269 lines
11 KiB
Text
269 lines
11 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-16:26.openssl Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Multiple OpenSSL vulnerabilities
|
|
|
|
Category: contrib
|
|
Module: openssl
|
|
Announced: 2016-09-23; revised on 2016-09-26
|
|
Credits: OpenSSL Project
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2016-09-22 14:57:48 UTC (stable/11, 11.0-STABLE)
|
|
2016-09-22 15:55:27 UTC (releng/11.0, 11.0-RELEASE)
|
|
2016-09-22 15:05:38 UTC (stable/10, 10.3-STABLE)
|
|
2016-09-26 08:21:29 UTC (releng/10.3, 10.3-RELEASE-p9)
|
|
2016-09-26 08:21:29 UTC (releng/10.2, 10.2-RELEASE-p22)
|
|
2016-09-26 08:21:29 UTC (releng/10.1, 10.1-RELEASE-p39)
|
|
2016-09-26 08:19:33 UTC (stable/9, 9.3-STABLE)
|
|
2016-09-26 08:21:29 UTC (releng/9.3, 9.3-RELEASE-p47)
|
|
CVE Name: CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180,
|
|
CVE-2016-2181, CVE-2016-2182, CVE-2016-6302, CVE-2016-6303,
|
|
CVE-2016-6304, CVE-2016-6306
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
0. Revision history
|
|
|
|
v1.0 2016-09-23 Initial release.
|
|
v1.1 2016-09-26 Revised patch to address a regression in CVE-2016-2182 fix.
|
|
|
|
I. Background
|
|
|
|
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
|
|
a collaborative effort to develop a robust, commercial-grade, full-featured
|
|
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
|
|
and Transport Layer Security (TLS v1) protocols as well as a full-strength
|
|
general purpose cryptography library.
|
|
|
|
II. Problem Description
|
|
|
|
A malicious client can send an excessively large OCSP Status Request extension.
|
|
If that client continually requests renegotiation, sending a large OCSP Status
|
|
Request extension each time, then there will be unbounded memory growth on the
|
|
server. [CVE-2016-6304]
|
|
|
|
An overflow can occur in MDC2_Update() either if called directly or through
|
|
the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply
|
|
very large amounts of input data after a previous call to EVP_EncryptUpdate()
|
|
with a partial block then a length check can overflow resulting in a heap
|
|
corruption. [CVE-2016-6303]
|
|
|
|
If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
|
|
DoS attack where a malformed ticket will result in an OOB read which will
|
|
ultimately crash. [CVE-2016-6302]
|
|
|
|
The function BN_bn2dec() does not check the return value of BN_div_word().
|
|
This can cause an OOB write if an application uses this function with an
|
|
overly large BIGNUM. This could be a problem if an overly large certificate
|
|
or CRL is printed out from an untrusted source. TLS is not affected because
|
|
record limits will reject an oversized certificate before it is parsed.
|
|
[CVE-2016-2182]
|
|
|
|
The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
|
|
the total length the OID text representation would use and not the amount
|
|
of data written. This will result in OOB reads when large OIDs are presented.
|
|
[CVE-2016-2180]
|
|
|
|
Some calculations of limits in OpenSSL have used undefined pointer arithmetic.
|
|
This could cause problems with some malloc implementations. [CVE-2016-2177]
|
|
|
|
Operations in the DSA signing algorithm should run in constant time in order to
|
|
avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that
|
|
a non-constant time codepath is followed for certain operations. [CVE-2016-2178]
|
|
|
|
In a DTLS connection where handshake messages are delivered out-of-order those
|
|
messages that OpenSSL is not yet ready to process will be buffered for later
|
|
use. Under certain circumstances, a flaw in the logic means that those messages
|
|
do not get removed from the buffer even though the handshake has been completed.
|
|
An attacker could force up to approx. 15 messages to remain in the buffer when
|
|
they are no longer required. These messages will be cleared when the DTLS
|
|
connection is closed. The default maximum size for a message is 100k. Therefore
|
|
the attacker could force an additional 1500k to be consumed per connection.
|
|
[CVE-2016-2179]
|
|
|
|
A flaw in the DTLS replay attack protection mechanism means that records that
|
|
arrive for future epochs update the replay protection "window" before the MAC
|
|
for the record has been validated. This could be exploited by an attacker by
|
|
sending a record for the next epoch (which does not have to decrypt or have a
|
|
valid MAC), with a very large sequence number. This means that all subsequent
|
|
legitimate packets are dropped causing a denial of service for a specific
|
|
DTLS connection. [CVE-2016-2181]
|
|
|
|
In OpenSSL 1.0.2 and earlier some missing message length checks can result in
|
|
OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical
|
|
DoS risk but this has not been observed in practice on common platforms.
|
|
[CVE-2016-6306]
|
|
|
|
III. Impact
|
|
|
|
A remote attacker can cause OpenSSL server, regardless whether OCSP is supported,
|
|
to have unbounded memory growth, and eventually lead to a Denial of Service.
|
|
[CVE-2016-6304]
|
|
|
|
If an attacker is able to supply very large amounts of input data after a previous
|
|
call to EVP_EncryptUpdate() with a partial block then a length check can overflow
|
|
resulting in a heap corruption. [CVE-2016-6303]
|
|
|
|
An attacker who can send a malformed ticket to the server can cause an OOB read
|
|
which will ultimately lead to a crash, resulting in a Denial of Service.
|
|
[CVE-2016-6302]
|
|
|
|
A local attacker can cause an application that parses overly large certificate or
|
|
CRL to crash. TLS is not affected. [CVE-2016-2182]
|
|
|
|
A local attacker who can create a specially-crafted time stamp file and pass it
|
|
through the "ts" command of openssl(1) can cause it to crash. This functionality
|
|
is not used by the SSL/TLS implementation. [CVE-2016-2180]
|
|
|
|
Some OpenSSL code is questionable to integer overflow, which may lead to heap
|
|
corruption. [CVE-2016-2177]
|
|
|
|
An attacker may recover the private DSA key by conducting timing attack.
|
|
[CVE-2016-2178]
|
|
|
|
A remote attacker may cause a DTLS server to exhaust memory, resulting in a
|
|
Denial of Service. [CVE-2016-2179]
|
|
|
|
A remote attacker who can send DTLS records can cause the server to drop all
|
|
subsequent packets for a specific connection. [CVE-2016-2181]
|
|
|
|
A remote attacker can, in theory, cause OOB reads if the server enabled client
|
|
authentication. [CVE-2016-6306]
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available.
|
|
|
|
V. Solution
|
|
|
|
Perform one of the following:
|
|
|
|
1) Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date.
|
|
|
|
Restart all daemons that use the library, or reboot the system.
|
|
|
|
2) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
|
|
Restart all daemons that use the library, or reboot the system.
|
|
|
|
3) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
[FreeBSD 10.3]
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-10.3.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-10.3.patch.asc
|
|
# gpg --verify openssl-10.3.patch.asc
|
|
|
|
[FreeBSD 10.1 and 10.2]
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-10.2.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-10.2.patch.asc
|
|
# gpg --verify openssl-10.2.patch.asc
|
|
|
|
[FreeBSD 9.3]
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-9.3.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-9.3.patch.asc
|
|
# gpg --verify openssl-9.3.patch.asc
|
|
|
|
For all releases, additionally, apply the openssl-fix.patch:
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-fix.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-fix.patch.asc
|
|
# gpg --verify openssl-fix.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile the operating system using buildworld and installworld as
|
|
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
|
|
|
|
Restart all daemons that use the library, or reboot the system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/9/ r306335
|
|
releng/9.3/ r306336
|
|
stable/10/ r306196
|
|
releng/10.1/ r306336
|
|
releng/10.2/ r306336
|
|
releng/10.3/ r306336
|
|
stable/11/ r306195
|
|
releng/11.0/ r306198
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://www.openssl.org/news/secadv/20160922.txt>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2180>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2182>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6302>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6306>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:26.openssl.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v2.1.13 (FreeBSD)
|
|
|
|
iQIcBAEBCgAGBQJX6NvHAAoJEO1n7NZdz2rncwEP/3E3/QSGoSuhh7nqj3mzpSEl
|
|
YYVB2B6HrxOa99b6rDT8lnnbdkE+Z409C8PP/gM/86WsMJXRrYbB2Dvnpt2hdMI6
|
|
SK94iydp4/QEoahi3DqaiuvO0xfDonUVK/XM+HD2+OGnf5XhRJrXN72aYauK2TEw
|
|
3U58NWqdkHKyLMb9Xw6oOeoexOl7rbzvxB1M1Idsb5+mcs4/n9MHfLPPYDMZdGmc
|
|
XNuHzafINU4RD6ewZXmCjzZ2v4vlN6UJwoCdvm8NmG+2SGTqC+F/eldNFXuDuThz
|
|
DODYpyfg6LjkxeY+P4eG8BMM1grrf1K0/HAaDx3h+F/H/XrxP2gNQfXPxK9HSddL
|
|
eFWspWdRfJBydM4zrB8ndu/xmgfuCkgfrOgYU6z9eSLarmElM25Wic4+PiU0DXOq
|
|
tHoL3k6B8sEio19Jh2ggdrZJBDM+BzlDqXve3Z1t9lY9DVZbcNe1xWJ7SreBQfXl
|
|
n0r3LKLXxaFq014gb4/MV503XAn1P6Q87nL8wzkm9Z1qIHlJPt6Igrl+A5LcQ589
|
|
nW35xpeco8vFG0C6AmUk1cY14nZdZ/OjIEM4zGTd7oXRZRK6VFHJssTl0qJ/KLb1
|
|
rssl78ffhonLwFLLUzAGQlzYXYspz0ySwsrECcebOTzKzFUC9V0hcBuRMIwlAn5g
|
|
aqC0mYXivXqtV/cgdYL/
|
|
=3i9P
|
|
-----END PGP SIGNATURE-----
|