[NetBSD] Vulnerability in OpenSSL - NetBSD-SA2010-011


Dear colleagues,

We have just received the following warning from the NetBSD Security Officer.
We are forwarding this information to you unchanged.

CVE-2010-2939 - Vulnerability in the OpenSSL client

When elliptic-curve key exchange (ECDH) is used in OpenSSL, faulty
certificates are not handled correctly. If a certificate is selected whose
associated private key was generated from a non-prime, the function
ssl3_get_key_exchange() (from ssl/s3_clnt.c) of the OpenSSL client
triggers a double-free error. A remote attacker can exploit this
vulnerability to crash the application (denial of service) or, in the
worst case, to execute arbitrary commands.

The following software packages and platforms are affected:

openssl before version 0.9.8onb1

NetBSD-current
NetBSD-5-0
NetBSD-5
NetBSD-4-0
NetBSD-4
NetBSD releases before 4.0 are no longer supported.

The vendor provides revised packages.

(c) of the German summary by DFN-CERT Services GmbH; redistribution, in
whole or in part, is permitted only with attribution to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,
Detlev O. Matthies

-- 

Detlev O. Matthies, M.Sc. (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic alerts: https://www.cert.dfn.de/autowarn


NetBSD Security Advisory 2010-011
=================================

Topic: OpenSSL Double Free Arbitrary Code Execution

Version: NetBSD-current: source prior to August 11, 2010
NetBSD 5.0.*: affected
NetBSD 5.0: affected
NetBSD 4.0.*: affected
NetBSD 4.0: affected
pkgsrc: openssl package prior to 0.9.8onb1

Severity: Denial of Service and potential arbitrary code execution

Fixed: NetBSD-current: August 12, 2010
NetBSD-5-0 branch: September 8, 2010
NetBSD-5 branch: September 8, 2010
NetBSD-4-0 branch: October 13, 2010
NetBSD-4 branch: October 13, 2010
pkgsrc 2010Q3: openssl-0.9.8onb1 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

Client programs that use the openssl library to open and process SSLv3 and
TLSv1 connections may crash or execute arbitrary code if the server provides
a specially crafted SSL key.

This vulnerability has been assigned CVE-2010-2939.

Technical Details
=================

The ssl3_get_key_exchange() function in the OpenSSL client (ssl/s3_clnt.c)
frees a buffer but fails to set the pointer to that buffer to NULL when
ECDH is used. A later error path frees the same buffer again, resulting in
a double free, which allows context-dependent attackers to cause a denial
of service (crash) and possibly execute arbitrary code via a crafted
private key with an invalid prime.
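The shape of the defect and of its fix, as an added illustration that is not NetBSD's or OpenSSL's code: the key type, the function names and the `params_ok` flag are hypothetical stand-ins, and a tracking allocator replaces free() so that a second free is counted instead of corrupting the heap.

```c
/* Added example, not NetBSD's or OpenSSL's code: a simplified model of the bug
 * class in ssl3_get_key_exchange(). Types and function names are hypothetical;
 * a tracking allocator stands in for free() so a second free is counted rather
 * than corrupting the heap. */
#include <stddef.h>

typedef struct { int live; } model_key;   /* stands in for EC_KEY */
static model_key key_slot;                /* one static object, no real heap */
static int double_free_count;             /* incremented on a repeated free */

static model_key *key_new(void) { key_slot.live = 1; return &key_slot; }

static void key_free(model_key *k) {
    if (k == NULL) return;                /* NULL is a no-op, as in EC_KEY_free() */
    if (!k->live) { double_free_count++; return; }   /* real free() would be UB here */
    k->live = 0;
}

/* Vulnerable shape: the temporary ECDH key is freed once its contents have
 * been copied into the session, but the pointer is left dangling; a later
 * failure jumps to err:, whose cleanup frees the same object again. */
static int get_key_exchange_vuln(int params_ok) {
    model_key *ecdh = key_new();
    key_free(ecdh);                       /* temporary no longer needed */
    if (!params_ok) goto err;             /* e.g. server parameters fail validation */
    return 1;
err:
    if (ecdh != NULL) key_free(ecdh);     /* second free of the same object */
    return 0;
}

/* Fixed shape: clear the pointer right after freeing, so the err: cleanup
 * sees NULL and does nothing. */
static int get_key_exchange_fixed(int params_ok) {
    model_key *ecdh = key_new();
    key_free(ecdh);
    ecdh = NULL;                          /* the one-line fix */
    if (!params_ok) goto err;
    return 1;
err:
    if (ecdh != NULL) key_free(ecdh);     /* never reached with a dangling pointer */
    return 0;
}

/* Run one variant under the given outcome; returns the number of double frees. */
static int count_double_frees(int (*fn)(int), int params_ok) {
    double_free_count = 0;
    (void)fn(params_ok);
    return double_free_count;
}
```

The same discipline (free, then immediately clear the pointer, and make every cleanup path NULL-tolerant) is what the patched s3_clnt.c revisions listed below restore.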

Solutions and Workarounds
=========================

- Patch, recompile, and reinstall libssl.

CVS branch   file                                                 revision
-----------  ---------------------------------------------------  ------------
HEAD         src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c   1.2
netbsd-5-0   src/crypto/dist/openssl/ssl/s3_clnt.c                1.12.4.1.2.1
netbsd-5     src/crypto/dist/openssl/ssl/s3_clnt.c                1.12.4.2
netbsd-4-0   src/crypto/dist/openssl/ssl/s3_clnt.c                1.9.4.1.2.2
netbsd-4     src/crypto/dist/openssl/ssl/s3_clnt.c                1.9.4.3

The following instructions briefly summarize how to update and
recompile libssl. In these instructions, replace:

BRANCH with the appropriate CVS branch (from the above table)
FILES with the file names for that branch (from the above table)

To update from CVS, re-build, and re-install libssl (and the libcrypt and libcrypto it depends on):

* NetBSD-current:

# cd src
# cvs update -d -P -r BRANCH crypto/external/bsd/openssl/dist/ssl
# cd lib/libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../../crypto/external/bsd/openssl/lib/libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 5.*/4.*:

# cd src
# cvs update -d -P -r BRANCH crypto/dist/openssl/ssl
# cd lib/libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

For more information on building (oriented towards rebuilding the
entire system, however) see:

http://www.netbsd.org/guide/en/chap-build.html

Thanks To
=========

Thanks to Georgi Guninski for discovering the problem and Mounir
IDRASSI for providing the fix. Thanks also to Matthias Drochner
for providing the necessary patches for NetBSD HEAD and netbsd-5
as well as information on the impact of the vulnerability, and
Christos Zoulas for providing the patch to netbsd-4.

Revision History
================

2010-10-28 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-011.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2010, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-011.txt,v 1.1 2010/10/27 21:41:46 tonnerre Exp $

