[arch-security] [ASA-201501-2] openssl: multiple issues

Levente Polyak anthraxx at archlinux.org
Fri Jan 9 20:39:00 UTC 2015


Arch Linux Security Advisory ASA-201501-2
=========================================

Severity: High
Date    : 2015-01-09
CVE-ID  : CVE-2014-3571 CVE-2015-0206 CVE-2014-3569 CVE-2014-3572
          CVE-2015-0204 CVE-2015-0205 CVE-2014-8275 CVE-2014-3570
Package : openssl
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package openssl before version 1.0.1.k-1 is vulnerable to multiple
issues, including but not limited to denial of service, cipher
downgrade, certificate verification bypass and certificate fingerprint
modification.

Resolution
==========

Upgrade to 1.0.1.k-1.

# pacman -Syu "openssl>=1.0.1.k-1"

The problems have been fixed upstream in version 1.0.1.k.

Workaround
==========

None.

Description
===========

- CVE-2014-3571 (denial of service)
A remote attacker is able to cause a denial of service (NULL pointer
dereference and application crash) via a crafted DTLS message that is
processed with a different read operation for the handshake header than
for the handshake body, related to the dtls1_get_record function in
d1_pkt.c and the ssl3_read_n function in s3_pkt.c.

- CVE-2015-0206 (denial of service)
A memory leak can occur in the dtls1_buffer_record function under
certain conditions. In particular this could occur if an attacker sent
repeated DTLS records with the same sequence number but for the next
epoch. The memory leak could be exploited by an attacker in a denial of
service attack through memory exhaustion.

- CVE-2014-3569 (denial of service)
The ssl23_get_client_hello function in s23_srvr.c does not properly
handle attempts to use unsupported protocols, which allows remote
attackers to cause a denial of service (NULL pointer dereference and
daemon crash) via an unexpected handshake, as demonstrated by an SSLv3
handshake to a no-ssl3 application with certain error handling.

- CVE-2014-3572 (cipher downgrade)
An OpenSSL client will accept a handshake using an ephemeral ECDH
ciphersuite using an ECDSA certificate if the server key exchange
message is omitted. This effectively removes forward secrecy from the
ciphersuite.

- CVE-2015-0204 (cipher downgrade)
The ssl3_get_key_exchange function in s3_clnt.c allows remote SSL
servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate
brute-force decryption by offering a weak ephemeral RSA key in a
noncompliant role.

- CVE-2015-0205 (certificate verification bypass)
An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. This effectively allows a client
to authenticate without the use of a private key. This only affects
servers which trust a client certificate authority which issues
certificates containing DH keys.

- CVE-2014-8275 (certificate fingerprint modification)
OpenSSL accepts several non-DER variations of the certificate signature
algorithm and signature encodings. OpenSSL also does not enforce that
the signature algorithm in the signed portion of the certificate matches
the one in the unsigned portion. By modifying the contents of the
signature algorithm or the encoding of the signature, it is possible to
change the certificate's fingerprint.
This does not allow an attacker to forge certificates, and does not
affect certificate verification or OpenSSL servers/clients in any other
way. It also does not affect common revocation mechanisms. Only custom
applications that rely on the uniqueness of the fingerprint (e.g.
certificate blacklists) may be affected.
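The blacklist caveat above, as an added example that is not part of the advisory or of OpenSSL: two constructed toy certificates whose outer signatureAlgorithm differs only in whether the NULL parameter is present have different whole-certificate fingerprints but an identical tbsCertificate hash, so a blacklist keyed on the signed portion is not evaded by such re-encoding. The DER helpers, the OID constant and the blacklist functions are assumptions of this example.

```python
import hashlib

OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def der(tag, content):
    """Encode one short-form DER TLV (toy certificates stay under 128 bytes)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def der_read_tlv(buf, pos=0):
    """Parse the TLV at buf[pos]; return (tag, value, position after it).
    Short- and long-form lengths are handled; children are not descended."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def tbs_certificate(cert_der):
    """Return the DER of the first element of the outer SEQUENCE, i.e.
    tbsCertificate, the only part the CA's signature actually covers."""
    tag, body, _ = der_read_tlv(cert_der)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    _, _, end = der_read_tlv(body)
    return body[:end]

def fingerprint(cert_der):
    """Classic fingerprint: SHA-256 over the whole certificate encoding."""
    return hashlib.sha256(cert_der).hexdigest()

def signed_part_hash(cert_der):
    """Alternative blacklist key: SHA-256 over tbsCertificate only."""
    return hashlib.sha256(tbs_certificate(cert_der)).hexdigest()

def is_blacklisted(cert_der, blacklist, key):
    return key(cert_der) in blacklist

# Constructed toy certificate: tbsCertificate, signatureAlgorithm, signature.
TBS = der(0x30, der(0x02, b"\x01") + der(0x13, b"toy-subject"))
SIG = der(0x03, b"\x00" + b"\xde\xad\xbe\xef")          # placeholder bit string
ALG_DER = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))  # NULL params
ALG_VARIANT = der(0x30, der(0x06, OID_SHA256_RSA))                # NULL omitted
CERT = der(0x30, TBS + ALG_DER + SIG)
CERT_REENCODED = der(0x30, TBS + ALG_VARIANT + SIG)

if __name__ == "__main__":
    print("fingerprint differs:", fingerprint(CERT) != fingerprint(CERT_REENCODED))
    print("signed part same:   ", signed_part_hash(CERT) == signed_part_hash(CERT_REENCODED))
```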

- CVE-2014-3570 (bignum squaring error)
The BN_sqr implementation does not properly calculate the square of a
BIGNUM value, which might make it easier for remote attackers to defeat
cryptographic protection mechanisms via unspecified vectors, related to
crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.

Impact
======

A remote attacker is able to perform denial of service attacks,
downgrade the cipher (effectively removing forward secrecy) or bypass
certificate blacklists via various vectors.

References
==========

https://www.openssl.org/news/secadv_20150108.txt
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3571
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0206
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3569
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3572
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0205
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8275
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3570
