(IBM Issues Fix for AIX) OpenSSL Record Processing Bug Lets Remote Users Deny Service
SecurityTracker Alert ID: 1024030|
SecurityTracker URL: http://securitytracker.com/id/1024030
(Links to External Site)
Date: May 26 2010
Denial of service via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 0.9.8f through 0.9.8m|
A vulnerability was reported in OpenSSL. A remote user can cause denial of service conditions.|
A remote user can send a specially crafted record to cause the target service to crash.
The vulnerability resides in 'ssl/s3_pkt.c'.
Bodo Moeller and Adam Langley (Google) reported this vulnerability.
A remote user can cause the target service to crash.|
IBM has issued a fix for AIX.|
The IBM advisory is available at:
Vendor URL: openssl.org/news/secadv_20100324.txt (Links to External Site)
Access control error|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Date: Wed, 26 May 2010 19:53:01 +0000|
Subject: OpenSSL AIX
-----BEGIN PGP SIGNED MESSAGE-----
IBM SECURITY ADVISORY
First Issued: Fri May 21 10:09:57 CDT 2010
The most recent version of this document is available here:
VULNERABILITY: "Record of death" vulnerability
PLATFORMS: AIX 5.3, 6.1, and earlier releases
SOLUTION: Apply the fix as described below.
THREAT: See below
CVE Numbers: CVE-2009-3245
I. DESCRIPTION (from cve.mitre.org)
"In TLS connections, certain incorrectly formatted records can cause
an OpenSSL client or server to crash due to a read attempt at NULL."
"OpenSSL before 0.9.8m does not check for a NULL return value from
bn_wexpand function calls in (1) crypto/bn/bn_div.c,
(2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/
e_ubsec.c, which has unspecified impact and context-dependent attack
"The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL
before 0.9.8n, when Kerberos is enabled but Kerberos configuration
files cannot be opened, does not check a certain return value, which
allows remote attackers to cause a denial of service (NULL pointer
dereference and daemon crash) via SSL cipher negotiation, as
demonstrated by a chroot installation of Dovecot or stunnel without
Kerberos configuration files inside the chroot."
"The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f
through 0.9.8m allows remote attackers to cause a denial of service
(crash) via a malformed record in a TLS connection that triggers a
NULL pointer dereference, related to the minor version number."
Please see the following for more information:
II. PLATFORM VULNERABILITY ASSESSMENT
To determine if your system is vulnerable, execute the following
lslpp -L openssl.base
The following fileset levels are vulnerable:
AIX 6.1 and 5.3: all versions less than or equal 0.9.8.1103
AIX 6.1 and 5.3: FIPS capable versions less than or equal 126.96.36.1993
AIX 5.2: all versions less than or equal 0.9.8.806
IMPORTANT: If AIX OpenSSH is in use, it must be updated to version
5.0 or later when updating OpenSSL.
AIX OpenSSH can be downloaded from:
A fix is available, and it can be downloaded from:
To extract the fixes from the tar file:
zcat openssl.0.9.8.1103.tar.Z | tar xvf -
zcat openssl-fips.188.8.131.523.tar.Z | tar xvf -
zcat openssl.0.9.8.806.tar.Z | tar xvf -
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
To preview the fix installation:
installp -apYd . openssl
To install the fix package:
installp -aXYd . openssl
There are no workarounds.
V. CONTACT INFORMATION
If you would like to receive AIX Security Advisories via email,
and click on the "My notifications" link.
To view previously issued advisories, please visit:
Comments regarding the content of this announcement can be
To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:
A. Send an email with "get key" in the subject line to:
B. Download the key from our web page:
C. Download the key from a PGP Public Key Server. The key ID is:
Please contact your local IBM AIX support center for any
eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)
-----END PGP SIGNATURE-----