Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.0951
Multiple OpenSSL vulnerabilities
11 June 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenSSL
Publisher: NetBSD
Operating System: NetBSD
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Privileged Data -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-3470 CVE-2014-0224 CVE-2014-0221
CVE-2014-0198 CVE-2014-0195 CVE-2014-0076
CVE-2010-5298
Reference: ESB-2014.0946
ESB-2014.0932
ESB-2014.0887
Original Bulletin:
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-006.txt.asc
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2014-006
=================================
Topic: Multiple OpenSSL vulnerabilities
Version: NetBSD-current: June 5th, 2014
NetBSD 6.1 - 6.1.4: affected
NetBSD 6.0 - 6.0.5: affected
NetBSD 5.1 - 5.1.4: affected
NetBSD 5.2 - 5.2.2: affected
Severity: MitM, Remote Code Execution, Remote DoS
Fixed: NetBSD-current: June 5th, 2014
NetBSD-6-0 branch: June 6th, 2014
NetBSD-6-1 branch: June 6th, 2014
NetBSD-6 branch: June 6th, 2014
NetBSD-5-2 branch: June 6th, 2014
NetBSD-5-1 branch: June 6th, 2014
NetBSD-5 branch: June 6th, 2014
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
SSL/TLS MITM vulnerability (CVE-2014-0224)
DTLS recursion flaw (CVE-2014-0221)
DTLS invalid fragment vulnerability (CVE-2014-0195)
Anonymous ECDH denial of service (CVE-2014-3470)
only in NetBSD-6 and NetBSD-current:
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
only in NetBSD-5 (previously fixed in NetBSD-6 and NetBSD-current):
Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache
Side-channel Attack (CVE-2014-0076)
Technical Details
=================
See http://www.openssl.org/news/secadv_20140605.txt
Solutions and Workarounds
=========================
Update the OpenSSL libraries and make sure the old libssl and libcrypto
are no longer used.
- - From source:
- - ------------
Update src and rebuild and install.
Note: OpenSSL in NetBSD-6 and NetBSD-current has been updated to
version 1.0.1h; updating the entire src tree is recommended.
- - From tarballs:
- - --------------
The NetBSD build cluster is currently undergoing hardware maintenance;
it may be a while before builds run again.
To obtain fixed binaries, fetch the appropriate base.tgz and comp.tgz
from a daily build later than the fix dates, from
http://nyftp.netbsd.org/pub/NetBSD-daily/<rel>/<date>/<arch>/binary/sets/
with a date 20140607* or larger, and your release version and architecture
(e.g. http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/201406070100Z/amd64/binary/sets/),
and then extract the files:
Shared libraries:
tar xzpf base.tgz \*libssl\* \*libcrypto\*
And static libraries and linker config files:
tar xzpf comp.tgz \*libssl\* \*libcrypto\*
Get the fixed library into use
- - ------------------------------
Since the vulnerability is in a shared library, getting the old
library purged and the fixed one into use requires restarting
all programs that load libssl and libcrypto.
The easiest way to do this is to reboot the system.
Another method: using /bin/sh,
ps ax -o pid | (while read pid; do \
pmap $pid | egrep '(libssl|libcrypto)' && echo found $pid ;\
done)
will find non-chrooted programs that have the affected libraries open;
restart them. sshd will not show up in this list since it runs chrooted
and re-exec'ed but also needs to be restartet.
ldd <programname> will show the shared libraries a programs is wont to use.
Lastly, remove the vulnerable library to make sure it won't get used
accidentially:
rm /usr/lib/libssl.so.10.0
Fixed versions
- - --------------
files relative to src/crypto/external/bsd/openssl/dist/ssl
branch d1_both.c s3_clnt.c s3_pkt.c s3_srvr.c ssl3.h
- - ---------- --------------- ----------- ----------- ------------ ----------
netbsd-6-0 1.1.1.4.4.1.4.2 1.4.4.1.4.2 1.9.4.1.4.2 1.10.2.1.4.2 1.2.2.1.4.2
netbsd-6-1 1.1.1.4.4.1.6.2 1.4.4.1.6.2 1.9.4.1.6.2 1.10.2.1.6.2 1.2.2.1.6.2
netbsd-6 1.1.1.4.4.3 1.4.4.3 1.9.4.3 1.10.2.3 1.2.2.3
HEAD 1.1.1.8 1.9 1.16 1.16 1.6
files relative to crypto/dist/openssl/ssl
branch d1_both.c s3_clnt.c s3_pkt.c s3_srvr.c ssl3.h
- - ---------- ----------- ------------ ----------- ------------ --------
netbsd-5-1 1.3.4.2.2.1 1.12.4.2.2.2 1.9.4.3.2.1 1.15.4.3.2.2 1.8.12.1
netbsd-5-2 1.3.4.2.6.1 1.12.4.3.4.1 1.9.4.3.6.1 1.15.4.4.4.1 1.8.2.1
netbsd-5 1.3.4.3 1.12.4.4 1.9.4.4 1.15.4.5 1.8.4.1
files relative to crypto/dist/openssl/crypto
branch bn/bn.h bn/bn_lib.c ec/ec2_mult.c
- - ---------- --------- ----------- -------------
netbsd-5-1 1.12.12.1 1.7.12.1 1.1.1.2.12.1
netbsd-5-2 1.12.2.1 1.7.2.1 1.1.1.2.2.1
netbsd-5 1.12.4.1 1.7.4.1 1.1.1.2.4.1
Thanks To
=========
The OpenSSL team acknowledges:
KIKUCHI Masashi (Lepidum Co. Ltd.) for CVE-2014-0224
Imre Rad (Search-Lab Ltd.) for CVE-2014-0221
Jüri Aedla for CVE-2014-0195
Felix Gröbert and Ivan Fratrić at Google for CVE-2014-3470
Yuval Yarom and Naomi Benger for CVE-2014-0076
for discovering the vulnerabilities, and
Stephen Henson and Matt Caswell of OpenSSL and KIKUCHI Masashi
for developing fixes.
Revision History
================
2014-06-09 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-006.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-006.txt,v 1.1 2014/06/09 19:22:28 tonnerre Exp $
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJTlgmUAAoJEAZJc6xMSnBuHz4P/ix8hrL9dyP5IJ8pT6d8px2t
g0xSUljKZyacOsnL2YpyI54iNr3fgnGfxETPh/XERFN09GBgH+MdCZtbDaMie3Ao
qhVw7Ti5cb/ONWogvjU3UPNxeVSQnKN0+8R0QGRXjk410R04g/O/bckcB8syO12B
RGuSXma0HUGqcPDogNFhf0dQTNrYR7NnFUTCYoIarpKRhYinaW2N0FNPudg64dK+
RB5BPWf6iXEXzuRcWb/v4DV2dglcm1sFlWkdVZAjX7qphuC8EJOznBR6ez58A0Cp
FRNN5+dp1+vMlOa9kFzQbhjfffjyb7vfU58zkhFZF32b09+G6HoI7iOQKDEcVLwY
0Da/NjP1GfbWpnnxw4TXnSkBb7CzcnN0dakLAElmR1yOipeMzEFTpcnlO6+ou3J5
irUIrqptNA72b2+rZywN3hMgfh8SOdS52DG1Z76yNgrQnOyI+wcA/d3f0zfryHmW
Lu4QpVDMjYpA9cOJwgpXsMNQnSJ+xMqNycH9Vmh4yb/uKoqRv4G0ZX0bViBg7Upy
kwpvOfV4pwEEvW9G0NW5RyZn7NofP9lS/n8D0qHDedADX2XiRzkoYbwTOfVwnPLD
OXGPvzlGRwnDTJ82FiPrGYhjA3z3TIeWgKDmSsLZEGIt3yz6M5OsXS0uaLfgFsWT
kQe4afyjahOlobv1XOMo
=0t7m
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU5fwpBLndAQH1ShLAQIeIg/+K2a8v7f1uz74LRYGI+VlfAKpIBahtG4I
MM7vYrNUCsbKlFUo5h8j113IzYoJ2+eptNc4hQtxCloaBgTqgJ7VjYUC5bJBSd4R
oCCqBs+kQ7fR4OmJK4oD7ihGyPx84KNGVHsVzVziPkGBzdX9ri//iIuJNP5zLp2D
xLkkbbwZGiWPUnSeu98x+PZso1bcQkkjcPh5zUtdp+4RheqYkvfcCLp81ukKxyj7
UV38+YNI2yCQR+SPj/SayigOspsGSSf60zt0Ua2tgXVORF/GkJHezZYlW57pAsed
zCUu5gISSyxPDIXiEj8lPwadBoibpQ/+Ac3zPwArgfomRnuUqNtXFMgfzpj8FsBU
VdExikcDQJyxn4ExtAo9PiAITX1WZJQ74ABrxHtWvgXEHAc5mEZlxQvBaJ/L3bxl
DmdePj7OE1Xp/R+qMCTCJgrmFkD5dlm7pjUaVhds067UZ/XwfBlngdBDl/ZCw/Dl
TEH/6R/exKiqNNO6z+MkPm3l4bOdPNAZLIFS31kWIZXAO2jnXgLWPV/SWpF+m6uw
lKNAZnCEpM150ZV59yxuPdWpxmZlVESzRZ91DEz6KnIuX9Omz6s4W/DBuRjilims
0ouw6xZBJ1yL+vjRD4pve4dTeIcL0zSioJPDlXYivhnZ1vm2W8coNg7dnoHgAUco
GzrMIqyh5tI=
=kUzs
-----END PGP SIGNATURE-----