[arch-security] [ASA-201609-23] openssl: multiple issues
anthraxx at archlinux.org
Mon Sep 26 20:15:39 UTC 2016
Arch Linux Security Advisory ASA-201609-23
Date : 2016-09-26
CVE-ID : CVE-2016-6304 CVE-2016-2178 CVE-2016-2177 CVE-2016-2183
CVE-2016-2182 CVE-2016-6303 CVE-2016-2179 CVE-2016-2180
CVE-2016-2181 CVE-2016-6302 CVE-2016-6306
Package : openssl
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package openssl before version 1.0.2.i-1 is vulnerable to multiple
issues including denial of service, private key recovery, information
disclosure and arbitrary code execution.
Upgrade to 1.0.2.i-1.
# pacman -Syu "openssl>=1.0.2.i-1"
The problems have been fixed upstream in version 1.0.2.i.
- CVE-2016-6304 (denial of service)
A malicious client can send an excessively large OCSP Status Request
extension. If that client continually requests renegotiation, sending a
large OCSP Status Request extension each time, then there will be
unbounded memory growth on the server. This will eventually lead to a
Denial Of Service attack through memory exhaustion. Servers with a
default configuration are vulnerable even if they do not support OCSP.
Builds using the "no-ocsp" build time option are not affected.
- CVE-2016-2178 (private key recovery)
Operations in the DSA signing algorithm should run in constant time in
order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.
- CVE-2016-2177 (denial of service)
OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-
buffer boundary checks, which might allow remote attackers to cause a
denial of service (integer overflow and application crash) or possibly
have unspecified other impact by leveraging unexpected malloc behavior,
related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
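The boundary-check pattern behind CVE-2016-2177, as an added example that is not part of the advisory or of OpenSSL's code. The pointer-sum comparison is modelled with integer addresses, and the hardened comparison is used in a hypothetical length-prefixed field parser; all function names, the record bytes and the addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flawed pattern: pointer plus untrusted length compared with the buffer end.
 * Real pointer overflow is undefined behaviour, so addresses are modelled as
 * integers here to make the wraparound observable. */
static int fits_pointer_sum(uintptr_t p, uintptr_t end, size_t len)
{
    return !(p + (uintptr_t)len > end);
}

/* Hardened pattern: compare the length with the bytes remaining. end - p
 * cannot overflow while the invariant p <= end holds. */
static int fits_remaining(const unsigned char *p, const unsigned char *end,
                          size_t len)
{
    return len <= (size_t)(end - p);
}

/* Hypothetical parser for one field with a 2-byte big-endian length prefix.
 * Returns 1 and advances *pp on success; returns 0 if the field does not fit. */
static int read_u16_field(const unsigned char **pp, const unsigned char *end,
                          const unsigned char **data, size_t *len)
{
    const unsigned char *p = *pp;
    if (!fits_remaining(p, end, 2))
        return 0;
    *len = ((size_t)p[0] << 8) | p[1];
    if (!fits_remaining(p + 2, end, *len))
        return 0;
    *data = p + 2;
    *pp = p + 2 + *len;
    return 1;
}

int main(void)
{
    /* Constructed record: a 3-byte field, then a field claiming 0xffff bytes. */
    static const unsigned char rec[] = { 0, 3, 'a', 'b', 'c', 0xff, 0xff, 'x' };
    const unsigned char *p = rec, *d;
    size_t n;
    while (read_u16_field(&p, rec + sizeof(rec), &d, &n))
        printf("field of %zu bytes at offset %td\n", n, d - rec);
    /* Constructed addresses: a 4-byte buffer 16 bytes below the top of memory. */
    printf("pointer-sum check accepts len 32: %d\n",
           fits_pointer_sum(UINTPTR_MAX - 15, UINTPTR_MAX - 11, 32));
    return 0;
}
```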
- CVE-2016-2183 (information disclosure)
SWEET32 (https://sweet32.info) is an attack on older block cipher
algorithms that use a block size of 64 bits. In mitigation for the
SWEET32 attack DES based ciphersuites have been moved from the HIGH
cipherstring group to MEDIUM.
- CVE-2016-2182 (arbitrary code execution)
The function BN_bn2dec() does not check the return value of
BN_div_word(). This can cause an OOB write if an application uses this
function with an overly large BIGNUM. This could be a problem if an
overly large certificate or CRL is printed out from an untrusted
source. TLS is not affected because record limits will reject an
oversized certificate before it is parsed.
- CVE-2016-6303 (arbitrary code execution)
An overflow can occur in MDC2_Update() either if called directly or
through the EVP_DigestUpdate() function using MDC2. If an attacker is
able to supply very large amounts of input data after a previous call to
EVP_EncryptUpdate() with a partial block then a length check can
overflow resulting in a heap corruption.
The amount of data needed is comparable to SIZE_MAX which is
impractical on most platforms.
- CVE-2016-2179 (denial of service)
In a DTLS connection where handshake messages are delivered out-of-
order those messages that OpenSSL is not yet ready to process will be
buffered for later use. Under certain circumstances, a flaw in the
logic means that those messages do not get removed from the buffer even
though the handshake has been completed.
An attacker could force up to approx. 15 messages to remain in the
buffer when they are no longer required. These messages will be cleared
when the DTLS connection is closed. The default maximum size for a
message is 100k. Therefore the attacker could force an additional 1500k
to be consumed per connection. By opening many simultaneous
connections an attacker could cause a DoS attack through memory
- CVE-2016-2180 (denial of service)
The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value
is the total length the OID text representation would use and not the
amount of data written. This will result in OOB reads when large OIDs
- CVE-2016-2181 (denial of service)
A flaw in the DTLS replay attack protection mechanism means that
records that arrive for future epochs update the replay protection
"window" before the MAC for the record has been validated. This could
be exploited by an attacker by sending a record for the next epoch
(which does not have to decrypt or have a valid MAC), with a very large
sequence number. This means that all subsequent legitimate packets are
dropped causing a denial of service for a specific DTLS connection.
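A simplified model of the ordering flaw in CVE-2016-2181, added here as an illustration and not taken from OpenSSL. A single 64-entry window stands in for the per-epoch DTLS state and the mac_ok argument stands in for MAC verification; all names and the traffic are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified 64-entry anti-replay window (a model, not OpenSSL's own code). */
struct window { uint64_t max_seq, bitmap; };  /* bit i: max_seq - i was seen */

static int replay_check(const struct window *w, uint64_t seq)
{
    if (seq > w->max_seq)
        return 1;                          /* ahead of the window */
    return w->max_seq - seq < 64 &&        /* not too old to track */
           !((w->bitmap >> (w->max_seq - seq)) & 1);
}

static void replay_update(struct window *w, uint64_t seq)
{
    uint64_t shift = seq > w->max_seq ? seq - w->max_seq : 0;
    w->bitmap = shift >= 64 ? 0 : w->bitmap << shift;  /* slide forward */
    w->max_seq += shift;
    w->bitmap |= (uint64_t)1 << (w->max_seq - seq);     /* mark seq as seen */
}

/* mac_ok: MAC verification result. flawed: move the window before using it. */
static int accept_record(struct window *w, uint64_t seq, int mac_ok, int flawed)
{
    if (!replay_check(w, seq))
        return 0;
    if (flawed || mac_ok)
        replay_update(w, seq);
    return mac_ok;
}

/* Constructed traffic: 1..3, one forged record, then 4..6; counts passed 4..6. */
static int legit_passed(int flawed)
{
    struct window w = { 0, 0 };
    int passed = 0;
    for (uint64_t s = 1; s <= 3; s++)
        accept_record(&w, s, 1, flawed);
    accept_record(&w, UINT64_MAX / 2, 0, flawed);  /* huge seq, invalid MAC */
    for (uint64_t s = 4; s <= 6; s++)
        passed += accept_record(&w, s, 1, flawed);
    return passed;
}

int main(void)
{
    printf("flawed %d/3, hardened %d/3\n", legit_passed(1), legit_passed(0));
    return 0;
}
```

With the window updated only after the MAC verifies, the forged record is discarded without side effects and the replay check still rejects genuine duplicates.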
- CVE-2016-6302 (denial of service)
If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to
a DoS attack where a malformed ticket will result in an OOB read which
will ultimately crash.
The use of SHA512 in TLS session tickets is comparatively rare as it
requires a custom server callback and ticket lookup mechanism.
- CVE-2016-6306 (denial of service)
In OpenSSL 1.0.2 and earlier some missing message length checks can
result in OOB reads of up to 2 bytes beyond an allocated buffer. There
is a theoretical DoS risk but this has not been observed in practice on
The messages affected are client certificate, client certificate
request and server certificate. As a result the attack can only be
performed against a client or a server which enables client
A remote attacker is able to execute arbitrary code, recover private
keys, disclose sensitive information or perform a denial of service
attack via various vectors.