015-0205) All OpenSSL users are advised to upgrade to these updated packages, which contain a backported patch to mitigate the above issues. For the update to take effect, all services linked to the OpenSSL library (such as httpd and other SSL-enabled services) must be restarted or the system rebooted. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1180184 - CVE-2015-0204 openssl: Only allow ephemeral RSA keys in export ciphersuites 1180185 - CVE-2014-3572 openssl: ECDH downgrade bug fix 1180187 - CVE-2014-8275 openssl: Fix various certificate fingerprint issues 1180234 - CVE-2014-3571 openssl: DTLS segmentation fault in dtls1_get_record 1180235 - CVE-2015-0206 openssl: DTLS memory leak in dtls1_buffer_record 1180239 - CVE-2015-0205 openssl: DH client certificates accepted without verification 1180240 - CVE-2014-3570 openssl: Bignum squaring may produce incorrect results 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: openssl-1.0.1e-30.el6_6.5.src.rpm i386: openssl-1.0.1e-30.el6_6.5.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm x86_64: openssl-1.0.1e-30.el6_6.5.i686.rpm openssl-1.0.1e-30.el6_6.5.x86_64.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm openssl-devel-1.0.1e-30.el6_6.5.i686.rpm openssl-perl-1.0.1e-30.el6_6.5.i686.rpm openssl-static-1.0.1e-30.el6_6.5.i686.rpm x86_64: openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm openssl-devel-1.0.1e-30.el6_6.5.i686.rpm openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: openssl-1.0.1e-30.el6_6.5.src.rpm x86_64: openssl-1.0.1e-30.el6_6.5.i686.rpm openssl-1.0.1e-30.el6_6.5.x86_64.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm openssl-devel-1.0.1e-30.el6_6.5.i686.rpm openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: openssl-1.0.1e-30.el6_6.5.src.rpm i386: openssl-1.0.1e-30.el6_6.5.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm openssl-devel-1.0.1e-30.el6_6.5.i686.rpm ppc64: openssl-1.0.1e-30.el6_6.5.ppc.rpm openssl-1.0.1e-30.el6_6.5.ppc64.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.ppc.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.ppc64.rpm openssl-devel-1.0.1e-30.el6_6.5.ppc.rpm openssl-devel-1.0.1e-30.el6_6.5.ppc64.rpm s390x: openssl-1.0.1e-30.el6_6.5.s390.rpm openssl-1.0.1e-30.el6_6.5.s390x.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.s390.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.s390x.rpm openssl-devel-1.0.1e-30.el6_6.5.s390.rpm openssl-devel-1.0.1e-30.el6_6.5.s390x.rpm x86_64: openssl-1.0.1e-30.el6_6.5.i686.rpm openssl-1.0.1e-30.el6_6.5.x86_64.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm openssl-devel-1.0.1e-30.el6_6.5.i686.rpm openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): i386: openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm openssl-perl-1.0.1e-30.el6_6.5.i686.rpm openssl-static-1.0.1e-30.el6_6.5.i686.rpm ppc64: openssl-debuginfo-1.0.1e-30.el6_6.5.ppc64.rpm openssl-perl-1.0.1e-30.el6_6.5.ppc64.rpm openssl-static-1.0.1e-30.el6_6.5.ppc64.rpm s390x: openssl-debuginfo-1.0.1e-30.el6_6.5.s390x.rpm openssl-perl-1.0.1e-30.el6_6.5.s390x.rpm openssl-static-1.0.1e-30.el6_6.5.s390x.rpm x86_64: openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: openssl-1.0.1e-30.el6_6.5.src.rpm i386: openssl-1.0.1e-30.el6_6.5.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm openssl-devel-1.0.1e-30.el6_6.5.i686.rpm x86_64: openssl-1.0.1e-30.el6_6.5.i686.rpm openssl-1.0.1e-30.el6_6.5.x86_64.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm openssl-devel-1.0.1e-30.el6_6.5.i686.rpm openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm openssl-perl-1.0.1e-30.el6_6.5.i686.rpm openssl-static-1.0.1e-30.el6_6.5.i686.rpm x86_64: openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm Red Hat Enterprise Linux Client (v. 7): Source: openssl-1.0.1e-34.el7_0.7.src.rpm x86_64: openssl-1.0.1e-34.el7_0.7.x86_64.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm openssl-libs-1.0.1e-34.el7_0.7.i686.rpm openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm openssl-devel-1.0.1e-34.el7_0.7.i686.rpm openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm openssl-static-1.0.1e-34.el7_0.7.i686.rpm openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: openssl-1.0.1e-34.el7_0.7.src.rpm x86_64: openssl-1.0.1e-34.el7_0.7.x86_64.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm openssl-libs-1.0.1e-34.el7_0.7.i686.rpm openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm openssl-devel-1.0.1e-34.el7_0.7.i686.rpm openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm openssl-static-1.0.1e-34.el7_0.7.i686.rpm openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: openssl-1.0.1e-34.el7_0.7.src.rpm ppc64: openssl-1.0.1e-34.el7_0.7.ppc64.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.ppc.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.ppc64.rpm openssl-devel-1.0.1e-34.el7_0.7.ppc.rpm openssl-devel-1.0.1e-34.el7_0.7.ppc64.rpm openssl-libs-1.0.1e-34.el7_0.7.ppc.rpm openssl-libs-1.0.1e-34.el7_0.7.ppc64.rpm s390x: openssl-1.0.1e-34.el7_0.7.s390x.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.s390.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.s390x.rpm openssl-devel-1.0.1e-34.el7_0.7.s390.rpm openssl-devel-1.0.1e-34.el7_0.7.s390x.rpm openssl-libs-1.0.1e-34.el7_0.7.s390.rpm openssl-libs-1.0.1e-34.el7_0.7.s390x.rpm x86_64: openssl-1.0.1e-34.el7_0.7.x86_64.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm openssl-devel-1.0.1e-34.el7_0.7.i686.rpm openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm openssl-libs-1.0.1e-34.el7_0.7.i686.rpm openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: openssl-debuginfo-1.0.1e-34.el7_0.7.ppc.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.ppc64.rpm openssl-perl-1.0.1e-34.el7_0.7.ppc64.rpm openssl-static-1.0.1e-34.el7_0.7.ppc.rpm openssl-static-1.0.1e-34.el7_0.7.ppc64.rpm s390x: openssl-debuginfo-1.0.1e-34.el7_0.7.s390.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.s390x.rpm openssl-perl-1.0.1e-34.el7_0.7.s390x.rpm openssl-static-1.0.1e-34.el7_0.7.s390.rpm openssl-static-1.0.1e-34.el7_0.7.s390x.rpm x86_64: openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm openssl-static-1.0.1e-34.el7_0.7.i686.rpm openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: openssl-1.0.1e-34.el7_0.7.src.rpm x86_64: openssl-1.0.1e-34.el7_0.7.x86_64.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm openssl-devel-1.0.1e-34.el7_0.7.i686.rpm openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm openssl-libs-1.0.1e-34.el7_0.7.i686.rpm openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm openssl-static-1.0.1e-34.el7_0.7.i686.rpm openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-3570 https://access.redhat.com/security/cve/CVE-2014-3571 https://access.redhat.com/security/cve/CVE-2014-3572 https://access.redhat.com/security/cve/CVE-2014-8275 https://access.redhat.com/security/cve/CVE-2015-0204 https://access.redhat.com/security/cve/CVE-2015-0205 https://access.redhat.com/security/cve/CVE-2015-0206 https://access.redhat.com/security/updates/classification/#moderate https://www.openssl.org/news/secadv_20150108.txt 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUwCWMXlSAg2UNWIIRAioBAJ4/RjG4OGXzCwg+PJJWNqyvahe3rQCeNE+X ENFobdxQdJ+gVAiRe8Qf54A= =wyAg -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . References: CVE-2014-8275 Cryptographic Issues (CWE-310) CVE-2014-3569 Remote Denial of Service (DoS) CVE-2014-3570 Cryptographic Issues (CWE-310) CVE-2014-3571 Remote Denial of Service (DoS) CVE-2014-3572 Cryptographic Issues (CWE-310) CVE-2015-0204 Cryptographic Issues (CWE-310) SSRT101885 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. The updates are available from either of the following sites: ftp://sl098ze:Secure12@h2.usa.hp.com https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber =OPENSSL11I HP-UX Release HP-UX OpenSSL depot name B.11.11 (11i v1) OpenSSL_A.00.09.08ze.001_HP-UX_B.11.11_32_64.depot B.11.23 (11i v2) OpenSSL_A.00.09.08ze.002_HP-UX_B.11.23_IA-PA.depot B.11.31 (11i v3) OpenSSL_A.00.09.08ze.003_HP-UX_B.11.31_IA-PA.depot MANUAL ACTIONS: Yes - Update Install OpenSSL A.00.09.08ze or subsequent PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant

AFFECTED PRODUCTS