(IBM Issues Fix for AIX) OpenSSL Record Processing Bug Lets Remote Users Deny Service
SecurityTracker Alert ID: 1024030
SecurityTracker URL: http://securitytracker.com/id/1024030
CVE Reference: CVE-2010-0740
Date: May 26 2010
Impact:
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 0.9.8f through 0.9.8m
Description:
A vulnerability was reported in OpenSSL. A remote user can send a specially crafted (malformed) TLS record that triggers a NULL pointer dereference in the ssl3_get_record function, crashing the target client or server.
The vulnerability resides in 'ssl/s3_pkt.c'.
Bodo Moeller and Adam Langley (Google) reported this vulnerability.
Impact:
A remote user can cause the target service to crash.
Solution:
IBM has issued a fix for AIX.
The IBM advisory is available at:
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc
Vendor URL: openssl.org/news/secadv_20100324.txt
Cause:
Access control error
Underlying OS:
UNIX (AIX)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Wed, 26 May 2010 19:53:01 +0000
Subject: OpenSSL AIX
IBM SECURITY ADVISORY
First Issued: Fri May 21 10:09:57 CDT 2010
The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc
or
ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc
VULNERABILITY SUMMARY
VULNERABILITY: "Record of death" vulnerability
PLATFORMS: AIX 5.3, 6.1, and earlier releases
SOLUTION: Apply the fix as described below.
THREAT: See below
CVE Numbers: CVE-2009-3245
CVE-2010-0433
CVE-2010-0740
DETAILED INFORMATION
I. DESCRIPTION (from cve.mitre.org)
"In TLS connections, certain incorrectly formatted records can cause
an OpenSSL client or server to crash due to a read attempt at NULL."
"OpenSSL before 0.9.8m does not check for a NULL return value from
bn_wexpand function calls in (1) crypto/bn/bn_div.c,
(2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c,
which has unspecified impact and context-dependent attack
vectors."
"The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL
before 0.9.8n, when Kerberos is enabled but Kerberos configuration
files cannot be opened, does not check a certain return value, which
allows remote attackers to cause a denial of service (NULL pointer
dereference and daemon crash) via SSL cipher negotiation, as
demonstrated by a chroot installation of Dovecot or stunnel without
Kerberos configuration files inside the chroot."
"The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f
through 0.9.8m allows remote attackers to cause a denial of service
(crash) via a malformed record in a TLS connection that triggers a
NULL pointer dereference, related to the minor version number."
Please see the following for more information:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0740
http://cvs.openssl.org/chngview?cn=19307
http://cvs.openssl.org/chngview?cn=19374
http://www.openssl.org/news/secadv_20100324.txt
II. PLATFORM VULNERABILITY ASSESSMENT
To determine if your system is vulnerable, execute the following
command:
lslpp -L openssl.base
The following fileset levels are vulnerable:
AIX 6.1 and 5.3: all versions less than or equal to 0.9.8.1103
AIX 6.1 and 5.3: FIPS-capable versions less than or equal to 12.9.8.1103
AIX 5.2: all versions less than or equal to 0.9.8.806
IMPORTANT: If AIX OpenSSH is in use, it must be updated to version
5.0 or later when updating OpenSSL.
AIX OpenSSH can be downloaded from:
http://sourceforge.net/projects/openssh-aix
III. FIXES
A fix is available, and it can be downloaded from:
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp
To extract the fixes from the tar file:
zcat openssl.0.9.8.1103.tar.Z | tar xvf -
or
zcat openssl-fips.12.9.8.1103.tar.Z | tar xvf -
or
zcat openssl.0.9.8.806.tar.Z | tar xvf -
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
To preview the fix installation:
installp -apYd . openssl
To install the fix package:
installp -aXYd . openssl
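Sections II and III give the assessment and the fix as manual steps; the script below is an added example (not part of the IBM advisory) that parses `lslpp -L openssl.base` output and compares the fileset level against the advisory's thresholds for each AIX release. The lslpp sample is constructed, and the script assumes the Level column is the second field of that output.

```shell
#!/bin/sh
# Added example, not part of the IBM advisory: decide whether an AIX
# openssl.base fileset level falls in the vulnerable ranges from section II.
# Thresholds are the advisory's; the lslpp output below is constructed.

# Return 0 when dotted version $1 is numerically <= $2, field by field.
version_le() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        a=${a#*.};  b=${b#*.}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 0
}

# Return 0 (vulnerable) or 1 (fixed) for a fileset level on an AIX release;
# 2 means the release is not covered by this advisory.
openssl_vulnerable() {
    rel="$1" lvl="$2"
    case "$rel" in
        5.3|6.1)
            case "$lvl" in
                12.*) version_le "$lvl" 12.9.8.1103 ;;   # FIPS-capable fileset
                *)    version_le "$lvl" 0.9.8.1103 ;;
            esac ;;
        5.2) version_le "$lvl" 0.9.8.806 ;;
        *)   return 2 ;;
    esac
}

# Print the Level column for openssl.base from `lslpp -L openssl.base` on stdin.
lslpp_level() {
    awk '$1 == "openssl.base" { print $2 }'
}

# Constructed sample of lslpp -L output (not captured from a real host).
SAMPLE_LSLPP='  Fileset                   Level  State  Type  Description (Uninstaller)
  ---------------------------------------------------------------------------
  openssl.base         0.9.8.1100    C     F    Open Secure Socket Layer'

# On a real host, pipe `lslpp -L openssl.base` in and take the release from `oslevel`.
level=$(printf '%s\n' "$SAMPLE_LSLPP" | lslpp_level)
if openssl_vulnerable 6.1 "$level"; then
    echo "openssl.base $level is vulnerable to CVE-2010-0740; apply the IBM fix"
else
    echo "openssl.base $level is at a fixed level"
fi
```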
IV. WORKAROUNDS
There are no workarounds.
V. CONTACT INFORMATION
If you would like to receive AIX Security Advisories via email,
please visit:
http://www.ibm.com/systems/support
and click on the "My notifications" link.
To view previously issued advisories, please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
Comments regarding the content of this announcement can be
directed to:
security-alert@austin.ibm.com
To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:
A. Send an email with "get key" in the subject line to:
security-alert@austin.ibm.com
B. Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt
C. Download the key from a PGP Public Key Server. The key ID is:
0x28BFAA12
Please contact your local IBM AIX support center for any
assistance.
eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.