Updated OpenSSL Patch Presentation
I recorded an updated Internet Storm Center Briefing for today's OpenSSL patches. It corrects a couple of mistakes from this afternoon's live presentation and adds additional details to CVE-2014-0195.
More Details Regarding CVE-2014-0195 (DTLS arbitrary code execution)
HP's Zero Day Initiative released a few more details about this bug explaining the nature of the problem. It is actually remarkably similar to some of the IP fragmentation bug we have see in the past.
DTLS attempts to avoid IP fragmentation. But many SSL related messages contain data (for example certificates) that exceed common network MTUs. As a result, DTLS fragments the messages. Each message fragment contains 3 length related fields:
- Message size (Length) - this is the total size after reassembly. Should be same for all fragments
- Fragment Offset - where does this fragment fit in the original message.
- Fragment Length - how much data does this fragment contain.
If there is no fragmentation, the fragment length is equal to the message size. However, if the fragment length is less then the message size, we do have fragmentation. Each fragment should indicate the same message size.
This is different from IP. In IP, the fragment does not know how large the original package was, and we use the "more fragment" flag to figure out when all fragments are received.
Once OpenSSL receives a fragment, it allocates "Length" bytes to reassemble the entire message. However, the trick is that the next fragment may actually indicate a larger message size, and as a result, deliver more data then OpenSSL reserved, leading to a typical buffer overflow.
You can see the complete source code at HP's blog, including a Wireshark display of a PoC packet. This essentially provides a PoC for this vulnerability. Interestingly Wireshark does recognize this as an error.
[1] http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002#.U5C78BYXk2-
Â
(this is different, but sort of reminds me of the OpenBSD mbuf problem in IPv6, CVE-2007-1365)
Critical OpenSSL Patch Available. Patch Now!
[Webcast Correction] Important correction to the webcast. The MITM attack does not just affect DTLS. It does affect TLS (TCP) as well.
Quick Q&A Summary from the webcast:
- The MITM vulnerablity only affects servers that run OpenSSL 1.0.1 but all clients. Both have to be vulnerable to exploit this problem.
- The MITM vulnerability is not just DTLS (sorry, had that wrong during the webcast)
- Common DTLS applications: Video/Voice over IP, LDAP, SNMPv3, WebRTC
â??- Web servers (https) can not use DTLS.
- OpenVPN's "auth-tls" feature will likely mitigate all these vulnerabilities
- Even if you use "commercial software", it may still use OpenSSL.
Â
---------
The OpenSSL team released a critical security update today. The update patches 6 flaws. 1 of the flaws (CVE-2014-0195) may lead to arbitrary code execution. [1]
All versions of OpenSSL are vulnerable to CVE-2014-0195, but this vulnerability only affects DTLS clients or servers (look for SSL VPNs... not so much HTTPS).
I also rated CVE-2014-0224 critical, since it does allow for MiTM attacks, one of the reasons you use SSL. But in order to exploit this issue, both client and server have to be vulnerable, and only openssl 1.0.1 is vulnerable on servers (which is why I stuck with "important" for servers). The discoverer of this vulnerability released details here: http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html .
CVE-2010-5298 does allow third parties to inject data into existing SSL connections. This could be a big deal, but according to the OpenSSL advisory, the SSL_MODE_RELEASE_BUFFERS feature is usually not enabled.
Make sure you update to one of these OpenSSL versions:
OpenSSL 0.9.8za (openssl ran out of letters, so instead of calling this one 'z' they call it 'za' to allow for future releases. However, this *may* be the last 0.9.8 release).
OpenSSL 1.0.0m
OpenSSL 1.0.1h
CVE | Name | Impact | Vulnerable Versions | Client | Server |
CVE-2014-0224 | SSL/TLS MITM Vulnerability | MiTM | Server: 1.0.1, Client: 0.9.8,1.0.0,1.0.1 (both have to be vulnerable) | Critical | Important |
CVE-2014-0221 | DTLS recursion flaw | DoS | 0.9.8,1.0.0,1.0.1 | Important | Not Affected |
CVE-2014-0195 | DTLS invalid fragment vulnerability | Code Exec. | 0.9.8,1.0.0,1.0.1 | Critical | Critical |
CVE-2014-0198 | SSL_MODE_RELEASE_BUFFERS NULL pointer dereference | DoS | 1.0.0,1.0.1 (neither affected in default config) |
Important | Important |
CVE-2010-5298 | SSL_MODE_RELEASE_BUFFERS session injection | DoS or Data Injection | 1.0.0, 1.0.1 (in multithreaded applications, not in default config) |
Important | Important |
CVE-2014-3470 | Anonymous ECDH Denial of Service | DoS | 0.9.8, 1.0.0, 1.0.1 | Important | Not Affected |
Vendor Information:
Redhat | https://rhn.redhat.com/errata/RHSA-2014-0625.html https://rhn.redhat.com/errata/RHSA-2014-0626.html |
Ubuntu | http://www.ubuntu.com/usn/usn-2232-1/ |
FreeBSD | http://www.freebsd.org/security/advisories/FreeBSD-SA-14:14.openssl.asc |
Debian | http://www.debian.org/security/2014/dsa-2950 |
OpenSuse | http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00003.html |
Amazon AWS | http://aws.amazon.com/security/security-bulletins/openssl-security-advisory/ |
[1] https://www.openssl.org/news/secadv_20140605.txt
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
https://defineprogramming.com/
Dec 26th 2022
9 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
9 months ago
rthrth
Jan 2nd 2023
8 months ago