[NetBSD] Vulnerability in the OpenSSL TLS extension - NetBSD-SA2010-012

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear colleagues,

We have just received the following warning from the NetBSD Security Officer.
We are passing this information on to you unchanged.

CVE-2010-3864 - Heap Overflow in OpenSSL

The TLS code of OpenSSL does not handle user-controlled data correctly.
On an OpenSSL-based TLS server that runs multi-threaded and offers
internal caching, a race condition can trigger a heap overflow while
processing TLS Server Name extensions and elliptic curves. A remote
attacker can exploit this vulnerability to crash the server or, in the
worst case, execute arbitrary commands with its privileges. Note:
OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a are affected;
multi-process servers or servers without internal caching (such as the
Apache HTTP Server or Stunnel) are not affected.

The following software packages and platforms are affected:

Package openssl

NetBSD-current (before November 18, 2010)
NetBSD 5.0.*
NetBSD 5.0
NetBSD 5.1

Revised packages are made available by the vendor.

(c) of the German summary: DFN-CERT Services GmbH; distribution, in
whole or in part, is permitted only with reference to the originator,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,
Tilmann Haak

-- 
Dipl.-Inform. Tilmann Haak (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automated warning messages: https://www.cert.dfn.de/autowarn

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2010-012
=================================

Topic: OpenSSL TLS extension parsing race condition.

Version: NetBSD-current: source prior to November 18, 2010
NetBSD 5.0.*: affected
NetBSD 5.0: affected
NetBSD 5.1: affected
NetBSD 4.0.*: not affected
NetBSD 4.0: not affected
pkgsrc: openssl package prior to 0.9.8p

Severity: Denial of Service and potential arbitrary code execution

Fixed: NetBSD-current: November 17, 2010
NetBSD-5-0 branch: November 19, 2010
NetBSD-5-1 branch: November 19, 2010
NetBSD-5 branch: November 19, 2010
pkgsrc 2010Q3: openssl-0.9.8p corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Abstract
========

A flaw has been found in the OpenSSL TLS server extension code parsing which
on affected servers can be exploited in a buffer overrun attack.
This flaw impacts neither the Apache HTTP server nor any daemon as shipped
with NetBSD.

This vulnerability has been assigned CVE-2010-3864.

Technical Details
=================

Multiple race conditions in ssl/t1_lib.c in OpenSSL, when multi-threading
and internal caching are enabled on a TLS server, might allow remote
attackers to execute arbitrary code via client data that triggers a
heap-based buffer overflow, related to (1) the TLS server name extension
and (2) elliptic curve cryptography. A binary that does not link against
both libssl and a threading library such as libpthread is unlikely
to be affected.
See http://www.openssl.org/news/secadv_20101116.txt for the vulnerability
announcement from OpenSSL.
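The two facts in the paragraph above, the affected version set and the "links both libssl and a threading library" heuristic, can be turned into a host triage check. The script below is an added example written for this page; it is not part of the NetBSD advisory, the DFN-CERT mail or OpenSSL itself. The `openssl version` banner and the ldd(1) lines it consumes are constructed sample inputs, and every function name is this example's own.

```shell
#!/bin/sh
# Added triage helper, not part of the NetBSD or DFN-CERT advisory. It encodes
# two statements from the advisory: the affected OpenSSL versions (0.9.8f
# through 0.9.8o, 1.0.0 and 1.0.0a) and the observation that a binary is
# unlikely to be affected unless it links both libssl and a threading
# library such as libpthread. All function names are this example's own.

# openssl_affected VERSION
# Succeeds (exit 0) if VERSION, the token printed by `openssl version`
# (e.g. "0.9.8o"), is in the affected set; fails otherwise. 0.9.8p and
# 1.0.0b, the fixed releases, and the 0.9.8a-e series are not affected.
openssl_affected() {
    case "$1" in
        0.9.8[fghijklmno]) return 0 ;;   # 0.9.8f ... 0.9.8o
        1.0.0|1.0.0a)      return 0 ;;   # 1.0.0 and 1.0.0a
        *)                 return 1 ;;
    esac
}

# version_from_banner BANNER
# Prints the version token from an `openssl version` banner such as
# "OpenSSL 0.9.8o 01 Jun 2010"; fails if the banner is not recognised.
version_from_banner() {
    set -- $1
    [ "$1" = "OpenSSL" ] || return 1
    printf '%s\n' "$2"
}

# links_ssl_and_threads
# Reads ldd(1)-style output on stdin and succeeds only if both a libssl and
# a libpthread shared object appear, the combination the advisory singles
# out as the likely-affected one.
links_ssl_and_threads() {
    ssl=0
    thr=0
    while IFS= read -r line; do
        case "$line" in
            *libssl.so*)     ssl=1 ;;
            *libpthread.so*) thr=1 ;;
        esac
    done
    [ "$ssl" -eq 1 ] && [ "$thr" -eq 1 ]
}

# triage BANNER LDD_OUTPUT
# Prints one verdict: unknown, version-not-affected, affected, or
# version-affected-no-threads (patch anyway; the advisory only says such a
# binary is unlikely to be affected, not that it is safe).
triage() {
    ver=$(version_from_banner "$1") || { echo unknown; return 0; }
    if ! openssl_affected "$ver"; then
        echo version-not-affected
    elif printf '%s\n' "$2" | links_ssl_and_threads; then
        echo affected
    else
        echo version-affected-no-threads
    fi
}

# Constructed sample inputs (not captured from any real system); the ldd
# lines follow the NetBSD "-lname => path" layout.
SAMPLE_BANNER='OpenSSL 0.9.8o 01 Jun 2010'
SAMPLE_LDD_THREADED='        -lssl.8 => /usr/lib/libssl.so.8
        -lcrypto.5 => /usr/lib/libcrypto.so.5
        -lpthread.1 => /usr/lib/libpthread.so.1
        -lc.12 => /usr/lib/libc.so.12'
SAMPLE_LDD_SINGLE='        -lssl.8 => /usr/lib/libssl.so.8
        -lcrypto.5 => /usr/lib/libcrypto.so.5
        -lc.12 => /usr/lib/libc.so.12'

# On a real host the two arguments would come from
#   triage "$(openssl version)" "$(ldd /path/to/daemon)"
triage "$SAMPLE_BANNER" "$SAMPLE_LDD_THREADED"   # prints: affected
triage "$SAMPLE_BANNER" "$SAMPLE_LDD_SINGLE"     # prints: version-affected-no-threads
```

The version match is deliberately an explicit letter list rather than a numeric comparison, because OpenSSL's 0.9.8 series uses a letter suffix and the advisory bounds the affected range by letter; a daemon that statically links OpenSSL or loads it through a plugin will not show libssl in ldd output, so the "no-threads" verdict is a prompt to look closer, not a clearance.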

Solutions and Workarounds
=========================

- Patch, recompile, and reinstall libssl.

CVS branch     file                                                revision
-------------  --------------------------------------------------  --------
HEAD           src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c   1.2

CVS branch     file                                                revision
-------------  --------------------------------------------------  --------
netbsd-5-1     src/crypto/dist/openssl/ssl/t1_lib.c                1.2.12.1
netbsd-5-0     src/crypto/dist/openssl/ssl/t1_lib.c                1.2.8.1
netbsd-5       src/crypto/dist/openssl/ssl/t1_lib.c                1.2.4.1

The following instructions briefly summarize how to update and
recompile libssl. In these instructions, replace:

BRANCH with the appropriate CVS branch (from the above table)
FILES with the file names for that branch (from the above table)

To update from CVS, re-build, and re-install libssl (together with libcrypt and libcrypto, which the steps below rebuild first):

* NetBSD-current:

# cd src
# cvs update -d -P -A crypto/external/bsd/openssl/dist/ssl
# cd lib/libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../../crypto/external/bsd/openssl/lib/libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 5.*:

# cd src
# cvs update -d -P -r BRANCH crypto/dist/openssl/ssl
# cd lib/libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

For more information on building (oriented towards rebuilding the
entire system, however) see:

http://www.netbsd.org/guide/en/chap-build.html

Thanks To
=========

Thanks to Rob Hulswit for discovering the problem and Dr Stephen Henson
for providing the fix.

Revision History
================

2010-11-29 Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2010, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-012.txt,v 1.1 2010/11/28 14:23:19 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkz1ARQACgkQWmhIvjFb90VRSgCaAnLNFGMRQemqHyogrZoDASk9
WmMAnjm5qMEqFWCqpUVJiXmiogMAj0TZ
=96qW
-----END PGP SIGNATURE-----
