(NetBSD Issues Fix) OpenSSL Invalid TLS/DTLS Record Processing Lets Remote Users Deny Service
SecurityTracker Alert ID: 1027136
SecurityTracker URL: http://securitytracker.com/id/1027136
Date: Jun 8 2012
Denial of service via network
Fix Available: Yes  Vendor Confirmed: Yes
Version(s): prior to versions 0.9.8x, 1.0.0j, 1.0.1c
A vulnerability was reported in OpenSSL. A remote user can cause denial of service conditions.
A remote user can send specially crafted TLS/DTLS records to cause denial of service conditions.
The CBC mode ciphersuites in TLS 1.1, 1.2 and DTLS are affected.
Both clients and servers are affected.
DTLS is affected in all versions of OpenSSL.
TLS is affected in OpenSSL version 1.0.1 and later.
Codenomicon reported this vulnerability.
A remote user can cause denial of service conditions.
NetBSD has issued a fix.
The NetBSD advisory is available at:
Vendor URL: www.openssl.org/news/secadv_20120510.txt
Input validation error, State error
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Fri, 08 Jun 2012 06:22:27 +0000
NetBSD Security Advisory 2012-002
Topic: OpenSSL Invalid TLS/DTLS record attack
Version: NetBSD-current: source prior to May 12th, 2012
NetBSD 6.0 Beta: affected
NetBSD 5.0.*: affected
NetBSD 5.0: affected
NetBSD 5.1: affected
NetBSD 4.0.*: affected
NetBSD 4.0: affected
Severity: remote DoS
Fixed: NetBSD-current: May 11th, 2012
NetBSD 6.0 Beta: May 22nd, 2012
NetBSD-5-0 branch: May 22nd, 2012
NetBSD-5-1 branch: May 22nd, 2012
NetBSD-5 branch: May 22nd, 2012
NetBSD-4-0 branch: May 22nd, 2012
NetBSD-4 branch: May 22nd, 2012
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and
DTLS can be exploited in a denial of service attack on both clients and
servers. DTLS applications are affected in all versions of OpenSSL. TLS is only
affected in OpenSSL 1.0.1 and later.
TLS is thus affected in NetBSD-6 and -current.
This vulnerability has been assigned CVE-2012-2333.
When receiving TLS or DTLS packets, OpenSSL first subtracts the
number of padding bytes from the record size. Next, it subtracts
the size of a data structure used to initialize CBC encryption modes;
the vulnerable version does this without checking the remaining size of
the record, so the result can go negative and re-map into a
rather large record size and consequently buffer over-read and
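The length arithmetic described above, as an added illustration in C that is not OpenSSL's code: a model of the vulnerable subtraction (padding, then the explicit-IV block, with no check that the record is still long enough) beside a checked version that rejects short records. The block size, record sizes and padding lengths are constructed for the demo.

```c
/* Added illustration (not OpenSSL's code) of the record-length arithmetic
 * in the advisory. Lengths are size_t, so a subtraction that "goes negative"
 * does not fail; it wraps to a huge value that a caller would then try to read. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SIZE 16u   /* CBC block size; TLS 1.1+/DTLS carry one block of explicit IV */

/* Vulnerable model: subtract the padding (plus its length byte) and then the IV
 * block, never checking that enough record remains. Returns the wrapped value. */
size_t payload_len_unchecked(size_t rec_len, size_t pad_len)
{
    size_t len = rec_len;
    len -= pad_len + 1;     /* padding bytes plus the padding-length byte */
    len -= BLOCK_SIZE;      /* explicit IV; underflows if the record is too short */
    return len;             /* "negative" length re-mapped to a very large one */
}

/* Checked model: validate each subtraction before doing it. Returns the payload
 * length, or -1 so the caller can reject the record instead of over-reading. */
long payload_len_checked(size_t rec_len, size_t pad_len)
{
    if (pad_len + 1 > rec_len)
        return -1;                  /* padding claims more bytes than exist */
    rec_len -= pad_len + 1;
    if (rec_len < BLOCK_SIZE)
        return -1;                  /* no room left for the explicit IV */
    rec_len -= BLOCK_SIZE;
    return (long)rec_len;
}

int main(void)
{
    /* Constructed record: 16 bytes on the wire, padding-length byte claims 15. */
    printf("unchecked: %zu bytes to process\n", payload_len_unchecked(16, 15));
    printf("checked:   %ld (negative means rejected)\n", payload_len_checked(16, 15));
    /* Constructed well-formed record: 48 bytes, 7 padding bytes -> 24 payload bytes. */
    printf("checked:   %ld payload bytes\n", payload_len_checked(48, 7));
    return 0;
}
```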
Solutions and Workarounds
Patch, recompile, and reinstall the library.
CVS branch Rev.
Thanks to Codenomicon for discovering and Stephen Henson of the
OpenSSL core team for fixing this issue.
2012-06-06 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2012, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2012-002.txt,v 1.2 2012/06/06 19:46:15 tonnerre Exp $