Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2012.0732 Multiple OpenSSL vulnerabilities 3 August 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: OpenSSL Publisher: IBM Operating System: AIX VIOS Impact/Access: Denial of Service -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2012-2333 CVE-2012-2131 CVE-2012-2110 CVE-2012-1165 CVE-2012-0884 CVE-2006-7250 Reference: ESB-2012.0480 ESB-2012.0467 ESB-2012.0388 ESB-2012.0269 Original Bulletin: http://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 IBM SECURITY ADVISORY First Issued: Wed Aug 1 09:25:58 CDT 2012 The most recent version of this document is available here: http://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc or ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc VULNERABILITY SUMMARY VULNERABILITY: Multiple OpenSSL vulnerabilities PLATFORMS: AIX 5.3, 6.1, 7.1, and earlier releases VIOS 2.X SOLUTION: Apply the fix as described below. THREAT: See below CVE Numbers: CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 CVE-2012-2333 DETAILED INFORMATION I. DESCRIPTION ( From cve.mitre.org) CVE-2012-0884 The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack. CVE-2012-1165 The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250. CVE-2012-2110 The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. CVE-2012-2131 Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110. CVE-2012-2333 Integer underflow in OpenSSL when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation. Please see the following for more information: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1165 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2131 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2333 II. PLATFORM VULNERABILITY ASSESSMENT To determine if your system is vulnerable, execute the following command: lslpp -L openssl.base On VIO Server: oem_setup_env lslpp -L openssl.base The following fileset levels are vulnerable: AIX 7.1, 6.1, 5.3: all versions less than or equal 0.9.8.1801 AIX 7.1, 6.1, 5.3: FIPS capable versions less than or equal 12.9.8.1801 VIOS 2.X: all versions less than or equal 0.9.8.1801 IMPORTANT: If AIX OpenSSH is in use, it must be updated to version OpenSSH 5.0 or later, depending on the OpenSSL version according to following compatibility matrix: AIX OpenSSL OpenSSH ------------------------------------------------------------------ 5.3,6.1,7.1 OpenSSL 0.9.8.18xx OpenSSH 5.8.0.61xx 5.3,6.1,7.1 OpenSSL-fips 12.9.8.18xx OpenSSH 5.8.0.61xx VIOS OpenSSL OpenSSH ------------------------------------------------------------------ 2.X OpenSSL 0.9.8.18xx OpenSSH 5.8.0.61xx AIX OpenSSH can be downloaded from: OpenSSH 5.0: http://sourceforge.net/projects/openssh-aix OpenSSH 5.8.0.61xx https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp III. FIXES A fix is available, and it can be downloaded from: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp To extract the fixes from the tar file: zcat openssl-0.9.8.1802.tar.Z | tar xvf - or zcat openssl-fips-12.9.8.1802.tar.Z | tar xvf - IMPORTANT: If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding. To preview the fix installation: installp -apYd . openssl To install the fix package: installp -aXYd . openssl IV. WORKAROUNDS There are no workarounds. V. CONTACT INFORMATION If you would like to receive AIX Security Advisories via email, please visit: http://www.ibm.com/systems/support and click on the "My notifications" link. To view previously issued advisories, please visit: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd Comments regarding the content of this announcement can be directed to: security-alert@austin.ibm.com To obtain the PGP public key that can be used to communicate securely with the AIX Security Team you can either: A. Send an email with "get key" in the subject line to: security-alert@austin.ibm.com B. Download the key from our web page: http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt C. Download the key from a PGP Public Key Server. The key ID is: 0x28BFAA12 Please contact your local IBM AIX support center for any assistance. eServer is a trademark of International Business Machines Corporation. IBM, AIX and pSeries are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (AIX) iD8DBQFQGUgw4fmd+Ci/qhIRAntWAJ91cc2j3KRo7dyf2pJvO5PQQWnFhgCglCr7 BZQ4mgB+gDWQiy3UZujbZH4= =3+Iy - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUBtCHe4yVqjM2NGpAQJ4hQ//dIRIBTPmi/Jr4BmBUl72a5eDSc/LTmQ0 e1QZ8nJqpr8KlHP1lv34Wdz67yfLzoRBR4oUXtcDM5ibTX+5xgfpaqdIdlwD8qGr Ytic7NMB230KYeUXchM5zxBfnCTkGKEk4h4yNgbPayhzSd82rqB8O2pIPk0Opgb+ SEgXOYrYYHbdi8xDam14lbZEGbQbOBpCY05nyc/Qxb+6CgYMPGoSwanajqSqRnIR iBwqS31x4wWvb6D3/Hhl+xwnm/2PwGnLPErc3gGgXS0w2d3fGhe+suoZ298Pf/N3 cgOgVUhYJUVIA/VIvWrAxviNVyRDiPRCHoD7wqbdRgcNwgHFOEwqaWiniCWvqvQG IAnouXz/r88Q2/hHsetvEwRunB9PTGvElZp2lZRPlpZK2DNcES8laYfoOXmc5slo BX4B4KqD1W8at39vEHy4kELOHL99TzqDHNP6dhoxMahAIb/lvN4dI1WImo1ZgI3l 7GRRidR+udiAIty4yfnAtNdhdAHZSX+F5P38yUBeR1zP52xy+g68IVOhqoIrGXvA g57BnGJkDgV0g58kmFGYswKKX4YNxZnBVneyiP1+iao8asNlWmE29kyYk42uTM62 mKOxUtZGOi1R2LQuUhXmDvZPrdCkqKrjOAbQbs/PwFpk/nhFh/eb1IZ7Zc3XkgCT rTAjt/7oBlE= =csg1 -----END PGP SIGNATURE-----