Date: Fri, 21 Mar 2003 12:52:34 -0800 (PST)
From: FreeBSD Security Advisories <security-advisories@freebsd.org.>
To: Bugtraq <bugtraq@securityfocus.com.>
Subject: FreeBSD Security Advisory FreeBSD-SA-03:06.openssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
FreeBSD-SA-03:06.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL timing-based SSL/TLS attack
Category: crypto
Module: openssl
Announced: 2003-03-21
Credits: Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
Affects: All FreeBSD versions prior to 4.6-RELEASE-p12,
4.7-RELEASE-p9, 5.0-RELEASE-p6
Corrected: 2003-03-20 21:07:20 UTC (RELENG_4)
2003-03-21 16:12:34 UTC (RELENG_4_7)
2003-03-21 16:12:03 UTC (RELENG_4_6)
2003-03-21 16:13:06 UTC (RELENG_5_0)
FreeBSD only: NO
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL
Project is a collaborative effort to develop a robust, commercial-
grade, full-featured, and Open Source toolkit implementing the Secure
Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography
library.
II. Problem Description
This advisory addresses two separate flaws recently fixed in OpenSSL:
(1) an RSA timing attack, and (2) the Klima-Pokorny-Rosa attack.
- - - From the OpenSSL Project advisories (see references):
(1) Researchers have discovered a timing attack on RSA keys, to which
OpenSSL is generally vulnerable, unless RSA blinding has been
turned on.
(2) Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
have come up with an extension of the "Bleichenbacher attack" on
RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0.
Their attack requires the attacker to open millions of SSL/TLS
connections to the server under attack; the server's behaviour
when faced with specially made-up RSA ciphertexts can reveal
information that in effect allows the attacker to perform a single
RSA private key operation on a ciphertext of its choice using the
server's RSA key. Note that the server's RSA key is not
compromised in this attack.
III. Impact
RSA timing attack:
An RSA private key may be compromised.
Klima-Pokorny-Rosa attack:
A vulnerable server, when faced with specially made-up RSA
ciphertexts, can reveal information that in effect allows the
attacker to perform a single RSA private key operation on a
ciphertext of its choice using the server's RSA key. Note that the
server's RSA key is not compromised in this attack.
IV. Workaround
RSA timing attack:
Disable the use of RSA or enable RSA blinding in OpenSSL using the
RSA_blinding_on() function. The method of adjusting the list of
acceptable ciphersuites varies from application to application. See
the application's documentation for details.
Klima-Pokorny-Rosa attack:
Disable the use of ciphersuites which use PKCS #1 v1.5 padding in SSL
or TLS. The method of adjusting the list of acceptable ciphersuites
varies from application to application. See the application's
documentation for details.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_4_7
(4.7-RELEASE-p9), RELENG_4_6 (4.6-RELEASE-p12), or RELENG_5_0
(5.0-RELEASE-p6) security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.6, 4.7,
and 5.0 systems which have already been patched for the issues resolved
in FreeBSD-SA-03:02.openssl.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:06/openssl.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:06/openssl.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system as described in
<URL: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html >.
Note that any statically linked applications that are not part of the
base system (i.e. from the Ports Collection or other 3rd-party sources)
must be recompiled.
All affected applications must be restarted for them to use the
corrected library. Though not required, rebooting may be the easiest
way to accomplish this.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch Revision
Patch
- -------------------------------------------------------------------------
RELENG_4
src/crypto/openssl/crypto/rsa/rsa_eay.c 1.2.4.6
src/crypto/openssl/crypto/rsa/rsa_lib.c 1.2.2.7
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.1.2.7
RELENG_4_6
src/UPDATING 1.73.2.68.2.39
src/crypto/openssl/crypto/rsa/rsa_eay.c 1.2.4.2.6.3
src/crypto/openssl/crypto/rsa/rsa_lib.c 1.2.2.3.6.2
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.1.2.3.6.3
src/sys/conf/newvers.sh 1.44.2.23.2.29
RELENG_4_7
src/UPDATING 1.73.2.74.2.11
src/crypto/openssl/crypto/rsa/rsa_eay.c 1.2.4.3.2.2
src/crypto/openssl/crypto/rsa/rsa_lib.c 1.2.2.4.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.1.2.5.2.1
src/sys/conf/newvers.sh 1.44.2.26.2.11
RELENG_5_0
src/UPDATING 1.229.2.11
src/crypto/openssl/crypto/rsa/rsa_eay.c 1.8.2.2
src/crypto/openssl/crypto/rsa/rsa_lib.c 1.6.2.2
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.9.2.2
src/sys/conf/newvers.sh 1.6.2.2
- -------------------------------------------------------------------------
VII. References
<URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131 >
<URL: http://eprint.iacr.org/2003/052/ >
<URL: http://www.openssl.org/news/secadv_20030317.txt >
<URL: http://www.openssl.org/news/secadv_20030319.txt >
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (FreeBSD)
Comment: FreeBSD: The Power To Serve
iD8DBQE+e3s9FdaIBMps37IRAufUAKCTht2X617uI3AB8G/RnRLNvmuFUwCffDNW
wMVBJ2SE2dSq6JcNdCFT9jA=
=PBbA
-----END PGP SIGNATURE-----