SANS ISC: OpenSSL Patch Released - SANS Internet Storm Center

OpenSSL Patch Released

As pre-announced, OpenSSL today released an update fixing 14 security flaws [1]. The good news: the only "high" vulnerability is present in the recently released version 1.0.2, which as far as I know is not yet used in any major operating system. But many of the "medium" vulnerabilities do have code execution potential (e.g. "memory corruption" issues), so do not delay patching too much. To answer your boss's first question: "No. This is not as bad as Heartbleed".

This update affects all versions of OpenSSL back to 0.9.8. See the table below for exact version numbers.

| Major Version | Last Vulnerable | Patched | Max. Severity | OS/Linux Distro Affected |
|---|---|---|---|---|
| 1.0.2 | 1.0.2 | 1.0.2a | high | |
| 1.0.1 | 1.0.1l | 1.0.1m | moderate | Ubuntu 14, CentOS 6, RHEL 6, RHEL 7, OS X 10.10 |
| 1.0.0 (End of Life Dec 2015) | 1.0.0q | 1.0.0r | moderate | Ubuntu 12 |
| 0.9.8 (End of Life Dec 2015) | 0.9.8ze | 0.9.8zf | moderate | CentOS 5, RHEL 5 |

(The list of operating systems / Linux distributions attempts to capture major versions and is not complete.)
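As an added example (not from the diary or the OpenSSL project), a small Python check that parses the output of `openssl version` and compares it against the patched versions in the table above; the `FIXED` table and the letter-suffix ordering are assumptions built from that table. One caveat: distributions such as RHEL and CentOS backport fixes without changing the upstream version string, so for those the package changelog, not this check, is authoritative.

```python
import re
from typing import Optional, Tuple

# Fixed versions per release branch, taken from the table above (first version
# carrying the 19 March 2015 fixes). Branches not listed here are not covered.
FIXED = {
    (1, 0, 2): "1.0.2a",
    (1, 0, 1): "1.0.1m",
    (1, 0, 0): "1.0.0r",
    (0, 9, 8): "0.9.8zf",
}

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def suffix_ordinal(suffix: str) -> int:
    """Rank OpenSSL letter suffixes: '' < 'a' < ... < 'y' < 'z' < 'za' < 'zb' ...
    Each character adds its alphabet position, so 'l' = 12, 'ze' = 31, 'zf' = 32.
    (Assumed ordering; it matches every version string in the advisory table.)"""
    return sum(ord(c) - ord("a") + 1 for c in suffix)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '1.0.1l' or `openssl version` output ('OpenSSL 1.0.1l 15 Jan 2015')
    into a comparable tuple (major, minor, fix, suffix rank)."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, suffix = m.groups()
    return (int(major), int(minor), int(fix), suffix_ordinal(suffix))


def needs_update(text: str) -> Optional[str]:
    """Return the version the installation should move to, or None if it is
    already at or above the fixed version for its branch. Raises KeyError for a
    branch the table does not cover (e.g. 0.9.7), rather than guessing."""
    installed = parse_version(text)
    fixed = FIXED[installed[:3]]
    return fixed if installed < parse_version(fixed) else None


if __name__ == "__main__":
    # Check the openssl binary on PATH; a distro build may have backported fixes.
    import subprocess
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    fix = needs_update(out)
    print(f"{out.strip()}: {'update to ' + fix if fix else 'at/above fixed version'}")
```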

Summary of vulnerabilities

For many of the announcements, the impact is not clearly stated. Also note that some vulnerabilities only apply to stand-alone scripts (e.g. during signing / encrypting files or verifying certificates loaded from files) and not to network clients or servers.

| CVE | Description | Impact | OpenSSL Versions Affected | Rating | Server/Client |
|---|---|---|---|---|---|
| CVE-2015-0291 | ClientHello sigalgs DoS | DoS | 1.0.2 | High | Server |
| CVE-2015-0204 | RSA silently downgrades to EXPORT_RSA (FREAK). [this is a re-release to adjust rating from low to high, not a new issue] | MitM | 1.0.1, 1.0.0, 0.9.8 | High | Server/Client |
| CVE-2015-0290 | Multiblock corrupted pointer (64-bit x86 CPUs that support AES-NI instructions) | DoS | 1.0.2 | Moderate | Server/Client |
| CVE-2015-0207 | Segmentation fault in DTLSv1_listen | DoS | 1.0.2 | Moderate | Server |
| CVE-2015-0286 | Segmentation fault in ASN1_TYPE_cmp | DoS | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Moderate | Server/Client |
| CVE-2015-0208 | Segmentation fault for invalid PSS parameters | DoS | 1.0.2 | Moderate | Server/Client |
| CVE-2015-0287 | ASN.1 structure reuse memory corruption | ? | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Moderate | neither |
| CVE-2015-0289 | PKCS7 NULL pointer dereferences | ? | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Moderate | Server/Client |
| CVE-2015-0292 | Base64 decode | ? | 1.0.1, 1.0.0, 0.9.8 | Moderate | ? |
| CVE-2015-0293 | DoS via reachable assert in SSLv2 servers | DoS | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Moderate | Server |
| CVE-2015-1787 | Empty CKE with client auth and DHE | DoS | 1.0.2 | Moderate | Server |
| CVE-2015-0285 | Handshake with unseeded PRNG | confidentiality | 1.0.2 | Low | Client |
| CVE-2015-0209 | Use After Free following d2i_ECPrivatekey error | DoS | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Low | ? |
| CVE-2015-0288 | X509_to_X509_REQ NULL pointer deref | DoS | 1.0.2, 1.0.1, 1.0.0, 0.9.8 | Low | ? |

[1] https://www.openssl.org/news/secadv_20150319.txt

---
Johannes B. Ullrich, Ph.D.

CVE-2015-0204 is also classified as "High" and affects 1.0.1, 1.0.0 and 0.9.8
beamer

We're all in the midst of doing these M$ batch-of-patches for March that gets us to use TLS, so I'm missing something here: why am I still caring about SSL updates?
:-|
.
PC.Tech

Because of this:

Welcome to the OpenSSL Project
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

quoted directly from http://openssl.org/
CyberShanks-old....

OpenSSL also provides support for TLS, I know, confusing :)
beamer

If CVE-2015-0204 is now classified as High, should the top table also indicate High as the Max. Severity?
beamer
Quoting PC.Tech: We're all in the midst of doing these M$ batch-of-patches for March that gets us to use TLS, so I'm missing something here: why am I still caring about SSL updates?
:-|
.


OpenSSL is a library that implements SSL as well as TLS. So don't let the name fool you.
Johannes

ISC Handler
Recommended reads:

- https://www.ssllabs.com/

- https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/03/03/top-10-vulnerabilities--february-2015

... I get the feeling the process/changeover/implementation has a -long- way to go.

:-|

.
PC.Tech

Question: is 0.9.7 vulnerable?
(and yes I understand that it is EOS)
PC.Tech