
NetBSD Security Advisory 2011-002: OpenSSL TLS extension parsing race condition



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2011-002
                 =================================

Topic:          OpenSSL TLS extension parsing race condition.


Version:        NetBSD-current:         source prior to February 11, 2011
                NetBSD 5.0.*:           affected
                NetBSD 5.0:             affected
                NetBSD 5.1:             affected
                NetBSD 4.0.*:           not affected
                NetBSD 4.0:             not affected
                pkgsrc:                 openssl package prior to 0.9.8qnb1

Severity:       Denial of Service and potential Information Disclosure

Fixed:          NetBSD-current:         February 11, 2011
                NetBSD-5-0 branch:      February 17, 2011
                NetBSD-5-1 branch:      February 17, 2011
                NetBSD-5 branch:        February 17, 2011
                pkgsrc 2010Q4:          openssl-0.9.8qnb1 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Incorrectly formatted ClientHello handshake messages could cause OpenSSL
to parse past the end of the message.

Applications are only affected if they act as a server and call
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".

This vulnerability has been assigned CVE-2011-0014.


Technical Details
=================

Incorrectly formatted ClientHello handshake messages could cause OpenSSL
to parse past the end of the message. An attacker may be able to cause
a crash (denial of service) by triggering invalid memory accesses.

The results of the parse are only available to the application using
OpenSSL so do not directly cause an information leak. However, some
applications may expose the contents of parsed OCSP extensions,
specifically an OCSP nonce extension. An attacker could use this to read
the contents of memory following the ClientHello.

See http://www.openssl.org/news/secadv_20110208.txt for the vulnerability
announcement from OpenSSL.
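To make the class of defect described above concrete, here is an added illustration written for this page (it is not OpenSSL's code and not the patched t1_lib.c): a bounds-checked walk over the ClientHello extensions block and, inside it, the status_request extension as laid out in RFC 6066 (status_type, responder ID list, request extensions, the last of which is where an OCSP nonce is carried). Every length field is checked against the bytes actually present in the enclosing structure before any read, so a length that points past the end of the message yields PARSE_TRUNCATED rather than a read past the buffer. The function and type names, and the two sample buffers (one well-formed, one whose inner request-extensions length overstates what is present), are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Any length field that reaches past the bytes actually present is reported
 * as PARSE_TRUNCATED instead of being followed. */
enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_VALUE = -2 };

#define TLSEXT_TYPE_status_request 5   /* RFC 6066 extension type */
#define TLSEXT_STATUSTYPE_ocsp     1   /* RFC 6066 status_type     */

/* Cursor over a byte buffer; every read checks the remaining length first. */
struct cursor { const uint8_t *p; size_t left; };

static int read_u8(struct cursor *c, unsigned *out)
{
    if (c->left < 1) return 0;
    *out = c->p[0]; c->p += 1; c->left -= 1;
    return 1;
}
static int read_u16(struct cursor *c, unsigned *out)
{
    if (c->left < 2) return 0;
    *out = ((unsigned)c->p[0] << 8) | c->p[1]; c->p += 2; c->left -= 2;
    return 1;
}
/* Carve a sub-buffer of n bytes out of c, or fail if fewer than n remain. */
static int read_bytes(struct cursor *c, size_t n, struct cursor *sub)
{
    if (c->left < n) return 0;
    sub->p = c->p; sub->left = n; c->p += n; c->left -= n;
    return 1;
}

/* What the application gets to see from a status_request extension. */
struct status_request {
    unsigned       status_type;
    const uint8_t *request_exts;      /* DER OCSP request extensions (nonce lives here) */
    size_t         request_exts_len;
};

/* Body: status_type(1) | responder_id_list<0..2^16-1> | request_extensions<0..2^16-1>.
 * Each inner length is validated against the extension's own declared length. */
static int parse_status_request(struct cursor ext, struct status_request *sr)
{
    unsigned len;
    struct cursor ids, exts;

    if (!read_u8(&ext, &sr->status_type)) return PARSE_TRUNCATED;
    if (sr->status_type != TLSEXT_STATUSTYPE_ocsp) return PARSE_OK;   /* unknown type: ignore */
    if (!read_u16(&ext, &len) || !read_bytes(&ext, len, &ids)) return PARSE_TRUNCATED;
    while (ids.left > 0) {                       /* each ResponderID is length-prefixed */
        struct cursor id;
        if (!read_u16(&ids, &len) || !read_bytes(&ids, len, &id)) return PARSE_TRUNCATED;
    }
    if (!read_u16(&ext, &len) || !read_bytes(&ext, len, &exts)) return PARSE_TRUNCATED;
    if (ext.left != 0) return PARSE_BAD_VALUE;   /* trailing bytes inside the extension */
    sr->request_exts = exts.p;
    sr->request_exts_len = exts.left;
    return PARSE_OK;
}

/* Extensions block: u16 total length, then (u16 type, u16 length, body)*.
 * Unknown extension types are skipped by their declared length. */
int parse_clienthello_extensions(const uint8_t *buf, size_t len,
                                 struct status_request *sr, int *have_ocsp)
{
    struct cursor c = { buf, len }, all;
    unsigned total;

    *have_ocsp = 0;
    memset(sr, 0, sizeof *sr);
    if (!read_u16(&c, &total) || !read_bytes(&c, total, &all)) return PARSE_TRUNCATED;
    if (c.left != 0) return PARSE_BAD_VALUE;     /* bytes beyond the declared block */
    while (all.left > 0) {
        unsigned type, elen;
        struct cursor ext;
        if (!read_u16(&all, &type) || !read_u16(&all, &elen) || !read_bytes(&all, elen, &ext))
            return PARSE_TRUNCATED;
        if (type == TLSEXT_TYPE_status_request) {
            int r = parse_status_request(ext, sr);
            if (r != PARSE_OK) return r;
            if (sr->status_type == TLSEXT_STATUSTYPE_ocsp) *have_ocsp = 1;
        }
    }
    return PARSE_OK;
}

/* Constructed sample inputs, not captured traffic.  SAMPLE_GOOD: a status_request
 * whose request_extensions are an empty DER SEQUENCE (30 00), then an unrelated
 * extension.  SAMPLE_BAD: identical, but request_extensions claims 16 bytes where
 * only 2 remain inside the extension. */
const uint8_t SAMPLE_GOOD[] = {
    0x00, 0x13,                                      /* extensions length = 19   */
    0x00, 0x05, 0x00, 0x07,                          /* status_request, 7 bytes  */
    0x01, 0x00, 0x00, 0x00, 0x02, 0x30, 0x00,        /* ocsp, no ids, exts 30 00 */
    0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x17,  /* other extension, skipped */
};
const uint8_t SAMPLE_BAD[] = {
    0x00, 0x13, 0x00, 0x05, 0x00, 0x07,
    0x01, 0x00, 0x00, 0x00, 0x10, 0x30, 0x00,        /* exts length 16 > 2 left  */
    0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x17,
};
const size_t SAMPLE_GOOD_LEN = sizeof SAMPLE_GOOD;
const size_t SAMPLE_BAD_LEN  = sizeof SAMPLE_BAD;

/* Parse one buffer; on success report the OCSP request-extensions length. */
int parse_sample(const uint8_t *buf, size_t len, size_t *exts_len)
{
    struct status_request sr;
    int have;
    int r = parse_clienthello_extensions(buf, len, &sr, &have);
    *exts_len = (r == PARSE_OK && have) ? sr.request_exts_len : 0;
    return r;
}

int main(void)
{
    size_t n = 0;
    int r = parse_sample(SAMPLE_GOOD, SAMPLE_GOOD_LEN, &n);
    printf("good: result %d, request extensions %zu bytes\n", r, n);
    r = parse_sample(SAMPLE_BAD, SAMPLE_BAD_LEN, &n);
    printf("bad:  result %d\n", r);
    return 0;
}
```

The design point is that the cursor never hands back more bytes than it holds: the status_request body is parsed from a sub-cursor bounded by that extension's own length, so a lying inner length cannot reach into the next extension, the rest of the record, or the memory following it, which is exactly the region the advisory says a server exposing the OCSP nonce could leak.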


Solutions and Workarounds
=========================

- Patch, recompile, and reinstall libssl.

  CVS branch    file                                                    revision
  ------------- ----------------                                        --------
  HEAD          src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c       1.4

  CVS branch    file                                            revision
  ------------- ----------------                                --------
  netbsd-5-1    src/crypto/dist/openssl/ssl/t1_lib.c            1.2.12.3

  netbsd-5-0    src/crypto/dist/openssl/ssl/t1_lib.c            1.2.8.3

  netbsd-5      src/crypto/dist/openssl/ssl/t1_lib.c            1.2.4.3


The following instructions briefly summarize how to update and
recompile libssl. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  FILES    with the file names for that branch (from the above table)

To update from CVS, rebuild, and reinstall libssl:

* NetBSD-current:

        # cd src
        # cvs update -d -P -A crypto/external/bsd/openssl/dist/ssl
        # cd lib/libcrypt
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../crypto/external/bsd/openssl/lib/libcrypto
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

* NetBSD 5.*:

        # cd src
        # cvs update -d -P -r BRANCH crypto/dist/openssl/ssl
        # cd lib/libcrypt
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libcrypto
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

For more information on building (oriented towards rebuilding the
entire system, however) see:

   http://www.netbsd.org/guide/en/chap-build.html


Thanks To
=========

Thanks to Neel Mehta (Google) for discovering the problem and
Adam Langley and Bodo Moeller (Google) for providing the fix.


Revision History
================

        2011-03-08      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-002.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-002.txt,v 1.1 2011/03/08 01:36:24 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)

iQIcBAEBAgAGBQJNdYhcAAoJEAZJc6xMSnButaEQALUOV70xn1FWvE6t82fpiEjn
1AUuK7khEjpazxDmrsr4XQ39XgmuKV3Sgr1vYnn3x0GVWpUNIZA6OIRP49TIwPAV
tqFyP6G9HONtdam2MwEmv8Mg0OuK+M3AUrys3wv/YXecnpoju5bVzTrYs3L0X4SH
qnlZDoUWCX4yXXCgowtSUEQdhyNc0SDb7m6aKASAwyNRRDROCXAkuWRkNROnFCX5
Vnkpjqkq1ihLnYW16mo0T/TxBF2MmNl9HIwo1DBKGeoizsj8HdY7cFJ3ztf2wYH0
ZuSFq7iFyuDjvdA2AjnBQVz7O5SmeQLfsXCLoMoO60punExQMUoLy9mRPIuPo7b4
6p3OnV62GYI4iPuOjsob1R42nq7i93CMsKD0E//8Q3lhFuRyUkATVjgMU+u0ftOc
80sOAln2Am6pP0NzauU7iFFHZ80FhObBlvdiFev6UymdHSiM7ISfRBhcfcCnIrXy
rpL1miPULcToy6hdvpvwPmSkgSBzt0UAx64ZfM5jGu3GHDDdsI+B5BjLudtDhvjP
kK2W1gx5v1PQWoi/wgfxT6WGbBq6Moh7clkMlzZ3NBdu/T/lRabeqDzpcuDBfRIE
xLuwRwu+Jx/AUnEIa8wQMKQpDI9tKyJU1zCKr4ZitEKtkkCmUV5dRtJQp1Mps3Ud
rvNTRBXAtiCpBNPJpryg
=WMth
-----END PGP SIGNATURE-----

