Security-Announce archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2010-011: OpenSSL Double Free Arbitrary Code Execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2010-011
                 =================================

Topic:          OpenSSL Double Free Arbitrary Code Execution


Version:        NetBSD-current:         source prior to August 11, 2010
                NetBSD 5.0.*:           affected
                NetBSD 5.0:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected
                pkgsrc:                 openssl package prior to 0.9.8onb1

Severity:       Denial of Service and potential arbitrary code execution

Fixed:          NetBSD-current:         August 12, 2010
                NetBSD-5-0 branch:      September 8, 2010
                NetBSD-5 branch:        September 8, 2010
                NetBSD-4-0 branch:      October 13, 2010
                NetBSD-4 branch:        October 13, 2010
                pkgsrc 2010Q3:          openssl-0.9.8onb1 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Client programs using the openssl library to open and process SSLv3 and TLSv1
connections may crash or execute arbitrary code if the server provides a
specially crafted SSL key that can inject arbitrary code.

This vulnerability has been assigned CVE-2010-2939.


Technical Details
=================

A failure to set the pointer to a freed buffer to NULL in the
ssl3_get_key_exchange() function in the OpenSSL client (ssl/s3_clnt.c)
when using ECDH, results in a double free which in turn allows
context-dependent attackers to cause a denial of service (crash)
and possibly execute arbitrary code via a crafted private key with
an invalid prime.


Solutions and Workarounds
=========================

- - Patch, recompile, and reinstall libssl.

  CVS branch    file                                                    revision
  ------------- ----------------                                        --------
  HEAD          src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c      1.2

  CVS branch    file                                            revision
  ------------- ----------------                                --------
  netbsd-5-0    src/crypto/dist/openssl/ssl/s3_clnt.c           1.12.4.1.2.1

  netbsd-5      src/crypto/dist/openssl/ssl/s3_clnt.c           1.12.4.2

  netbsd-4-0    src/crypto/dist/openssl/ssl/s3_clnt.c           1.9.4.1.2.2

  netbsd-4      src/crypto/dist/openssl/ssl/s3_clnt.c           1.9.4.3


The following instructions briefly summarize how to update and
recompile libssl. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  FILES    with the file names for that branch (from the above table)

To update from CVS, re-build, and re-install libc and sftp:

* NetBSD-current:

        # cd src
        # cvs update -d -P -r BRANCH crypto/external/bsd/openssl/dist/ssl
        # cd lib/libcrypt
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../crypto/external/bsd/openssl/lib/libcrypto
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

* NetBSD 5.*/4.*:

        # cd src
        # cvs update -d -P -r BRANCH crypto/dist/openssl/ssl
        # cd lib/libcrypt
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libcrypto
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

For more information on building (oriented towards rebuilding the
entire system, however) see:

   http://www.netbsd.org/guide/en/chap-build.html


Thanks To
=========

Thanks to Georgi Guninski for discovering the problem and Mounir
IDRASSI for providing the fix.  Thanks also to Matthias Drochner
for providing the necessary patches for NetBSD HEAD and netbsd-5
as well as information on the impact of the vulnerability, and
Christos Zoulas for providing the patch to netbsd-4.


Revision History
================

        2010-10-28      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-011.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2010, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-011.txt,v 1.1 2010/10/27 21:41:46 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)

iQIcBAEBAgAGBQJMyJ8dAAoJEAZJc6xMSnBuX+AQAM4AsQlkFXUusYpbU0j9Hcc4
+s4wGSHRrlF02xydKRWdryLEIb3p9yOz9GkMVXDokUDGuarKyfY7yJt6LNWWNRYh
qR80CLQ7Mi+2XotZLMcDBldcS2ZOm09ZWH1JLzYDGZEJMNhyNdfI+Tg1EtIABoqF
F6jWn3eM2Vdn9q52GgiCz+Uo8DSEJxglppc5yR2q9UMtJCnQdPA4Ccc/2uKtyvEv
2d8MYXiSc7aYkvs5uw0iOY4Kqrhm77Bpi50jb5xm7Zcf9ANA/s3EpY+VkDQIOoaU
7kTm7o/fUlxMbb2PDD2xDLHY43Ecjc1bC4DlnQW87GsbBddB5Wh5gn/jjT2+XYxg
xkhP400O04YgM8MrxGEflJH+nAY/wZZkmkQSoxqW0JXr9rNH8ZqeKXR7BeCzOw2Z
6Yxh9f3xLApdbl1k70eYMM4dH6QlmRFIV82KJhgCCeBqKcPqFVBiBwfQkBtM7mEt
frpetXsrXATPS5nJTcOchHhL+muBFEnY7Ek0998X0Hxm0mL5q/NsdyV3+USUwL6n
8p63d8gA+nWk0AX7TqB0iRyQhiMqne00o3SeeVMa8w+5sXqC9pVXg80qXZQa5WR5
1od7Cf3F+daKwZ/xHYuaTclWNtFTxjARg5MJ9561QHBQpe5TTwweNBcYwdPRLBDm
hCi3yQ36ozvzS+xUy4Bc
=Ur1p
-----END PGP SIGNATURE-----
Home | Main Index | Thread Index | Old Index