Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - Critical OpenSSL Patch Available. Patch Now! InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Critical OpenSSL Patch Available. Patch Now!

Published: 2014-06-05
Last Updated: 2014-06-05 21:08:24 UTC
by Johannes Ullrich (Version: 2)
11 comment(s)

[Webcast Correction] Important correction to the webcast. The MITM attack does not just affect DTLS. It does affect TLS (TCP) as well. 

Quick Q&A Summary from the webcast:

- The MITM vulnerablity only affects servers that run OpenSSL 1.0.1 but all clients. Both have to be vulnerable to exploit this problem.
- The MITM vulnerability is not just DTLS (sorry, had that wrong during the webcast)
- Common DTLS applications: Video/Voice over IP, LDAP, SNMPv3, WebRTC
??- Web servers (https) can not use DTLS.
- OpenVPN's "auth-tls" feature will likely mitigate all these vulnerabilities
- Even if you use "commercial software", it may still use OpenSSL.
 

---------

The OpenSSL team released a critical security update today. The update patches 6 flaws. 1 of the flaws (CVE-2014-0195) may lead to arbitrary code execution. [1]

All versions of OpenSSL are vulnerable to CVE-2014-0195, but this vulnerability only affects DTLS clients or servers (look for SSL VPNs... not so much HTTPS).

I also rated CVE-2014-0224 critical, since it does allow for MiTM attacks, one of the reasons you use SSL. But in order to exploit this issue, both client and server have to be vulnerable, and only openssl 1.0.1 is vulnerable on servers (which is why I stuck with "important" for servers). The discoverer of this vulnerability released details here: http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html .

CVE-2010-5298 does allow third parties to inject data into existing SSL connections. This could be a big deal, but according to the OpenSSL advisory, the SSL_MODE_RELEASE_BUFFERS feature is usually not enabled. 

Make sure you update to one of these OpenSSL versions:

OpenSSL 0.9.8za   (openssl ran out of letters, so instead of calling this one 'z' they call it 'za' to allow for future releases. However, this *may* be the last 0.9.8 release).
OpenSSL 1.0.0m
OpenSSL 1.0.1h

CVE Name Impact Vulnerable Versions Client Server
CVE-2014-0224 SSL/TLS MITM Vulnerability MiTM Server: 1.0.1, Client: 0.9.8,1.0.0,1.0.1 (both have to be vulnerable) Critical Important
CVE-2014-0221 DTLS recursion flaw DoS 0.9.8,1.0.0,1.0.1 Important Not Affected
CVE-2014-0195 DTLS invalid fragment vulnerability Code Exec. 0.9.8,1.0.0,1.0.1 Critical Critical
CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference DoS 1.0.0,1.0.1
(neither affected in default config)
Important Important
CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection DoS or Data Injection 1.0.0, 1.0.1
(in multithreaded applications, not in default config)
Important Important
CVE-2014-3470 Anonymous ECDH Denial of Service DoS 0.9.8, 1.0.0, 1.0.1 Important Not Affected

Vendor Information:

Redhat https://rhn.redhat.com/errata/RHSA-2014-0625.html
https://rhn.redhat.com/errata/RHSA-2014-0626.html
Ubuntu http://www.ubuntu.com/usn/usn-2232-1/
FreeBSD http://www.freebsd.org/security/advisories/FreeBSD-SA-14:14.openssl.asc
Debian http://www.debian.org/security/2014/dsa-2950
OpenSuse http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00003.html
Amazon AWS http://aws.amazon.com/security/security-bulletins/openssl-security-advisory/

[1] https://www.openssl.org/news/secadv_20140605.txt

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: openssl
11 comment(s)
Diary Archives