SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (VPN)  >   OpenSSL Vendors:   OpenSSL.org
(IBM Issues Fix for AIX) OpenSSL Buffer Overflow in TLS Server Extension Parsing May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1026281
SecurityTracker URL:  http://securitytracker.com/id/1026281
CVE Reference:   CVE-2010-3864   (Links to External Site)
Date:  Nov 5 2011
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.9.8f through 0.9.8o; also 1.0.0, 1.0.0a
Description:   A vulnerability was reported in OpenSSL. A remote user can cause denial of service conditions. A remote user may be able to execute arbitrary code on the target system.

A remote user can send specially crafted data to exploit a TLS extension parsing race condition and trigger a buffer overflow, causing the target service to crash or potentially execute arbitrary code.

Multi-threaded TLS server applications that use OpenSSL's internal caching mechanism are affected.

The Apache HTTP server and Stunnel are not affected.

Rob Hulswit reported this vulnerability.
Impact:   A remote user may be able to execute arbitrary code on the target system.

A remote user can cause denial of service conditions.
Solution:   IBM has issued a fix for AIX.

The IBM advisory is available at:

http://aix.software.ibm.com/aix/efixes/security/openssl_advisory2.asc
Vendor URL:  www.openssl.org/news/secadv_20101116.txt (Links to External Site)
Cause:   Boundary error
Underlying OS:   UNIX (AIX)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 16 2010 OpenSSL Buffer Overflow in TLS Server Extension Parsing May Let Remote Users Execute Arbitrary Code


 Source Message Contents
Date:  Sat, 05 Nov 2011 04:10:51 +0000
Subject:  IBM AIX


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Nov 4 15:00:40 CDT 2011

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/openssl_advisory2.asc
or
ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory2.asc

VULNERABILITY SUMMARY

VULNERABILITY: Multiple OpenSSL vulnerabilities

PLATFORMS: AIX 5.3, 6.1, 7.1, and earlier releases

SOLUTION: Apply the fix as described below.

THREAT: See below

CVE Numbers: CVE-2011-0014
CVE-2010-3864
CVE-2010-4180

DETAILED INFORMATION

I. DESCRIPTION (from cve.mitre.org)

ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c
allows remote attackers to cause a denial of service (crash), and possibly
obtain sensitive information in applications that use OpenSSL, via a mal-
formed ClientHello handshake message that triggers an out-of-bounds memory
access, aka "OCSP stapling vulnerability."

Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o,
1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on
a TLS server, might allow remote attackers to execute arbitrary code via
client data that triggers a heap-based buffer overflow, related to (1) the
TLS server name extension and (2) elliptic curve cryptography.

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly
prevent modification of the ciphersuite in the session cache, which allows
remote attackers to force the downgrade to an unintended cipher via vectors
involving sniffing network traffic to discover a session identifier.

Please see the following for more information:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0014
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
http://www.openssl.org/news/secadv_20110208.txt
http://www.openssl.org/news/secadv_20101116.txt
http://www.openssl.org/news/secadv_20101202.txt

II. PLATFORM VULNERABILITY ASSESSMENT

To determine if your system is vulnerable, execute the following
command:

lslpp -L openssl.base

The following fileset levels are vulnerable:

AIX 7.1, 6.1, 5.3: all versions less than or equal 0.9.8.1103
AIX 7.1, 6.1, 5.3: FIPS capable versions less than or equal 12.9.8.1103
AIX 5.2: all versions less than or equal 0.9.8.806

IMPORTANT: If AIX OpenSSH is in use, it must be updated to version
5.0 or later when updating OpenSSL.

AIX OpenSSH can be downloaded from:

http://sourceforge.net/projects/openssh-aix

III. FIXES

A fix is available, and it can be downloaded from:

https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

To extract the fixes from the tar file:

zcat openssl.0.9.8.1302.tar.Z | tar xvf -
or
zcat openssl-fips.12.9.8.1302.tar.Z | tar xvf -
or
zcat openssl.0.9.8.808.tar.Z | tar xvf -

IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.

To preview the fix installation:

installp -apYd . openssl

To install the fix package:

installp -aXYd . openssl

IV. WORKAROUNDS

There are no workarounds.

V. CONTACT INFORMATION

If you would like to receive AIX Security Advisories via email,
please visit:

http://www.ibm.com/systems/support

and click on the "My notifications" link.

To view previously issued advisories, please visit:

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

Comments regarding the content of this announcement can be
directed to:

security-alert@austin.ibm.com

To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:

A. Send an email with "get key" in the subject line to:

security-alert@austin.ibm.com

B. Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

C. Download the key from a PGP Public Key Server. The key ID is:

      0x28BFAA12

Please contact your local IBM AIX support center for any
assistance.

eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFOtESp4fmd+Ci/qhIRAk4mAKCVeYi4ZAuUh1bgORbS+MZ8XeJk7gCghT3n
QNKg6/nkF/BHUihPfsxcsio=
=DWqt
-----END PGP SIGNATURE-----


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC