Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0195 -- [Appliance]
Nortel Response to OpenSSL 'EVP_VerifyFinal' Function
Signature Verification Vulnerability
3 March 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenSSL
Publisher: Nortel
Operating System: Network Appliance
Impact: Provide Misleading Information
Access: Remote/Unauthenticated
CVE Names: CVE-2008-5077
Ref: AA-2009.0029
ESB-2009.0009
ESB-2009.0017
ESB-2009.0020
ESB-2009.0038
ESB-2009.0110
Original Bulletin:
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=837653
- --------------------------BEGIN INCLUDED TEXT--------------------
Nortel Response to OpenSSL 'EVP_VerifyFinal' Function Signature Verification
Vulnerability
BULLETIN ID: 2009009350, Rev 1
PUBLISHED: 2009-02-26
STATUS: Active
REGION: All
PRIORITY: Critical
TYPE: Security Advisory
Source:
1. OpenSSL 07-Jan-2009 -
http://www.openssl.org/news/secadv_20090107.txt
2. CVE-2008-5077 -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
3. Secunia SA33338 - http://secunia.com/advisories/33338/
Overview:
A vulnerability has been reported in OpenSSL, which can be exploited by
malicious people to conduct spoofing attacks. Some Nortel products contain
this software as a component and thus are potentially affected. This bulletin
provides a multi-product consolidated response for the Nortel products which
are potentially affected.
The vulnerability is caused due to certain OpenSSL functions not correctly
verifying the return value of the "EVP_VerifyFinal()" function when validating
the signature of DSA and ECDSA keys. This can be exploited to bypass the
signature check, such as by sending a specially crafted signature of a
certificate chain to a client. Successful exploitation requires that the
server uses a certificate containing a DSA or ECDSA key.
Please refer to the vendor link for additional information -
http://www.openssl.org/news/secadv_20090107.txt
This bulletin addresses the following CVE:
- - CVE-2008-5077 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077)
OpenSSL 0.9.8i and earlier does not properly check the return value from the
EVP_VerifyFinal function, which allows remote attackers to bypass validation
of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA
keys.
Before taking any action please ensure that you are viewing the latest
official version of this security advisory by referencing
http://www.nortel.com/securityadvisories
Symptoms:
Please refer to the links provided in the Source section for additional
information about the vulnerabilities addressed and the vendor fix. Please
refer to the Resolution section for Nortel-specific recommendations.
Prevention:
Please refer to the links provided in the Source section for additional
information about the vulnerabilities addressed and the vendor fix. Please
refer to the Resolution section for Nortel-specific recommendations.
Mitigation:
Please refer to the links provided in the Source section for additional
information about the vulnerabilities addressed and the vendor fix. Please
refer to the Resolution section for Nortel-specific recommendations.
Risk:
Please refer to the links provided in the Overview section for additional
information about the vulnerabilities addressed and the vendor fix. Please
refer to the Resolution section for Nortel-specific recommendations.
Resolution:
1. The following products are potentially vulnerable to this issue in that,
while there is no direct dependency with the Nortel product, the affected
component is incorporated. Please refer to product-specific text below for
instructions on how to proceed.
3rd-Party - Sun Platform-OAME
Carrier VoIP - MG 9000
. The risk is low because: a) We do not see DSA/ECDSA used in our system.
b) It's hard to attack by this way (it requires the specially crafted
certificates and to inject it into the system, root permission is required).
Nortel does not recommend applying a fix at this time.
Self-Service - Media Processing Svr 500, Media Processing Svr 1000, Peri
Application
. The following patches are under development and will be released as soon as
possible:
- - PERIdist, dist2.0.0.55 (Windows only - prerequisite for both vxml and htmls)
- - PERIvxml, vxml2.3.0.61 (Solaris and Windows)
- - htmls2.0.0.19 (Solaris and Windows)
- - SUN vendor ssl patch for Solaris 10
The following patch is under test and will be released shortly:
- - openssh for Solaris 8 only (NPopenSSH version 5.1.p1)
Please request released patches through the normal channel for installation.
Switched Firewall - 5300 (SFA-AD3), 5400 (SFA-AD4), 5600 (SFA-184), 5700
(SFA-185), SF-5014, SFA-6400, SFA-6600
. Fix is planned for release 4.2.5 due in June 2009.
VPN Gateway - 3050, 3070
VPN Router - SSL VPN Module 1000
. The security exposure of a successful attack is high because confidential
information is subject to exposure to the attacker. The risk of a successful
implementation of the exploit is low due to the logistical difficulty in
setting up an attack.
The following actions mitigate or address this vulnerability:
1. Security measures that prevent a potential attacker from modifying
configuration in the VPN Gateway and intranet DNS servers.
2. Use of RSA key rather than DSA and ECDSA keys.
3. Upgrade VPN Gateway software to release V7.0.7.1 or V7.1.3
Release V7.0.7.1 is available by contacting Nortel customer support. Release
V7.1.3 will be generally available in April 2009.
2. The following products are not vulnerable to this security issue. Please
review the list below to see any additional product-specific comments.
ENSM - IP Address Manager
3. The following Nortel Generally Available products have not completed
investigation to determine their vulnerability to the security issues. It is
not recommended to apply the fix until Nortel's investigation is complete.
This bulletin will be reissued if Nortel's investigation results in any change
to this recommendation.
Carrier VoIP - IAD 1104S
CDMA - W-NMS-CNM, HA, PDSN FA
DMS - PSP-Switching
ENSM - IP Address Manager
Enterprise VoIP - TM-CS1000, CS 1000M Chassis/Cabinet, CS 1000S
Ethernet Rtng Switch 8661
Meridian Core - Option 11C - Cabinet, Option 11C - Chassis, Option 51C,
Option 61C, Option 81C
Meridian SL100 - CS 2100, CS 2100-Compact
Multimedia Comm. - MCS5100, MCS5200
Multiservice Switch - MDM
Services Edge Router - SER Bootrom, iSOS
SSL Accelerator - SSL Acc 100, SSL Acc 310, SSL Acc 310 FIPS, SSL Acc 410
Switched Firewall - 5400 (SFA-AD4), ASF-5024, ASF-5105, ASF-5112, ASF-5130,
SF-5106, SF-5109, SF-5114, SF/VPN 5124
Threat Protection - TPS 2050IS, TPS 2070DC, TPS 2070IS, TPS 2150IS, TPS 2170IS,
TPS 2050TI, TPS 2070TI
USP - BB-STP, Signalling Gateway Blade
VPN Router - 221, 251, 1010, 1050, 1100, 1700, 1740, 1750, 2700, 5000
VPN Router - Contivity 2600, Contivity 4500, Contivity 4600
WiMAX - NMS 5100 Core Manager
For more information from Nortel:
Please contact your next level of support or visit
http://www.nortel.com/contact for support numbers within your region.
Nortel security advisories: http://www.nortel.com/securityadvisories
Nortel Partner Information Center (PIC) website: http://www.nortel.com/pic
Attachments:
There are no attachments for this bulletin
Products and Releases:
The information in this bulletin is intended to be used with the following
products and associated releases:
PRODUCT RELEASE
3rd Party-Sun-Sun Platform-OAME
CDMA-Packet Core-HA
CDMA-Packet Core-PDSN FA
CDMA-Network Management-W-NMS-CNM
Carrier VoIP-IAD-IAD 1104S
Carrier VoIP-Media Gateways-MG 9000
DMS-Network Management-PSP-Switching
ENSM-IP Address Manager-IP Address Manager
Enterprise VoIP-Core-CS 1000M Chassis/Cabinet
Enterprise VoIP-Core-CS 1000S
Enterprise VoIP-Applications-TM-CS1000
Ethernet Rtng Switch-Ethrnt Rtng Swt 8600-Ethernet Rtng Switch 8661
Meridian-SL100-CS 2100
Meridian-SL100-CS 2100-Compact
Meridian-Core-Option 11C - Cabinet
Meridian-Core-Option 11C - Chassis
Meridian-Core-Option 51C
Meridian-Core-Option 61C
Meridian-Core-Option 81C
Multimedia Comm.-MCS5100-MCS5100
Multimedia Comm.-MCS5200-MCS5200
Multiservice Switch-Network Management-MDM
SSL Accelerator-SSL Accelerator-SSL Acc 100
SSL Accelerator-SSL Accelerator-SSL Acc 310
SSL Accelerator-SSL Accelerator-SSL Acc 310 FIPS
SSL Accelerator-SSL Accelerator-SSL Acc 410
Self-Service-Media Processing Svr-Media Processing Svr 1000
Self-Service-Media Processing Svr-Media Processing Svr 500
Self-Service-Self-Service-Peri Application
Services Edge Router-5500-SER Bootrom
Services Edge Router-5500-iSOS
Switched Firewall-Switched Firewall-5300 (SFA-AD3)
Switched Firewall-Switched Firewall-5400 (SFA-AD4)
Switched Firewall-Switched Firewall-5600 (SFA-184)
Switched Firewall-Switched Firewall-5700 (SFA-185)
Switched Firewall-Switched Firewall-ASF-5024
Switched Firewall-Switched Firewall-ASF-5105
Switched Firewall-Switched Firewall-ASF-5112
Switched Firewall-Switched Firewall-ASF-5130
Switched Firewall-Switched Firewall-SF-5014
Switched Firewall-Switched Firewall-SF-5106
Switched Firewall-Switched Firewall-SF-5109
Switched Firewall-Switched Firewall-SF-5114
Switched Firewall-Switched Firewall-SF/VPN 5124
Switched Firewall-Switched Firewall-SFA-6400
Switched Firewall-Switched Firewall-SFA-6600
Threat Protection-TPS 2000-TPS 2050IS
Threat Protection-TPS 2000-TPS 2050TI
Threat Protection-TPS 2000-TPS 2070DC
Threat Protection-TPS 2000-TPS 2070IS
Threat Protection-TPS 2000-TPS 2070TI
Threat Protection-TPS 2000-TPS 2150IS
Threat Protection-TPS 2000-TPS 2170IS
USP (SS7 Signaling)-Signaling Server-BB-STP
USP (SS7 Signaling)-Signaling Gtwy Blade-Signaling Gateway Blade
VPN Gateway-VPN Gateway-VPN 3050
VPN Gateway-VPN Gateway-VPN 3070
VPN Router-2000-Contivity 2600
VPN Router-4000-Contivity 4500
VPN Router-4000-Contivity 4600
VPN Router-SSL VPN-SSL VPN Module 1000
VPN Router-1000-VPN Router 1010
VPN Router-1000-VPN Router 1050
VPN Router-1000-VPN Router 1100
VPN Router-1000-VPN Router 1700
VPN Router-1000-VPN Router 1740
VPN Router-1000-VPN Router 1750
VPN Router-200-VPN Router 221
VPN Router-200-VPN Router 251
VPN Router-2000-VPN Router 2700
VPN Router-5000-VPN Router 5000
VPN Router-600-VPN Router 600
WiMAX-Network Management-NMS 5100 Core Manager
To view the most recent version of this bulletin, access technical
documentation, search our knowledge base, or to contact a Technical Support
Representative, please visit Nortel Technical Support on the web at:
http://support.nortel.com/. You may also sign up to receive automatic email
alerts when new bulletins are published.
REFERENCE: CVE-2008-5077
PRE-REQUIRED PATCH:
PATCH ID:
Copyright 2007 Nortel Networks. All rights reserved. Information in this
document is subject to change without notice. Nortel assumes no responsibility
for any errors that may appear in this document. The information in this
document is proprietary to Nortel Networks.
Nortel recommends any maintenance activities, such as those outlined in this
bulletin, be completed during a local maintenance window.
Nortel, the Nortel logo, and the Globemark design are trademarks of Nortel
Networks. All other trademarks are the property of their respective owners.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJrK9gNVH5XJJInbgRAuuFAJ4inch3xq3RKXQUyLJE51oz4PE16QCeNYZ/
JM3OhYOO9KAHSVq0KQLFkks=
=S8X4
-----END PGP SIGNATURE-----