Current-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2010-002: OpenSSL TLS renegotiation man in the middle vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2010-002
=================================
Topic: OpenSSL TLS renegotiation man in the middle vulnerability
Version: NetBSD-current: affected prior to 2009-12-04
NetBSD 5.0: affected
NetBSD 4.0.*: affected
NetBSD 4.0: affected
pkgsrc: openssl package prior to x.y.z
Severity: Information disclosure
Fixed: NetBSD-current: Dec 03, 2009
NetBSD-5-0 branch: Jan 12, 2010
NetBSD-5 branch: Jan 12, 2010
NetBSD-4-0 branch: Jan 12, 2010
NetBSD-4 branch: Jan 12, 2010
pkgsrc 2009Q4: openssl-0.9.8l corrects this issue
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
An error in the OpenSSL TLS session renegotiation allows a remote
attacker to intercept communication and conduct a Man-in-the-Middle
attack on TLS sessions.
This vulnerability has been assigned CVE-2009-3555 and CERT
Vulnerability Note VU#120541.
Technical Details
=================
A design problem exists in the renegotiation feature for TLS sessions as
implemented by the version of OpenSSL shipped with NetBSD. As session
renegotiation handshakes are not properly associated with an existing
connection, an unauthenticated attacker can initiate a renegotiation in
order to allow a man-in-the-middle attack, which may allow the attacker
to inject plaintext into the communication.
Solutions and Workarounds
=========================
The solution to this problem is to disable TLS session renegotiation for
now by applying the provided patches or updating NetBSD to a version
including the fix.
The following instructions describe how to upgrade your OpenSSL
binaries by updating your source tree and rebuilding and installing
a new version of OpenSSL.
* NetBSD-current:
Systems running NetBSD-current dated from before 2009-12-04
should be upgraded to NetBSD-current dated 2009-12-04 or later.
The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
crypto/external/bsd/openssl/dist/ssl/s3_lib.c
crypto/external/bsd/openssl/dist/ssl/s3_pkt.c
crypto/external/bsd/openssl/dist/ssl/s3_srvr.c
crypto/external/bsd/openssl/dist/ssl/ssl_locl.h
To update from CVS, re-build, and re-install OpenSSL:
# cd src
# cvs update -d -P crypto/external/bsd/openssl/dist/ssl
# cd crypto/external/bsd/openssl/lib/libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 5.*:
Systems running NetBSD 5.* sources dated from before
2010-01-12 09:30 UTC should be upgraded from NetBSD 5.* sources
dated 2010-01-12 09:30 UTC or later.
The following files/directories need to be updated from the
netbsd-5 or netbsd-5-0 branches:
crypto/dist/openssl/ssl/s3_lib.c
crypto/dist/openssl/ssl/s3_pkt.c
crypto/dist/openssl/ssl/s3_srvr.c
crypto/dist/openssl/ssl/ssl_locl.h
To update from CVS, re-build, and re-install OpenSSL:
# cd src
# cvs update -r <branch_name> -d -P crypto/dist/openssl/ssl
# cd lib/libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 4.*:
Systems running NetBSD 4.* sources dated from before
2010-01-12 09:30 UTC should be upgraded from NetBSD 4.* sources
dated 2010-01-12 09:30 UTC or later.
The following files/directories need to be updated from the
netbsd-4 or netbsd-4-0 branches:
crypto/dist/openssl/ssl/s3_lib.c
crypto/dist/openssl/ssl/s3_pkt.c
crypto/dist/openssl/ssl/s3_srvr.c
crypto/dist/openssl/ssl/ssl_locl.h
To update from CVS, re-build, and re-install OpenSSL:
# cd src
# cvs update -r <branch_name> -d -P crypto/dist/openssl/ssl
# cd lib/libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
Marsh Ray, PhoneFactor and Martin Rex for discovering and reporting the issue,
and Christos Zoulas for fixing it.
Revision History
================
2010-01-12 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-002.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2010, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2010-002.txt,v 1.1 2010/01/12 20:04:35 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)
iQIcBAEBAgAGBQJLTNY/AAoJEAZJc6xMSnBuKTIP/jYAD8Yy6haGgbiP4G1WOQnr
qeV3e3nvJp5lDp25aelf1oyG2yQDqeDIMoZqSkfNohC7SP+v6QsX3io8wWbOEKwd
CEHsewLd9UIqwevV86mt+NPomsnhRORpx+K3V0ImSUXeQ2wqq7w/hV8h5jLw0QCo
fzL/WvdJEY8+cElU7ypSL1EYk5VDNljy9d/Oc0fMXIjruu8Dc2UQW3FpoMVL19B8
xfvydhbkDq9PevG3V1RsN0As3VKkJZEG3iqx/PsC22MDCaNBAjVG8qcZAW9Y32Ph
szmp/vp27Dsrjs4nDfGU3HlT32b1CtpoMIOFUNomMq+qqR1xKGAqS0MPG3UP0AWx
pfYi0QeFWi3QStswiL3UENXDh4A9PUQFCv1vjy4MBrPe2DDvh0HiuFPqWDFSGQBm
qYnmDItFP1LJ4pmfHUo82lNL1hwAQffbzPkjHXvNiWNfMjS3yYNrXKayv+Is+EeN
l/cJFecKFFMWRpwdt1roCknDtO/nevjABqPOW40geLogAazPXtHMMkU2zsQZ0JOS
6q4nuKW/kCGPDq1IUQNQff7vqxPduBrUnpVi/+09Lic/phLZR23epE9P6lMBuBbB
zTZ1YaZGYYmXPv3a0veVsHpFhzPpLSATxg4I68YgEYUFD3R6rCqKPnLeB5zjrpZE
QgMnO+nhwGMu0FfnvNPm
=r1Fe
-----END PGP SIGNATURE-----
Home |
Main Index |
Thread Index |
Old Index