
SANS ISC: Updates to OpenSSL fix vulnerabilities related to Logjam - SANS Internet Storm Center

Updates to OpenSSL fix vulnerabilities related to Logjam

An OpenSSL security advisory was issued earlier today, Thursday 2015-06-11 [1].  According to the advisory, users should upgrade OpenSSL to fix vulnerabilities that could be exploited by a Logjam attack [2].

The issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

  • OpenSSL 1.0.2 users should upgrade to 1.0.2b
  • OpenSSL 1.0.1 users should upgrade to 1.0.1n
  • OpenSSL 1.0.0 users should upgrade to 1.0.0s
  • OpenSSL 0.9.8 users should upgrade to 0.9.8zg

Related vulnerabilities from the announcement:

Of note, support for OpenSSL versions 1.0.0 and 0.9.8 will cease at the end of the year on 2015-12-31.  No security updates for 1.0.0 and 0.9.8 will be provided after that.  Users are advised to upgrade to the latest versions of 1.0.1 or 1.0.2.

References:

[1] http://openssl.org/news/secadv_20150611.txt
[2] https://weakdh.org/

Brad

ISC Handler
This improves, but does not fix the client side as it sets the minimum size DH group to 768 for clients rather than 1024 or 2048.

Here the logic was modified to require a minimum size DH group of 1024, patch below.

One must still generate proper 2048 bit or larger custom DH groups for servers per the instructions at https://weakdh.org/sysadmin.html


--- ssl/s3_clnt.c.ar 2015-06-11 09:50:11.000000000 -0400
+++ ssl/s3_clnt.c 2015-06-11 11:44:59.000000000 -0400
@@ -3558,12 +3558,11 @@
goto f_err;
dh_size = BN_num_bits(dh_srvr->p);
DH_free(dh_srvr);
}

- if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
- || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
+ if (dh_size < 1024) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
goto f_err;
}
}
#endif /* !OPENSSL_NO_DH */
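Review bot: the new `if (dh_size < 1024)` drops the `SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)` branch, so export ciphersuites, which the removed lines allowed down to 512 bits, now always fail here with SSL_R_DH_KEY_TOO_SMALL; that is a defensible outcome for Logjam, but the description above should say so rather than leave it implicit. Also, 1024 is a bare literal exactly where the removed code had 768 and 512 the same way; a single named constant for the client minimum would make the policy easier to find and to raise later.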
Starlight

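The check the patch above tightens is `dh_size = BN_num_bits(dh_srvr->p)` compared against a minimum. As an added example (not code from the comment or from OpenSSL), the script below parses the ServerDHParams body of a DHE ServerKeyExchange, derives dh_size the same way, and classifies it against the three sizes named in this thread: 768 (old client minimum), 1024 (patched minimum) and 2048 (weakdh.org's server recommendation); the sample bytes are constructed, not a real capture.

```python
import struct

# Thresholds named in this thread: 768 was the old OpenSSL client minimum,
# 1024 the patched minimum, 2048 the weakdh.org recommendation for servers.
OLD_CLIENT_MIN, PATCHED_CLIENT_MIN, RECOMMENDED_MIN = 768, 1024, 2048


def parse_server_dh_params(body):
    """Split a ServerDHParams body (RFC 5246 7.4.3: dh_p, dh_g, dh_Ys, each a
    2-byte-length-prefixed opaque vector) into big-endian integers."""
    values, off = {}, 0
    for name in ("p", "g", "Ys"):
        if off + 2 > len(body):
            raise ValueError("truncated before length of " + name)
        (length,) = struct.unpack_from("!H", body, off)
        off += 2
        if length == 0 or off + length > len(body):
            raise ValueError("bad length %d for %s" % (length, name))
        values[name] = int.from_bytes(body[off:off + length], "big")
        off += length
    return values


def classify(body):
    """Return (dh_size, verdict). dh_size mirrors BN_num_bits(dh_srvr->p):
    leading zero bytes on the wire do not add to the group size."""
    bits = parse_server_dh_params(body)["p"].bit_length()
    if bits < OLD_CLIENT_MIN:
        verdict = "rejected even by unpatched OpenSSL clients"
    elif bits < PATCHED_CLIENT_MIN:
        verdict = "accepted before the fix, rejected by the 1024-bit minimum"
    elif bits < RECOMMENDED_MIN:
        verdict = "passes the 1024-bit check but below the 2048-bit recommendation"
    else:
        verdict = "meets the 2048-bit recommendation"
    return bits, verdict


def encode_server_dh_params(p, g, ys):
    """Build a ServerDHParams body from integers (constructed test data only)."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


if __name__ == "__main__":
    # Constructed sample: p sized at 768 bits (not a real prime), g=2, dummy Ys.
    print(classify(encode_server_dh_params((1 << 767) | 1, 2, 0x1234)))
```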
This SSL change, pushed out by Ubuntu for 12.04 LTS, breaks the Security Onion.
https://groups.google.com/forum/#!topic/security-onion/E7HdGGUuq6c
Anonymous
Looks like they quickly up-revved to 1.0.2c
12-Jun-2015: New releases to resolve ABI compatibility problems
Anonymous