Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.2251
Multiple OpenSSL vulnerabilities
26 September 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: openssl
Publisher: FreeBSD
Operating System: FreeBSD
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-6306 CVE-2016-6304 CVE-2016-6303
CVE-2016-6302 CVE-2016-2182 CVE-2016-2181
CVE-2016-2180 CVE-2016-2179 CVE-2016-2178
CVE-2016-2177
Reference: ESB-2016.2238
Original Bulletin:
https://security.freebsd.org/advisories/FreeBSD-SA-16:26.openssl.asc
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-16:26.openssl Security Advisory
The FreeBSD Project
Topic: Multiple OpenSSL vulnerabilities
Category: contrib
Module: openssl
Announced: 2016-09-23
Credits: OpenSSL Project
Affects: All supported versions of FreeBSD.
Corrected: 2016-09-22 14:57:48 UTC (stable/11, 11.0-STABLE)
2016-09-22 15:55:27 UTC (releng/11.0, 11.0-RELEASE)
2016-09-22 15:05:38 UTC (stable/10, 10.3-STABLE)
2016-09-23 07:48:34 UTC (releng/10.3, 10.3-RELEASE-p8)
2016-09-23 07:48:34 UTC (releng/10.2, 10.2-RELEASE-p21)
2016-09-23 07:48:34 UTC (releng/10.1, 10.1-RELEASE-p38)
2016-09-23 07:44:10 UTC (stable/9, 9.3-STABLE)
2016-09-23 07:48:34 UTC (releng/9.3, 9.3-RELEASE-p46)
CVE Name: CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180,
CVE-2016-2181, CVE-2016-2182, CVE-2016-6302, CVE-2016-6303,
CVE-2016-6304, CVE-2016-6306
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. Problem Description
A malicious client can send an excessively large OCSP Status Request extension.
If that client continually requests renegotiation, sending a large OCSP Status
Request extension each time, then there will be unbounded memory growth on the
server. [CVE-2016-6304]
An overflow can occur in MDC2_Update() either if called directly or through
the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply
very large amounts of input data after a previous call to EVP_EncryptUpdate()
with a partial block then a length check can overflow resulting in a heap
corruption. [CVE-2016-6303]
If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
DoS attack where a malformed ticket will result in an OOB read which will
ultimately crash. [CVE-2016-6302]
The function BN_bn2dec() does not check the return value of BN_div_word().
This can cause an OOB write if an application uses this function with an
overly large BIGNUM. This could be a problem if an overly large certificate
or CRL is printed out from an untrusted source. TLS is not affected because
record limits will reject an oversized certificate before it is parsed.
[CVE-2016-2182]
The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
the total length the OID text representation would use and not the amount
of data written. This will result in OOB reads when large OIDs are presented.
[CVE-2016-2180]
Some calculations of limits in OpenSSL have used undefined pointer arithmetic.
This could cause problems with some malloc implementations. [CVE-2016-2177]
Operations in the DSA signing algorithm should run in constant time in order to
avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that
a non-constant time codepath is followed for certain operations. [CVE-2016-2178]
In a DTLS connection where handshake messages are delivered out-of-order those
messages that OpenSSL is not yet ready to process will be buffered for later
use. Under certain circumstances, a flaw in the logic means that those messages
do not get removed from the buffer even though the handshake has been completed.
An attacker could force up to approx. 15 messages to remain in the buffer when
they are no longer required. These messages will be cleared when the DTLS
connection is closed. The default maximum size for a message is 100k. Therefore
the attacker could force an additional 1500k to be consumed per connection.
[CVE-2016-2179]
A flaw in the DTLS replay attack protection mechanism means that records that
arrive for future epochs update the replay protection "window" before the MAC
for the record has been validated. This could be exploited by an attacker by
sending a record for the next epoch (which does not have to decrypt or have a
valid MAC), with a very large sequence number. This means that all subsequent
legitimate packets are dropped causing a denial of service for a specific
DTLS connection. [CVE-2016-2181]
In OpenSSL 1.0.2 and earlier some missing message length checks can result in
OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical
DoS risk but this has not been observed in practice on common platforms.
[CVE-2016-6306]
III. Impact
A remote attacker can cause OpenSSL server, regardless whether OCSP is supported,
to have unbounded memory growth, and eventually lead to a Denial of Service.
[CVE-2016-6304]
If an attacker is able to supply very large amounts of input data after a previous
call to EVP_EncryptUpdate() with a partial block then a length check can overflow
resulting in a heap corruption. [CVE-2016-6303]
An attacker who can send a malformed ticket to the server can cause an OOB read
which will ultimately lead to a crash, resulting in a Denial of Service.
[CVE-2016-6302]
A local attacker can cause an application that parses overly large certificate or
CRL to crash. TLS is not affected. [CVE-2016-2182]
A local attacker who can create a specially-crafted time stamp file and pass it
through the "ts" command of openssl(1) can cause it to crash. This functionality
is not used by the SSL/TLS implementation. [CVE-2016-2180]
Some OpenSSL code is questionable to integer overflow, which may lead to heap
corruption. [CVE-2016-2177]
An attacker may recover the private DSA key by conducting timing attack.
[CVE-2016-2178]
A remote attacker may cause a DTLS server to exhaust memory, resulting in a
Denial of Service. [CVE-2016-2179]
A remote attacker who can send DTLS records can cause the server to drop all
subsequent packets for a specific connection. [CVE-2016-2181]
A remote attacker can, in theory, cause OOB reads if the server enabled client
authentication. [CVE-2016-6306]
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart all daemons that use the library, or reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart all daemons that use the library, or reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.3]
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-10.3.patch
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-10.3.patch.asc
# gpg --verify openssl-10.3.patch.asc
[FreeBSD 10.1 and 10.2]
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-10.2.patch
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-10.2.patch.as
# gpg --verify openssl-10.2.patch.asc
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-9.3.patch.as
# gpg --verify openssl-9.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- - -------------------------------------------------------------------------
stable/9/ r306229
releng/9.3/ r206230
stable/10/ r306196
releng/10.1/ r206230
releng/10.2/ r206230
releng/10.3/ r206230
stable/11/ r306195
releng/11.0/ r306198
- - -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://www.openssl.org/news/secadv/20160922.txt>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2180>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2182>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6302>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6306>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:26.openssl.asc>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.13 (FreeBSD)
iQIcBAEBCgAGBQJX5N+CAAoJEO1n7NZdz2rnRZEP/2/fe1c3tLZZAPguwphI7NFK
DoGODy5Uj/pMdMv2ZvSJaNFKX5bo4ph2mCtA3rxFhFX4PEDaRoZc4BIlN470qdDe
soBV0mJEHC8r0z8cw6WYbh4wbd2yYy2x95LFi3g/04udctGQyxWmEzkzjzT8SqxU
EMoZYZuYQTvr8paQGiUizLu61AFDM2sZhU8yW4euxxiIREbFTO8rC7DMAk3mKfNk
Og1NN6uVK7+AgxZRJtfrKPftdwGPfKPQKgR731goAghQihThNNDvQ8OdDwj8Mlh1
KI8u+GaVKUTfgS2Ra9a291nEqV0EHZkY3zSpp4LeCY93gpFQeEhS5M/32oFheP4+
qNQZdvDzKVBKT1NTzgDbMN++56/h0FDa9NkIQbZI9TwkOTbLeGNMWtC46Ngza3tz
avlSxxckCwelvmZcjntU3MakdWQhIgMRFvOzVDgfL+erUi3kot0+kgiXq+cn0UEa
ZHOCJWIzAh/PJGPNOJl71Ji3qb6iUJx31HmVLxyoofbfKmNsg72/ROqUgBLCYO3s
kW77yMNYEBAzdxeep8oNwMat9bZbxnhvAbr2v934SIndLQ5FtDJ/OdiCq3oXMbyE
uLFTjqGaTur7z26bibT72l4OEy7Qkt5G1EqefxTGHpY0UQhjQQVFWjwbFYq9RT40
60v4DC15ArshCN6tuyWt
=8wR6
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV+hsUox+lLeg9Ub1AQj84w/9Gwai32SBLlLSoTktIxAWCEXA7ZagCxYv
C76RUhpZWZXGiacIOO6JlYsH3gJV0gZRBor/ynmWJDvdR+AvMurigvmg8id7+km0
Jcxm2r/t+E73miidF7sltND1W0HUtfgNpMrXN/eF2cRVtcEhMwBqME2jvDiTRi8a
n879xhExxtpaw3DndTEfeT8FPbXqLkQzCTgPfKaclb7kmLcsfx2RnMDwp7jri7kd
Sow2MCcqIGG4e/FGmOsEz4aeh0AU4UCbQa6FyEaBJIFULmzDAeW+F2IJpJCRTxC2
WvR6HiXFkUCaVI5JxPTfbyVUuW6KtTyH1ZMjc48ZfH5jOhPQtFygwEp7jd9XHYnv
E33EPnMr68phNnxoEMgwixsl90m7kgYqBTzq1oQSIpaI0Bsx9dm1VXoSqDBRi3Tn
6RImThM9fD9rpGNQQAttx8cDgFiYOxvFAfk3wauIVfzM/EbSNB+Ff/Hs7PhS/992
1BP4C1BNQzJssUEHBlcFQ/P4f76Hr6WlN0aC1Jud/Lp4iN8LBREksivmgPqlfbKX
fD4CaT8UjJ2+aXU/xq6Xf3eniGn2hj0tBIzJwRn5IoD3tKb1hDDnyHr/UQl66ASV
ie395hFHPvo60V43B6nDhBwiba6SAK5ONR+QPaBIzhrV46kx7f4pmDUUJWRj01X2
GTKSKf/Wlxs=
=mXYk
-----END PGP SIGNATURE-----