[NEWS] OpenSSL ASN.1 Parsing Vulnerabilities


From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 1 Oct 2006 10:35:09 +0200
Subject: [NEWS] OpenSSL ASN.1 Parsing Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com




  OpenSSL ASN.1 Parsing Vulnerabilities
------------------------------------------------------------------------


SUMMARY

The OpenSSL project team is pleased to announce the release of version 
0.9.8d of our open source toolkit for SSL/TLS. This new OpenSSL version is 
a security and bugfix release and incorporates changes and bugfixes to the 
toolkit.  We also release 0.9.7l, which contains the security update and 
bugfixes compared to 0.9.7k.

DETAILS

Dr. S. N. Henson recently developed an ASN.1 test suite for NISCC. When 
the test suite was run against OpenSSL two denial of service 
vulnerabilities were discovered:

1. During the parsing of certain invalid ASN.1 structures an error 
condition is mishandled. This can result in an infinite loop which 
consumes system memory (CVE-2006-2937). (This issue did not affect OpenSSL 
versions prior to 0.9.7)

2. Certain types of public key can take disproportionate amounts of time 
to process. This could be used by an attacker in a denial of service 
attack (CVE-2006-2940).

Any code which uses OpenSSL to parse ASN.1 data from untrusted sources is 
affected. This includes SSL servers which enable client authentication and 
S/MIME applications.

SSL_get_shared_ciphers() buffer overflow (CVE-2006-3738)
A buffer overflow was discovered in the SSL_get_shared_ciphers() utility 
function. An attacker could send a list of ciphers to an
application that uses this function and overrun a buffer (CVE-2006-3738).

Acknowledgements:
The OpenSSL team thank Tavis Ormandy and Will Drewry of the Google 
Security Team for reporting this issue.

SSLv2 Client Crash (CVE-2006-4343)
A flaw in the SSLv2 client code was discovered. When a client application 
used OpenSSL to create an SSLv2 connection to a malicious server, that 
server could cause the client to crash (CVE-2006-4343).

Acknowledgements:
The OpenSSL team thank Tavis Ormandy and Will Drewry of the Google 
Security Team for reporting this issue.

Recommendations:
These vulnerabilities are resolved in the following versions of OpenSSL:
 - in the 0.9.7 branch, version 0.9.7l (or later);
 - in the 0.9.8 branch, version 0.9.8d (or later).

OpenSSL 0.9.8d and OpenSSL 0.9.7l are available for download via HTTP and 
FTP from the following master locations (you can find the various FTP 
mirrors under http://www.openssl.org/source/mirror.html):
 o http://www.openssl.org/source/
 o ftp://ftp.openssl.org/source/

The distribution file names are:
 o openssl-0.9.8d.tar.gz
 MD5 checksum: 8ed1853538e1d05a1f5ada61ebf8bffa
 SHA1 checksum: 4136fba00303a3d319d2052bfa8e1f09a2e12fc2

 o openssl-0.9.7l.tar.gz
 MD5 checksum: b21d6e10817ddeccf5fbe1379987333e
 SHA1 checksum: f0e4136639b10cbd1227c4f7350ff7ad406e575d

The checksums were calculated using the following commands:
    openssl md5 openssl-0.9*.tar.gz
    openssl sha1 openssl-0.9*.tar.gz

After upgrading make sure to recompile any applications statically linked 
to OpenSSL libraries and restart all applications that use
OpenSSL.
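
A version check based on the Recommendations above, as an added example that is not part of the advisory or OpenSSL's own code. The function name classify_openssl and the sample inputs are assumptions made for illustration, and the check relies on OpenSSL's letter-suffix release naming.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the fixed
# releases named in the advisory (0.9.7l and 0.9.8d).
LC_ALL=C; export LC_ALL   # keep the [a-k] style ranges byte-ordered

# Prints "fixed", "vulnerable" (predates the fixed release of its branch)
# or "unknown" (branch or suffix the advisory says nothing about).
classify_openssl() {
    ver=$1
    # Accept a whole `openssl version` line as well as a bare version.
    case $ver in
        OpenSSL\ *) ver=${ver#OpenSSL }; ver=${ver%% *} ;;
    esac
    # Letter suffixes that sort before the fixed release of each branch.
    case $ver in
        0.9.7*) branch=0.9.7; older='[a-k]' ;;
        0.9.8*) branch=0.9.8; older='[a-c]' ;;
        *) echo unknown; return 0 ;;
    esac
    suffix=${ver#"$branch"}
    case $suffix in
        ''|$older)     echo vulnerable ;;  # base release or earlier letter
        [a-z]|z[a-z])  echo fixed ;;       # l/d or later, incl. za, zb, ...
        *)             echo unknown ;;     # e.g. -beta1, vendor suffixes
    esac
}

# Constructed sample inputs (not taken from the advisory).
for sample in "OpenSSL 0.9.8c 05 Sep 2006" 0.9.8d 0.9.7k 0.9.7l 0.9.6m; do
    printf '%-28s %s\n' "$sample" "$(classify_openssl "$sample")"
done
```

Distribution packages often backport security fixes without changing the upstream version string, so a "vulnerable" result for a vendor build should be checked against the vendor's own advisory.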


ADDITIONAL INFORMATION

The information has been provided by Mark J Cox <mark@awe.com>.
The original article can be found at:
http://www.openssl.org/news/secadv_20060928.txt



