===============================

OpenSSL – The Open Source toolkit for SSL/TLS http://www.openssl.org/

The OpenSSL project team has announced the release of version 1.0.0d of their open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release. For a complete list of changes, please see

http://www.openssl.org/source/exp/CHANGES.

The most significant changes are:

o Fix for security issue CVE-2011-0014 [http://www.openssl.org/news/secadv_20110208.txt]

OCSP stapling vulnerability in OpenSSL

======================================

Incorrectly formatted ClientHello handshake messages could cause OpenSSL to parse past the end of the message.

This issue applies to the following versions:

1) OpenSSL 0.9.8h through 0.9.8q

2) OpenSSL 1.0.0 through 1.0.0c

The parsing function in question is already used on arbitary data so no

additional vulnerabilities are expected to be uncovered by this.

However, an attacker may be able to cause a crash (denial of service) by

triggering invalid memory accesses.

The results of the parse are only availible to the application using

OpenSSL so do not directly cause an information leak. However, some

applications may expose the contents of parsed OCSP extensions,

specifically an OCSP nonce extension. An attacker could use this to read

the contents of memory following the ClientHello.

Users of OpenSSL should update to the OpenSSL 1.0.0d (or 0.9.8r) release,

which contains a patch to correct this issue. If upgrading is not

immediately possible, the source code patch provided in this advisory

should be applied.

Neel Mehta (Google) identified the vulnerability. Adam Langley and

Bodo Moeller (Google) prepared the fix.

Which applications are affected

- ——————————-

Applications are only affected if they act as a server and call

SSL_CTX_set_tlsext_status_cb on the server’s SSL_CTX. This includes

Apache httpd >= 2.3.3.

Patch

- —–

- --- ssl/t1_lib.c      25 Nov 2010 12:28:28 -0000    1.64.2.17

+++ ssl/t1_lib.c  8 Feb 2011 00:00:00 -0000

@@ -917,6 +917,7 @@

}

n2s(data, idsize);

dsize -= 2 + idsize;

+                             size -= 2 + idsize;

if (dsize < 0)

{

*al = SSL_AD_DECODE_ERROR;

@@ -955,9 +956,14 @@

}

/* Read in request_extensions */

+                       if (size < 2)

+                             {

+                             *al = SSL_AD_DECODE_ERROR;

+                             return 0;

+                             }

n2s(data,dsize);

size -= 2;

- -                     if (dsize > size)

+                       if (dsize != size)

{

*al = SSL_AD_DECODE_ERROR;

return 0;

References

- ———-

This vulnerability is tracked as CVE-2011-0014.

URL for this Security Advisory:

http://www.openssl.org/news/secadv_20110208.txt

OCSP stapling is defined in RFC 2560.

A flaw has been found in the OpenSSL SSL/TLS server code where an old bug workaround allows malicous clients to modify the stored session cache ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one on subsequent connections.

The OpenSSL security team would like to thank Martin Rex for reporting this issue.

This vulnerability is tracked as CVE-2010-4180

OpenSSL JPAKE validation error

Sebastian Martini found an error in OpenSSL’s J-PAKE implementation which could lead to successful validation by someone with no knowledge of the shared secret. This error is fixed in 1.0.0c. Details of the problem can be found here:

http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf

Note that the OpenSSL Team still consider our implementation of J-PAKE to be experimental and is not compiled by default.

This issue is tracked as CVE-2010-4252

Who is affected?

All versions of OpenSSL contain the ciphersuite downgrade vulnerability.

Any OpenSSL based SSL/TLS server is vulnerable if it uses OpenSSL’s internal caching mechanisms and the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many applications enable this by using the SSL_OP_ALL option).

Users of OpenSSL 0.9.8j or later who do not enable weak ciphersuites are still vulnerable but the bug has no security implications as the attacker can only change from one strong ciphersuite to another.

All users of OpenSSL’s experimental J-PAKE implementation are vulnerable to the J-PAKE validation error.

Recommendations for users of OpenSSL

Users of all OpenSSL 0.9.8 releases including 0.9.8p should update to the OpenSSL 0.9.8q release which contains a patch to correct this issue.

Alternatively do not set the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG and/or SSL_OP_ALL flags.

Users of OpenSSL 1.0.0 releases should update to the OpenSSL 1.0.0c release which contains a patch to correct this issue and also contains a corrected version of the CVE-2010-3864 vulnerability fix.

If upgrading is not immediately possible, the relevant source code patch provided in this advisory should be applied.

Any user of OpenSSL’s J-PAKE implementaion (which is not compiled in by default) should upgrade to OpenSSL 1.0.0c.

Patch

Index: ssl/s3_clnt.c

===================================================================

RCS file: /v/openssl/cvs/openssl/ssl/s3_clnt.c,v

retrieving revision 1.129.2.16

diff -u -r1.129.2.16 s3_clnt.c

- --- ssl/s3_clnt.c     10 Oct 2010 12:33:10 -0000    1.129.2.16

+++ ssl/s3_clnt.c 24 Nov 2010 14:32:37 -0000

@@ -866,8 +866,11 @@

s->session->cipher_id = s->session->cipher->id;

if (s->hit && (s->session->cipher_id != c->id))

{

+/* Workaround is now obsolete */

+#if 0

if (!(s->options &

SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))

+#endif

{

al=SSL_AD_ILLEGAL_PARAMETER;

SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);

Index: ssl/s3_srvr.c

===================================================================

RCS file: /v/openssl/cvs/openssl/ssl/s3_srvr.c,v

retrieving revision 1.171.2.22

diff -u -r1.171.2.22 s3_srvr.c

- --- ssl/s3_srvr.c     14 Nov 2010 13:50:29 -0000    1.171.2.22

+++ ssl/s3_srvr.c 24 Nov 2010 14:34:28 -0000

@@ -985,6 +985,10 @@

break;

}

}

+/* Disabled because it can be used in a ciphersuite downgrade

+ * attack: CVE-2010-4180.

+ */

+#if 0

if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))

{

/* Special case as client bug workaround: the previously used cipher may

@@ -999,6 +1003,7 @@

j = 1;

}

}

+#endif

if (j == 0)

{

/* we need to have the cipher in the cipher

The most significant changes are:

o Fix for security issue CVE-2010-4180

o Fix for CVE-2010-4252

The most significant changes are:

o Fix for security issue CVE-2010-4180

o Fix for CVE-2010-4252

o Fix mishandling of absent EC point format extension.

o Fix various platform compilation issues.

o Corrected fix for security issue CVE-2010-3864.

A flaw has been found in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack.

The OpenSSL security team would like to thank Rob Hulswit for reporting this issue.

The fix was developed by Dr Stephen Henson of the OpenSSL core team.

This vulnerability is tracked as CVE-2010-3864

Who is affected?

All versions of OpenSSL supporting TLS extensions contain this vulnerability including OpenSSL 0.9.8f through 0.9.8o, 1.0.0, 1.0.0a releases.

Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL’s internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.

In particular the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected.

Recommendations for users of OpenSSL

Users of all OpenSSL 0.9.8 releases from 0.9.8f through 0.9.8o should update to the OpenSSL 0.9.8p release which contains a patch to correct this issue.

Users of OpenSSL 1.0.0 and 1.0.0a should update to the OpenSSL 1.0.0b release which contains a patch to correct this issue.

If upgrading is not immediately possible, the relevant source code patch provided in this advisory should be applied.

Patch for OpenSSL 0.9.8 releases

================================

Index: ssl/t1_lib.c

===================================================================

RCS file: /v/openssl/cvs/openssl/ssl/t1_lib.c,v

retrieving revision 1.13.2.27

diff -u -r1.13.2.27 t1_lib.c

- — ssl/t1_lib.c      12 Jun 2010 13:18:58 -0000    1.13.2.27

+++ ssl/t1_lib.c  15 Nov 2010 15:20:14 -0000

@@ -432,14 +432,23 @@

switch (servname_type)

{

case TLSEXT_NAMETYPE_host_name:

- -                           if (s->session->tlsext_hostname == NULL)

+                             if (!s->hit)

{

- -                                 if (len > TLSEXT_MAXLEN_host_name ||

- -                                       ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))

+                                   if(s->session->tlsext_hostname)

+                                         {

+                                         *al = SSL_AD_DECODE_ERROR;

+                                         return 0;

+                                         }

+                                   if (len > TLSEXT_MAXLEN_host_name)

{

*al = TLS1_AD_UNRECOGNIZED_NAME;

return 0;

}

+                                   if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)

+                                         {

+                                         *al = TLS1_AD_INTERNAL_ERROR;

+                                         return 0;

+                                         }

memcpy(s->session->tlsext_hostname, sdata, len);

s->session->tlsext_hostname[len]=’\0′;

if (strlen(s->session->tlsext_hostname) != len) {

@@ -452,7 +461,8 @@

}

else

- -                                 s->servername_done = strlen(s->session->tlsext_hostname) == len

+                                   s->servername_done = s->session->tlsext_hostname

+                                         && strlen(s->session->tlsext_hostname) == len

&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;

break;

Patch for OpenSSL 1.0.0 releases

================================

Index: ssl/t1_lib.c

===================================================================

RCS file: /v/openssl/cvs/openssl/ssl/t1_lib.c,v

retrieving revision 1.64.2.14

diff -u -r1.64.2.14 t1_lib.c

- — ssl/t1_lib.c      15 Jun 2010 17:25:15 -0000    1.64.2.14

+++ ssl/t1_lib.c  15 Nov 2010 15:26:19 -0000

@@ -714,14 +714,23 @@

switch (servname_type)

{

case TLSEXT_NAMETYPE_host_name:

- -                           if (s->session->tlsext_hostname == NULL)

+                             if (!s->hit)

{

- -                                 if (len > TLSEXT_MAXLEN_host_name ||

- -                                       ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))

+                                   if(s->session->tlsext_hostname)

+                                         {

+                                         *al = SSL_AD_DECODE_ERROR;

+                                         return 0;

+                                         }

+                                   if (len > TLSEXT_MAXLEN_host_name)

{

*al = TLS1_AD_UNRECOGNIZED_NAME;

return 0;

}

+                                   if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)

+                                         {

+                                         *al = TLS1_AD_INTERNAL_ERROR;

+                                         return 0;

+                                         }

memcpy(s->session->tlsext_hostname, sdata, len);

s->session->tlsext_hostname[len]=’\0′;

if (strlen(s->session->tlsext_hostname) != len) {

@@ -734,7 +743,8 @@

}

else

- -                                 s->servername_done = strlen(s->session->tlsext_hostname) == len

+                                   s->servername_done = s->session->tlsext_hostname

+                                         && strlen(s->session->tlsext_hostname) == len

&& strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;

break;

@@ -765,15 +775,22 @@

*al = TLS1_AD_DECODE_ERROR;

return 0;

}

- -               s->session->tlsext_ecpointformatlist_length = 0;

- -               if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);

- -               if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)

+                 if (!s->hit)

{

- -                     *al = TLS1_AD_INTERNAL_ERROR;

- -                     return 0;

+                       if(s->session->tlsext_ecpointformatlist)

+                             {

+                             *al = TLS1_AD_DECODE_ERROR;

+                             return 0;

+                             }

+                       s->session->tlsext_ecpointformatlist_length = 0;

+                       if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)

+                             {

+                             *al = TLS1_AD_INTERNAL_ERROR;

+                             return 0;

+                             }

+                       s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;

+                       memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);

}

- -               s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;

- -               memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);

#if 0

fprintf(stderr,”ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) “, s->session->tlsext_ecpointformatlist_length);

sdata = s->session->tlsext_ecpointformatlist;

@@ -794,15 +811,22 @@

*al = TLS1_AD_DECODE_ERROR;

return 0;

}

- -               s->session->tlsext_ellipticcurvelist_length = 0;

- -               if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);

- -               if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)

+                 if (!s->hit)

{

- -                     *al = TLS1_AD_INTERNAL_ERROR;

- -                     return 0;

+                       if(s->session->tlsext_ellipticcurvelist)

+                             {

+                             *al = TLS1_AD_DECODE_ERROR;

+                             return 0;

+                             }

+                       s->session->tlsext_ellipticcurvelist_length = 0;

+                       if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)

+                             {

+                             *al = TLS1_AD_INTERNAL_ERROR;

+                             return 0;

+                             }

+                       s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;

+                       memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);

}

- -               s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;

- -               memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);

#if 0

fprintf(stderr,”ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) “, s->session->tlsext_ellipticcurvelist_length);

sdata = s->session->tlsext_ellipticcurvelist;

References

URL for this Security Advisory: http://www.openssl.org/news/secadv_20101116.txt

This new OpenSSL version is a security and bugfix release which addresses CVE-2010-3864.

For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

This new OpenSSL version is a security and bugfix release which addresses CVE-2010-3864.

For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

OpenSSL 1.0.0a is considered to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 1.0.0a is available for

download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):