Threat Level: green Handler on Duty: Remco Verhoef

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-03-19 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

OpenSSL Patch Released

Published: 2015-03-19
Last Updated: 2015-03-19 15:07:27 UTC
by Johannes Ullrich (Version: 1)
8 comment(s)

As pre-announced, OpenSSL today released an update fixing 14 security flaws [1]. The good news: The only "high" vulnerability is present in the recently release version 1.0.2, which as far as I know is not yet used in any major operating system. But numerous of the "medium" vulnerabilities do have code execution potential (e.g. "memory corruption" issues), so do not delay patching too much. To answer your boss's first question: "No. This is not as bad as heartbleed".

This update affects all versions of SSL back to 0.9.8. See the table below for exact version numbers

Major Version Last Vulnerable Patched Max. Severity OS/Linux Distro Affected
1.0.2 1.0.2 1.0.2a high  
1.0.1 1.0.1l 1.0.1m moderate Ubuntu 14, CentOS 6, CentOS 6, 
RHEL 6, RHEL 7, OS X 10.10
1.0.0 (End of Live Dec 2015) 1.0.0q 1.0.0r moderate Ubuntu 12
0.9.8 (End of Live Dec 2015) 0.9.8ze 0.9.8zf moderate CentOS 5, RHEL 5

(the list of operating systems / linux distributions attempts to capture major versions and is not complete)

Summary of vulnerabilities

For many of the announcements, the impact is not clearly stated. Also note that some vulnerabilities only apply to stand alone scripts (e.g. during signing / encrypting files or verifying certificates loaded from files) and not to network clients or servers. 

CVE Description Impact OpenSSL Versions Affected Rating Server/ Client
CVE-2015-0291 ClientHello sigalgs DoS DoS 1.0.2 High Server
CVE-2015-0204 RSA silently downgrades to EXPORT_RSA (FREAK).
[this is a re-release to adjust rating from low to high, not a new issue]
MitM 1.0.1, 1.0.0, 0.9.8 High Server/Client
CVE-2015-0290 Multiblock corrupted pointer (64bit x86 CPUs that support AES NI instructions) DoS 1.0.2 Moderate Server/Client
CVE-2015-0207 Segmentation fault in DTLSv1_listen DoS 1.0.2 Moderate Server
CVE-2015-0286 Segmentation fault in ASN1_TYPE_cmp DoS 1.0.2, 1.0.1,1.0.0, 0.9.8 Moderate Server/Client
CVE-2015-0208 Segmentation fault for invalid PSS parameters DoS 1.0.2 Moderate Server/Client
CVE-2015-0287 ASN.1 structure reuse memory corruption ? 1.0.2, 1.0.1, 1.0.0, 0.9.8 Moderate neither
CVE-2015-0289 PKCS7 NULL Pointer dereferences ? 1.0.2, 1.0.1, 1.0.0, 0.9.8 Moderate Server/Client
CVE-2015-0292 Base64 decode ? 1.0.1, 1.0.0, 0.9.8 Moderate ?
CVE-2015-0293 DoS via reachable assert in SSLv2 servers DoS 1.0.2, 1.0.1, 1.0.0, 0.9.8 Moderate Server
CVE-2015-1787 Empty CKE with client auth and DHE DoS 1.0.2 Moderate Server
CVE-2015-0285 Handshake with unseeded PRNG confidentiality 1.0.2 Low Client
CVE-2015-0209 Use After Free following d2i_ECPrivatekey error DoS 1.0.2, 1.0.1, 1.0.0, 0.9.8 Low ?
CVE-2015-0288 X509_to_X509_REQ NULL pointer deref DoS 1.0.2, 1.0.1, 1.0.0, 0.9.8 Low ?

 

[1] https://www.openssl.org/news/secadv_20150319.txt

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
8 comment(s)
Diary Archives