-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2009.0195 -- [Appliance]
Nortel Response to OpenSSL 'EVP_VerifyFinal' Function Signature Verification Vulnerability
3 March 2009

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           OpenSSL
Publisher:         Nortel
Operating System:  Network Appliance
Impact:            Provide Misleading Information
Access:            Remote/Unauthenticated
CVE Names:         CVE-2008-5077

Ref:               AA-2009.0029
                   ESB-2009.0009
                   ESB-2009.0017
                   ESB-2009.0020
                   ESB-2009.0038
                   ESB-2009.0110

Original Bulletin:
   http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=837653

- --------------------------BEGIN INCLUDED TEXT--------------------

Nortel Response to OpenSSL 'EVP_VerifyFinal' Function Signature Verification Vulnerability

BULLETIN ID: 2009009350, Rev 1
PUBLISHED:   2009-02-26
STATUS:      Active
REGION:      All
PRIORITY:    Critical
TYPE:        Security Advisory

Source:

1. OpenSSL 07-Jan-2009 - http://www.openssl.org/news/secadv_20090107.txt
2. CVE-2008-5077 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
3. Secunia SA33338 - http://secunia.com/advisories/33338/

Overview:

A vulnerability has been reported in OpenSSL, which can be exploited by malicious people to conduct spoofing attacks. Some Nortel products contain this software as a component and thus are potentially affected. This bulletin provides a multi-product consolidated response for the Nortel products which are potentially affected.

The vulnerability is caused due to certain OpenSSL functions not correctly verifying the return value of the "EVP_VerifyFinal()" function when validating the signature of DSA and ECDSA keys. This can be exploited to bypass the signature check, such as by sending a specially crafted signature of a certificate chain to a client.
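The return-value mistake described above, as an added example (not code from OpenSSL, Nortel or AusCERT). toy_verify_final is a hypothetical stand-in that models only the 1 / 0 / -1 return convention documented for EVP_VerifyFinal(); the flawed "!ret" caller is an illustration of the class of check, and the byte strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
typedef unsigned char u8;
/* Hypothetical stand-in (an assumption, not OpenSSL code). It models only the
 * return convention documented for EVP_VerifyFinal(): 1 = valid, 0 = invalid,
 * -1 = some other error. Toy encoding: sig[0] is a length prefix. */
static int toy_verify_final(const u8 *sig, size_t n, const u8 *want, size_t wn)
{
    if (n < 1 || (size_t)sig[0] != n - 1)
        return -1;                  /* malformed: cannot be decoded */
    if (n - 1 != wn || memcmp(sig + 1, want, wn) != 0)
        return 0;                   /* well-formed, does not match */
    return 1;
}

/* Flawed caller: "!ret" is true only for 0, so -1 falls through as success. */
int accept_flawed(const u8 *sig, size_t n, const u8 *want, size_t wn)
{
    if (!toy_verify_final(sig, n, want, wn))
        return 0;                   /* reject */
    return 1;                       /* accept, also reached when ret == -1 */
}

/* Hardened caller: anything other than an explicit 1 is a rejection. */
int accept_hardened(const u8 *sig, size_t n, const u8 *want, size_t wn)
{
    return toy_verify_final(sig, n, want, wn) == 1;
}

static const u8 WANT[]      = { 0xAA, 0xBB, 0xCC };    /* constructed samples */
static const u8 SIG_GOOD[]  = { 3, 0xAA, 0xBB, 0xCC };
static const u8 SIG_WRONG[] = { 3, 0xAA, 0xBB, 0xCD };
static const u8 SIG_MALF[]  = { 9, 0xAA };             /* length prefix is wrong */

static void show(const char *name, const u8 *sig, size_t n)
{
    printf("%-9s flawed=%d hardened=%d\n", name,
           accept_flawed(sig, n, WANT, sizeof WANT),
           accept_hardened(sig, n, WANT, sizeof WANT));
}

int main(void)
{
    show("valid", SIG_GOOD, sizeof SIG_GOOD);
    show("wrong", SIG_WRONG, sizeof SIG_WRONG);
    show("malformed", SIG_MALF, sizeof SIG_MALF);
    return 0;
}
```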

Successful exploitation requires that the server uses a certificate containing a DSA or ECDSA key.

Please refer to the vendor link for additional information - http://www.openssl.org/news/secadv_20090107.txt

This bulletin addresses the following CVE:

- - CVE-2008-5077 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077)
  OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.

Before taking any action please ensure that you are viewing the latest official version of this security advisory by referencing http://www.nortel.com/securityadvisories

Symptoms:

Please refer to the links provided in the Source section for additional information about the vulnerabilities addressed and the vendor fix. Please refer to the Resolution section for Nortel-specific recommendations.

Prevention:

Please refer to the links provided in the Source section for additional information about the vulnerabilities addressed and the vendor fix. Please refer to the Resolution section for Nortel-specific recommendations.

Mitigation:

Please refer to the links provided in the Source section for additional information about the vulnerabilities addressed and the vendor fix. Please refer to the Resolution section for Nortel-specific recommendations.

Risk:

Please refer to the links provided in the Overview section for additional information about the vulnerabilities addressed and the vendor fix. Please refer to the Resolution section for Nortel-specific recommendations.

Resolution:

1. The following products are potentially vulnerable to this issue in that, while there is no direct dependency with the Nortel product, the affected component is incorporated. Please refer to product-specific text below for instructions on how to proceed.

3rd-Party - Sun Platform-OAME

Carrier VoIP - MG 9000 .
The risk is low because:
a) We do not see DSA/ECDSA used in our system.
b) It's hard to attack this way (it requires specially crafted certificates, and root permission is required to inject them into the system).
Nortel does not recommend applying a fix at this time.

Self-Service - Media Processing Svr 500, Media Processing Svr 1000, Peri Application .
The following patches are under development and will be released as soon as possible:
- - PERIdist, dist2.0.0.55 (Windows only - prerequisite for both vxml and htmls)
- - PERIvxml, vxml2.3.0.61 (Solaris and Windows)
- - htmls2.0.0.19 (Solaris and Windows)
- - SUN vendor ssl patch for Solaris 10
The following patch is under test and will be released shortly:
- - openssh for Solaris 8 only (NPopenSSH version 5.1.p1)
Please request released patches through the normal channel for installation.

Switched Firewall - 5300 (SFA-AD3), 5400 (SFA-AD4), 5600 (SFA-184), 5700 (SFA-185), SF-5014, SFA-6400, SFA-6600 .
Fix is planned for release 4.2.5 due in June 2009.

VPN Gateway - 3050, 3070
VPN Router - SSL VPN Module 1000 .
The security exposure of a successful attack is high because confidential information is subject to exposure to the attacker. The risk of a successful implementation of the exploit is low due to the logistical difficulty in setting up an attack.
The following actions mitigate or address this vulnerability:
1. Security measures that prevent a potential attacker from modifying configuration in the VPN Gateway and intranet DNS servers.
2. Use of RSA key rather than DSA and ECDSA keys.
3. Upgrade VPN Gateway software to release V7.0.7.1 or V7.1.3
Release V7.0.7.1 is available by contacting Nortel customer support. Release V7.1.3 will be generally available in April 2009.

2. The following products are not vulnerable to this security issue. Please review the list below to see any additional product-specific comments.

ENSM - IP Address Manager

3. The following Nortel Generally Available products have not completed investigation to determine their vulnerability to the security issues. It is not recommended to apply the fix until Nortel's investigation is complete. This bulletin will be reissued if Nortel's investigation results in any change to this recommendation.

Carrier VoIP - IAD 1104S
CDMA - W-NMS-CNM, HA, PDSN FA
DMS - PSP-Switching
ENSM - IP Address Manager
Enterprise VoIP - TM-CS1000, CS 1000M Chassis/Cabinet, CS 1000S
Ethernet Rtng Switch 8661
Meridian Core - Option 11C - Cabinet, Option 11C - Chassis, Option 51C, Option 61C, Option 81C
Meridian SL100 - CS 2100, CS 2100-Compact
Multimedia Comm. - MCS5100, MCS5200
Multiservice Switch - MDM
Services Edge Router - SER Bootrom, iSOS
SSL Accelerator - SSL Acc 100, SSL Acc 310, SSL Acc 310 FIPS, SSL Acc 410
Switched Firewall - 5400 (SFA-AD4), ASF-5024, ASF-5105, ASF-5112, ASF-5130, SF-5106, SF-5109, SF-5114, SF/VPN 5124
Threat Protection - TPS 2050IS, TPS 2070DC, TPS 2070IS, TPS 2150IS, TPS 2170IS, TPS 2050TI, TPS 2070TI
USP - BB-STP, Signalling Gateway Blade
VPN Router - 221, 251, 1010, 1050, 1100, 1700, 1740, 1750, 2700, 5000
VPN Router - Contivity 2600, Contivity 4500, Contivity 4600
WiMAX - NMS 5100 Core Manager

For more information from Nortel:
Please contact your next level of support or visit http://www.nortel.com/contact for support numbers within your region.
Nortel security advisories: http://www.nortel.com/securityadvisories
Nortel Partner Information Center (PIC) website: http://www.nortel.com/pic

Attachments:
There are no attachments for this bulletin

Products and Releases:
The information in this bulletin is intended to be used with the following products and associated releases:

PRODUCT   RELEASE
3rd Party-Sun-Sun Platform-OAME
CDMA-Packet Core-HA
CDMA-Packet Core-PDSN FA
CDMA-Network Management-W-NMS-CNM
Carrier VoIP-IAD-IAD 1104S
Carrier VoIP-Media Gateways-MG 9000
DMS-Network Management-PSP-Switching
ENSM-IP Address Manager-IP Address Manager
Enterprise VoIP-Core-CS 1000M Chassis/Cabinet
Enterprise VoIP-Core-CS 1000S
Enterprise VoIP-Applications-TM-CS1000
Ethernet Rtng Switch-Ethrnt Rtng Swt 8600-Ethernet Rtng Switch 8661
Meridian-SL100-CS 2100
Meridian-SL100-CS 2100-Compact
Meridian-Core-Option 11C - Cabinet
Meridian-Core-Option 11C - Chassis
Meridian-Core-Option 51C
Meridian-Core-Option 61C
Meridian-Core-Option 81C
Multimedia Comm.-MCS5100-MCS5100
Multimedia Comm.-MCS5200-MCS5200
Multiservice Switch-Network Management-MDM
SSL Accelerator-SSL Accelerator-SSL Acc 100
SSL Accelerator-SSL Accelerator-SSL Acc 310
SSL Accelerator-SSL Accelerator-SSL Acc 310 FIPS
SSL Accelerator-SSL Accelerator-SSL Acc 410
Self-Service-Media Processing Svr-Media Processing Svr 1000
Self-Service-Media Processing Svr-Media Processing Svr 500
Self-Service-Self-Service-Peri Application
Services Edge Router-5500-SER Bootrom
Services Edge Router-5500-iSOS
Switched Firewall-Switched Firewall-5300 (SFA-AD3)
Switched Firewall-Switched Firewall-5400 (SFA-AD4)
Switched Firewall-Switched Firewall-5600 (SFA-184)
Switched Firewall-Switched Firewall-5700 (SFA-185)
Switched Firewall-Switched Firewall-ASF-5024
Switched Firewall-Switched Firewall-ASF-5105
Switched Firewall-Switched Firewall-ASF-5112
Switched Firewall-Switched Firewall-ASF-5130
Switched Firewall-Switched Firewall-SF-5014
Switched Firewall-Switched Firewall-SF-5106
Switched Firewall-Switched Firewall-SF-5109
Switched Firewall-Switched Firewall-SF-5114
Switched Firewall-Switched Firewall-SF/VPN 5124
Switched Firewall-Switched Firewall-SFA-6400
Switched Firewall-Switched Firewall-SFA-6600
Threat Protection-TPS 2000-TPS 2050IS
Threat Protection-TPS 2000-TPS 2050TI
Threat Protection-TPS 2000-TPS 2070DC
Threat Protection-TPS 2000-TPS 2070IS
Threat Protection-TPS 2000-TPS 2070TI
Threat Protection-TPS 2000-TPS 2150IS
Threat Protection-TPS 2000-TPS 2170IS
USP (SS7 Signaling)-Signaling Server-BB-STP
USP (SS7 Signaling)-Signaling Gtwy Blade-Signaling Gateway Blade
VPN Gateway-VPN Gateway-VPN 3050
VPN Gateway-VPN Gateway-VPN 3070
VPN Router-2000-Contivity 2600
VPN Router-4000-Contivity 4500
VPN Router-4000-Contivity 4600
VPN Router-SSL VPN-SSL VPN Module 1000
VPN Router-1000-VPN Router 1010
VPN Router-1000-VPN Router 1050
VPN Router-1000-VPN Router 1100
VPN Router-1000-VPN Router 1700
VPN Router-1000-VPN Router 1740
VPN Router-1000-VPN Router 1750
VPN Router-200-VPN Router 221
VPN Router-200-VPN Router 251
VPN Router-2000-VPN Router 2700
VPN Router-5000-VPN Router 5000
VPN Router-600-VPN Router 600
WiMAX-Network Management-NMS 5100 Core Manager

To view the most recent version of this bulletin, access technical documentation, search our knowledge base, or to contact a Technical Support Representative, please visit Nortel Technical Support on the web at: http://support.nortel.com/. You may also sign up to receive automatic email alerts when new bulletins are published.

REFERENCE: CVE-2008-5077
PRE-REQUIRED PATCH:
PATCH ID:

Copyright 2007 Nortel Networks. All rights reserved. Information in this document is subject to change without notice. Nortel assumes no responsibility for any errors that may appear in this document. The information in this document is proprietary to Nortel Networks.

Nortel recommends any maintenance activities, such as those outlined in this bulletin, be completed during a local maintenance window.

Nortel, the Nortel logo, and the Globemark design are trademarks of Nortel Networks. All other trademarks are the property of their respective owners.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFJrK9gNVH5XJJInbgRAuuFAJ4inch3xq3RKXQUyLJE51oz4PE16QCeNYZ/
JM3OhYOO9KAHSVq0KQLFkks=
=S8X4
-----END PGP SIGNATURE-----