Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Updates to OpenSSL fix vulnerabilities related to Logjam

An OpenSSL security advisory issued earlier today on Thursday 2015-06-11 [1].  According to the advisory users should upgrade OpenSSL to fix vulnerabliities that could be exploited by a Logjam attack [2].

The issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

  • OpenSSL 1.0.2 users should upgrade to 1.0.2b
  • OpenSSL 1.0.1 users should upgrade to 1.0.1n
  • OpenSSL 1.0.0 users should upgrade to 1.0.0s
  • OpenSSL 0.9.8 users should upgrade to 0.9.8zg

Related vulnerabilities from the announcement:

Of note, support for OpenSSL versions 1.0.0 and 0.9.8 will cease at the end of the year on 2015-12-31.  No security updates for 1.0.0 and 0.9.8 will be provided after that.  Users are advised to upgrade to the latest versions of 1.0.1 or 1.0.2.

References:

[1] http://openssl.org/news/secadv_20150611.txt
[2] https://weakdh.org/

 Brad

423 Posts
ISC Handler
Jun 12th 2015
Thread locked Subscribe Jun 12th 2015
6 years ago
This improves, but does not fix the
client side as it sets the minimum
size DH group to 768 for clients
rather than 1024 or 2048.

Here the logic was modified to require
a minimum size DH group of 1024, patch
below.

One must still generate proper 2048 bit
or larger custom DH groups for servers
per the instructions at
https://weakdh.org/sysadmin.html


--- ssl/s3_clnt.c.ar 2015-06-11 09:50:11.000000000 -0400
+++ ssl/s3_clnt.c 2015-06-11 11:44:59.000000000 -0400
@@ -3558,12 +3558,11 @@
goto f_err;
dh_size = BN_num_bits(dh_srvr->p);
DH_free(dh_srvr);
}

- if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
- || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
+ if (dh_size < 1024) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
goto f_err;
}
}
#endif /* !OPENSSL_NO_DH */
 Starlight

34 Posts
Quote Jun 11th 2015
6 years ago
This SSL change, pushed out by Ubuntu for 12.04 LTS breaks the Security Onion.
https://groups.google.com/forum/#!topic/security-onion/E7HdGGUuq6c
 Anonymous
Quote Jun 12th 2015
6 years ago
Looks like they quickly up-revved to 1.0.2c
12-Jun-2015: New releases to resolve ABI compatibility problems
 Anonymous
Quote Jun 14th 2015
6 years ago

Sign Up for Free or Log In to start participating in the conversation!