—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Liebe Kolleginnen und Kollegen,
soeben erreichte uns nachfolgendes Sun Security Advisory. Wir geben
diese Informationen unveraendert an Sie weiter.
Bitte beachten Sie, dass dies ein Update des Advisories ist, das die
folgenden Aenderungen betrifft:
Mit diesem Update gibt Sun die betroffenen Versionen von OpenSolaris
bekannt.
CVE-2009-3555 – Designschwaeche im SSLv3/TSLv1 Protokoll bei der
Renegotiation
Bei der Neuaushandlung von Parametern in einer SSL oder TLS Session
(Renegotiation) wird das Client Zertifikat geprueft. Allerdings ist es
aufgrund einer Schwachstelle im TLS-Protokoll unter Umstaenden moeglich,
dass vorher beliebige Daten in die TLS-Session eingeschleust werden. Dies
ermoeglicht Man-in-the-Middle Angriffe auf die TLS-Session. Beim HTTPS
Protokoll kann ein Angreifer so den HTTP-Request des Benutzers faelschen.
Dies kann ein Angreifer dazu ausnutzen, um an vertrauliche Daten zu
gelangen, Operationen mit den Rechten des Benutzers auf dem Server
auszufuehren, dem Benutzer falsche Informationen anzuzeigen.
Bitte beachten Sie: Es handelt sich um eine Schwaeche im SSL bzw. TLS
Protokoll selbst, die derzeit nicht vollstaendig behebbar ist. Das
FreeBSD bzw. OpenSSL Team deaktivieren als Workaround die
Regnegotiation, was im Einzelfall negative Auswirkungen auf die
Funktionsfaehigkeit der geschuetzten Anwendung haben kann.
Diese Schwachstelle wird bereits aktiv von Angreifern ausgenutzt.
Betroffen sind die folgenden Software Pakete und Plattformen:
OpenSSL
SPARC Plattform
* Solaris 10 ohne Interim Fix IDR141981-01
* OpenSolaris vor Build snv_129
x86 Plattform
* Solaris 10 ohne Interim Fix IDR141982-01
* OpenSolaris vor Build snv_129
Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.
Hersteller Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-273029-1
(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.
Mit freundlichen Gruessen,
Klaus Moeller, DFN-CERT
– —
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrase 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
17. DFN Workshop “Sicherheit in vernetzten Systemen” 09./10.02.2010
Informationen unter https://www.dfn-cert.de/veranstaltungen/workshop.html
Alert URL: http://sunsolve.sun.com/search/document.do?assetkey=1-66-273029-1
Sun Security Alert: 273029
Security Vulnerability in the Transport Layer Security (TLS) and Secure
Sockets Layer 3.0 (SSLv3) Protocols Involving Handshake Renegotiation
Affects OpenSSL
__________________________________________________________________
Category : Security
Release Phase : Workaround
Bug Id : 6898546, 6898539
Product : Solaris 10 Operating System
OpenSolaris
Date of Workaround Release : 19-Nov-2009
Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets
Layer 3.0 (SSLv3) Protocols Involving Handshake Renegotiation Affects OpenSSL
1. Impact
A security vulnerability in the Transport Layer Security (TLS) and
Secure Sockets Layer 3.0 (SSLv3) protocols in the handling of session
renegotiations affects OpenSSL (see openssl(5)). This issue may allow a
remote unauthenticated user with the ability to intercept and control
network traffic to perform man-in-the-middle (MITM) attack to inject
arbitrary plaintext at the beginning of the application protocol
stream, thus compromising the integrity of the communication. This
vulnerability does not allow one to decrypt the intercepted network
communication.
The exact nature of the impact of compromised data integrity depends on
the application making use of the OpenSSL libraries.
Sun acknowledges with thanks, Marsh Ray and Steve Dispensa of
PhoneFactor for bringing this issue to our attention.
This issue is also referenced in the following documents:
CVE-2009-3555 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
US-CERT VU#120541 at http://www.kb.cert.org/vuls/id/120541
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 10
* OpenSolaris based upon builds snv_01 through snv_128
x86 Platform
* Solaris 10
* OpenSolaris based upon builds snv_01 through snv_128
Notes:
1. Solaris 8 is not impacted by this issue.
2. Solaris 9 does not ship with OpenSSL libraries which can be used for
application linking and is thus not impacted by this issue.
OpenSolaris distributions may include additional bug fixes above and
beyond the build from which it was derived. The base build can be
derived as follows:
$ uname -v
snv_101
3. Symptoms
There are no predictable symptoms that would indicate the described
issue has occurred.
4. Workaround
Solaris Kernel SSL proxy module, KSSL (see ksslcfg(1M)) does not
support client renegotiation or rehandshake. Server applications which
use the KSSL module are not affected by this issue. KSSL may be used to
workaround the described issue in such applications.
The following Interim Security Relief (ISRs) is available from
http://sunsolve.sun.com/tpatches for the following release:
SPARC Platform
* Solaris 10 IDR141981-01
x86 Platform
* Solaris 10 IDR141982-01
IMPORTANT: These ISRs disable TLS session renegotiation. This may
affect applications which depend on renegotiation. It is advisable to
test these ISRs with applications that use OpenSSL libraries, before
deploying them for wider use.
Note: This document refers to one or more Interim Security Relief
(ISRs) which are designed to address the concerns identified herein.
Sun has limited experience with these (ISRs) due to their interim
nature. As such, you should only install the ISRs on systems meeting
the configurations described above. Sun may release full patches at a
later date, however, Sun is under no obligation whatsoever to create,
release, or distribute any such patch.
5. Resolution
This issue is addressed for applications that do not depend on TLS
session renegotiations in the following releases:
SPARC Platform
* OpenSolaris based upon builds snv_129 or later
x86 Platform
* OpenSolaris based upon builds snv_129 or later
Note: A final resolution is pending completion for Solaris 10 and
OpenSolaris. Sun is working to fix the TLS implementations according to
the TLS protocol standard extensions currently being developed.
For more information on Security Sun Alerts, see Technical Instruction
ID 213557.
This Sun Alert notification is being provided to you on an “AS IS”
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
Modification History
03-Dec-2009: Updated Contributing Factors and Resolution sections for OpenSolar
is
Attachments
This solution has no attachment
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFLHRH1k0kIxZMiiQ8RAiEAAJ99IrmlK56gj3e2cqp11jZu3e6D4ACgxXGZ
CJrthI63Sf0+gPeV5W2zdYM=
=ZdDD
—–END PGP SIGNATURE—–
