More OpenSSL security fixes

BoerenkoolMetWorst · Aug 7, 2014

And here we go again:

OpenSSL 0.9.8 users should upgrade to 0.9.8.zb
OpenSSL 1.0.0 users should upgrade to 1.0.0n.
OpenSSL 1.0.1 users should upgrade to 1.0.1i.

OpenSSL Security Advisory [6 Aug 2014]
========================================

Information leak in pretty printing functions (CVE-2014-350
=============================================================

A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information from the
stack. Applications may be affected if they echo pretty printing output to the
attacker. OpenSSL SSL/TLS clients and servers themselves are not affected.

OpenSSL 0.9.8 users should upgrade to 0.9.8zb
OpenSSL 1.0.0 users should upgrade to 1.0.0n.
OpenSSL 1.0.1 users should upgrade to 1.0.1i.

Thanks to Ivan Fratric (Google) for discovering this issue. This issue
was reported to OpenSSL on 19th June 2014.

The fix was developed by Emilia Käsper and Stephen Henson of the OpenSSL
development team.

Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
==================================================================

The issue affects OpenSSL clients and allows a malicious server to crash
the client with a null pointer dereference (read) by specifying an SRP
ciphersuite even though it was not properly negotiated with the client. This can
be exploited through a Denial of Service attack.

OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i.

Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for discovering and
researching this issue. This issue was reported to OpenSSL on 2nd July 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.

Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
==============================================================

If a multithreaded client connects to a malicious server using a resumed session
and the server sends an ec point format extension it could write up to 255 bytes
to freed memory.

OpenSSL 1.0.0 SSL/TLS client users should upgrade to 1.0.0n.
OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i.

Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
issue. This issue was reported to OpenSSL on 8th July 2014.

The fix was developed by Gabor Tyukasz.

Double Free when processing DTLS packets (CVE-2014-3505)
========================================================

An attacker can force an error condition which causes openssl to crash whilst
processing DTLS packets due to memory being freed twice. This can be exploited
through a Denial of Service attack.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i.

Thanks to Adam Langley and Wan-Teh Chang (Google) for discovering and
researching this issue. This issue was reported to OpenSSL on 6th June
2014.

The fix was developed by Adam Langley.

DTLS memory exhaustion (CVE-2014-3506)
======================================

An attacker can force openssl to consume large amounts of memory whilst
processing DTLS handshake messages. This can be exploited through a Denial of
Service attack.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i.

Thanks to Adam Langley (Google) for discovering and researching this
issue. This issue was reported to OpenSSL on 6th June 2014.

The fix was developed by Adam Langley.

DTLS memory leak from zero-length fragments (CVE-2014-3507)
===========================================================

By sending carefully crafted DTLS packets an attacker could cause openssl to
leak memory. This can be exploited through a Denial of Service attack.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i.

Thanks to Adam Langley (Google) for discovering and researching this
issue. This issue was reported to OpenSSL on 6th June 2014.

The fix was developed by Adam Langley.

OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
===============================================================

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a
denial of service attack. A malicious server can crash the client with a null
pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and
sending carefully crafted handshake messages.

OpenSSL 0.9.8 DTLS client users should upgrade to 0.9.8zb
OpenSSL 1.0.0 DTLS client users should upgrade to 1.0.0n.
OpenSSL 1.0.1 DTLS client users should upgrade to 1.0.1i.

Thanks to Felix Gröbert (Google) for discovering and researching this issue.
This issue was reported to OpenSSL on 18th July 2014.

The fix was developed by Emilia Käsper of the OpenSSL development team.

OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
=====================================================

A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message is
badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a higher
protocol version, by modifying the client's TLS records.

OpenSSL 1.0.1 SSL/TLS server users should upgrade to 1.0.1i.

Thanks to David Benjamin and Adam Langley (Google) for discovering and
researching this issue. This issue was reported to OpenSSL on 21st July 2014.

The fix was developed by David Benjamin.

SRP buffer overrun (CVE-2014-3512)
==================================

A malicious client or server can send invalid SRP parameters and overrun
an internal buffer. Only applications which are explicitly set up for SRP
use are affected.

OpenSSL 1.0.1 SSL/TLS users should upgrade to 1.0.1i.

Thanks to Sean Devlin and Watson Ladd (Cryptography Services, NCC
Group) for discovering this issue. This issue was reported to OpenSSL
on 31st July 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20140806.txt

Note: the online version of the advisory may be updated with additional
details over time.
Click to expand...

https://www.openssl.org/news/secadv_20140806.txt

BoerenkoolMetWorst · Aug 7, 2014

New OpenVPN for Windows installers available with updated bundled OpenSSL:
http://openvpn.net/index.php/download/community-downloads.html

ronjor · Jan 8, 2015

Open SSL - 08-Jan-2015: Security Advisory: eight security fixes
Click to expand...

https://www.openssl.org/news/

ronjor · Jul 6, 2015

OpenSSL Preparing Updates to Patch High Severity Vulnerability

By Eduard Kovacs on July 06, 2015

OpenSSL versions 1.0.2d and 1.0.1p will be released later this week to address a serious security bug, the OpenSSL Project Team announced on Monday.
Click to expand...

http://www.securityweek.com/openssl-preparing-updates-patch-high-severity-vulnerability

RockLobster · Jul 6, 2015

I'd like to know why firefox (who claim our security and privacy is a priorty, *cough* * cough*) doesn't support the stronger cipher suites that opensll does.

elapsed · Jul 7, 2015

RockLobster said: ↑

I'd like to know why firefox (who claim our security and privacy is a priorty, *cough* * cough*) doesn't support the stronger cipher suites that opensll does.
Click to expand...

Different project, different team, different work pace.

Which ones are missing by the way?

RockLobster · Jul 9, 2015

elapsed said: ↑

Different project, different team, different work pace.

Which ones are missing by the way?
Click to expand...

Firefox uses openssl so surely the same ciphers should be in it ?
Forefox only supports two of the TLSv1.2 cipher suites. Most of the firefox cipher suites are SSLv3

The two TLSv1.2 suites Firefox supports are;
security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256
security.ssl3.ecdhe_rsa_aes_128_gcm_sha256

The ones missing are all the strongest TLS v1.2 ciphers. At least some of which meet the NSA suite B cryptography standard.

openssl ciphers -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384

ronjor · Jul 9, 2015

OpenSSL Security Advisory [9 Jul 2015]
=======================================

Alternative chains certificate forgery (CVE-2015-1793)
======================================================

Severity: High

During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a valid
leaf certificate to act as a CA and "issue" an invalid certificate.
Click to expand...

https://www.openssl.org/news/secadv_20150709.txt

summerheat · Jul 9, 2015

RockLobster said: ↑

Most of the firefox cipher suites are SSLv3
Click to expand...

I'm not an expert but I think that's incorrect. The removal of SSLv3 support was announced in Oct. 2014 for v. 34. I'm not sure, though, if that removal was delayed as the releasenotes for v. 39 says:

Removed support for insecure SSLv3 for network communications
Click to expand...

And regarding those security.ssl3... entries in about:config Daniel Veditz wrote:

Those preferences are badly named, or perhaps it would be more accurate to say they are “historically” named. Since only programmers were expected to see those internal names no one bothered to change all the names from security.ssl3. to security.tls.. Those preferences control which ciphersuites are enabled for both SSLv3 and TLS, and if you turn them all off then you will not be able to connect to any TLS servers.
Click to expand...

BoerenkoolMetWorst · Jul 9, 2015

Firefox uses NSS, not OpenSSL
The 256 bit AES-GCM ciphers are indeed still missing. Firefox only supports 128 bit AES-GCM with ECDHE_ECDSA and ECDHE_RSA. Chrome(also uses NSS) does support those, but also only 128 bit.
They chose not to support plain RSA because it lacks Forward Secrecy and DHE_RSA because a lot of servers are configured with only 1024 bit, though more are switching to 2048 after Logjam.
I would encourage people to vote here on adding 256 bit AES-GCM to Firefox.
https://bugzilla.mozilla.org/show_bug.cgi?id=975832
https://bugzilla.mozilla.org/show_bug.cgi?id=923089
https://bugzilla.mozilla.org/show_bug.cgi?id=973755

Btw, @summerheat is correct on the SSLv3.

RockLobster · Jul 9, 2015

summerheat said: ↑

I'm not an expert but I think that's incorrect. The removal of SSLv3 support was announced in Oct. 2014 for v. 34. I'm not sure, though, if that removal was delayed as the releasenotes for v. 39 says:

And regarding those security.ssl3... entries in about:config Daniel Veditz wrote:
Click to expand...

Well there is a distinction to be made between the protocol version and the cipher suites.
The cipher suites I marked as TLSv1.2 cipher suites are only compatible with TLSv1.2
TLS is backwards compatible with the SSL cipher suites so the cipher suites from SSLv3 work with TLS.
Although the Firefox devs implemented TLSv1.2 some time ago they only implemented two of the new TLSv1.2 ciphers the rest of them are all legacy ciphers from SSLv3 and I do not see any legitimate reason for this.

I know the preferences in firefox are named SSL regardless of the protocol but the firefox config naming policy is not what I was referring to.

RockLobster · Jul 9, 2015

BoerenkoolMetWorst said: ↑

Firefox uses NSS, not OpenSSL
Click to expand...

Ahhh that explains a lot. NSS is owned by Mozilla...

BoerenkoolMetWorst · Jul 10, 2015

RockLobster said: ↑

Although the Firefox devs implemented TLSv1.2 some time ago they only implemented two of the new TLSv1.2 ciphers the rest of them are all legacy ciphers from SSLv3 and I do not see any legitimate reason for this.
Click to expand...

Yes, I agree with that. Though most the rest of the ciphers are not from SSLv3, but TLSv1.0 and extensions for TLSv1.0.

ronjor · Nov 30, 2015

OpenSSL to Patch Several Vulnerabilities
By Eduard Kovacs on November 30, 2015

OpenSSL updates scheduled for release on December 3 will address several vulnerabilities, the OpenSSL Project announced on Monday.
Click to expand...

http://www.securityweek.com/openssl-patch-several-vulnerabilities

ronjor · Dec 3, 2015

OpenSSL Patches Moderate Severity Vulnerabilities
By Eduard Kovacs on December 03, 2015

The OpenSSL Project has once again reminded users that these will likely be the last updates for OpenSSL 1.0.0 and 0.9.8 as these versions will no longer be supported starting with January 1, 2016.
Click to expand...

http://www.securityweek.com/openssl-patches-moderate-severity-vulnerabilities

ronjor · Jan 25, 2016

OpenSSL to Patch High Severity Vulnerability
By Eduard Kovacs on January 25, 2016

The OpenSSL Project announced today that upcoming releases of the cryptographic software library will address two security flaws.
Click to expand...

lotuseclat79 · Jan 29, 2016

High-severity bug in OpenSSL allows attackers to decrypt HTTPS traffic.

OpenSSL maintainers release update that fixes key-recovery bug. Patch now.
Click to expand...

-- Tom

ronjor · Feb 25, 2016

OpenSSL Preparing Patches for High Severity Flaws
By Eduard Kovacs on February 25, 2016

The OpenSSL Project announced today that it will release versions 1.0.2g and 1.0.1s to patch several vulnerabilities, including ones rated “high severity.”
The updates are scheduled for release on March 1 between 1pm and 5pm UTC, OpenSSL developers informed users.
Click to expand...

ronjor · Mar 1, 2016

OpenSSL Security Advisory [1st March 2016]
=========================================

NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as
well as removing SSLv2 EXPORT ciphers. We strongly advise against the use of
SSLv2 due not only to the issues described below, but to the other known
deficiencies in the protocol as described at
https://tools.ietf.org/html/rfc6176
Click to expand...

https://www.openssl.org/news/secadv/20160301.txt

Palancar · Mar 1, 2016

Yep, I noticed Debian fired out some of the ssl stuff today on my VM's.

ronjor · Apr 28, 2016

OpenSSL to Patch High Severity Vulnerabilities
By Eduard Kovacs on April 28, 2016 The OpenSSL Project announced on Thursday that it’s preparing patches for several vulnerabilities affecting the crypto library.
Click to expand...

ronjor · May 3, 2016

OpenSSL Patches Two High-Severity Vulnerabilities
by Michael Mimoso Follow @mike_mimoso May 3, 2016 , 12:17 pm

The latest batch of OpenSSL security patches were released today, with a pair of high-severity flaws and four low-severity issues addressed in OpenSSL 1.0.1t and OpenSSL 1.0.2h.
Click to expand...

https://threatpost.com/openssl-patches-two-high-severity-vulnerabilities/117792/

ronjor · May 31, 2016

Recently Patched OpenSSL Flaw Still Plagues Top Sites
By Eduard Kovacs on May 30, 2016

An OpenSSL vulnerability patched in early May with the release of versions 1.0.2h and 1.0.1t still hasn’t been patched on many of the world’s most visited websites, exposing potentially sensitive traffic to man-in-the-middle (MitM) attacks.
Click to expand...

http://www.securityweek.com/recently-patched-openssl-flaw-still-plagues-top-sites

itman · May 31, 2016

Guess people will just have to start using QUALS SSL Server test: https://dev.ssllabs.com/ssltest/ whenever they want to perform e-commerce activities with a web site.

I personally just using the tried and true phone connection more and more for my retail activities.

haakon · May 31, 2016

itman said: ↑

QUALS SSL Server test
Click to expand...

Yeah, that's great tool. Some results are absolutely horrific in this day and age.

I went back to paper for one of my credit cards last year when their support failed to respond to my emails about their using decade-old ciphers and authentication. I've used the card for almost 35 years, so I didn't want to dump 'em altogether.

FYI for all: this is a really useful extension for Mozilla browsers.
https://github.com/sibiantony/ssleuth

Log in or Sign up

More OpenSSL security fixes

BoerenkoolMetWorst Registered Member

BoerenkoolMetWorst Registered Member

ronjor Global Moderator

ronjor Global Moderator

RockLobster Registered Member

elapsed Registered Member

RockLobster Registered Member

ronjor Global Moderator

summerheat Registered Member

BoerenkoolMetWorst Registered Member

RockLobster Registered Member

RockLobster Registered Member

BoerenkoolMetWorst Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

lotuseclat79 Registered Member

ronjor Global Moderator

ronjor Global Moderator

Palancar Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

itman Registered Member

haakon Guest

Log in or Sign up

More OpenSSL security fixes

BoerenkoolMetWorst Registered Member

BoerenkoolMetWorst Registered Member

ronjor Global Moderator

ronjor Global Moderator

RockLobster Registered Member

elapsed Registered Member

RockLobster Registered Member

ronjor Global Moderator

summerheat Registered Member

BoerenkoolMetWorst Registered Member

RockLobster Registered Member

RockLobster Registered Member

BoerenkoolMetWorst Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

lotuseclat79 Registered Member

ronjor Global Moderator

ronjor Global Moderator

Palancar Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

itman Registered Member

haakon Guest

Useful Searches