000030212 - OpenSSL Security Advisory (March 2015 - including FREAK) for RSA Authentication Manager - Part 1

Document created by RSA Customer Support Employee on Jun 14, 2016
Version 1

Article Content

Article Number: 000030212
Applies To: RSA Authentication Manager 7.1.4
RSA Authentication Manager Appliance 3.0.4
RSA Authentication Manager 8.1.1
OS: rPath Linux
-or-
SUSE Linux Enterprise Server - SLES 11.3 with patches

 
CVE ID: CVE-2015-0291, CVE-2015-0204, CVE-2015-0290, CVE-2015-0207, CVE-2015-0286, CVE-2015-0208, CVE-2015-0287
Scanning Tool and Version: None - report based upon announced fixes from OpenSSL.
 
Article Summary: Responses related to OpenSSL security fixes released in March 2015 (including the reiterated FREAK vulnerability)
Link to Advisories:
CVE-2015-0291 - https://www.openssl.org/news/secadv_20150319.txt
CVE-2015-0204 - https://www.openssl.org/news/secadv_20150319.txt
CVE-2015-0290 - https://www.openssl.org/news/secadv_20150319.txt
CVE-2015-0207 - https://www.openssl.org/news/secadv_20150319.txt
CVE-2015-0286 - https://www.openssl.org/news/secadv_20150319.txt
CVE-2015-0208 - https://www.openssl.org/news/secadv_20150319.txt
CVE-2015-0287 - https://www.openssl.org/news/secadv_20150319.txt
 
Alert Impact: Not Applicable
Technical Details: False positive
Technical Details Explanation
Identifier | Description | Details and Response
CVE-2015-0291 - OpenSSL 1.0.2 ClientHello sigalgs DoS
    
The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation.
    
   CVSS v2 Base Score: 5.0
    
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
    
   Severity: High
    
   If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
   invalid signature algorithms extension a NULL pointer dereference will occur.
   This can be exploited in a DoS attack against the server.
    
   This issue affects OpenSSL version: 1.0.2
    
    
   Response: The flaw does not exist
   AM 7.1.4 - Does not use OpenSSL
    
   Response: The flaw does not exist
   AM 3.0.4 Appliance and AM 8.1.1 - Does not use a vulnerable version of OpenSSL
    
    
CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA [Client]

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
    
   CVSS v2 Base Score: 4.3
    
   Note - This issue was reported earlier in OpenSSL’s January 2015 announcement but is reissued in their March 2015 announcement to update the “Severity” and description.  The new response replaces the earlier response.
Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
    
   Severity: High
    
   This security issue was previously announced by the OpenSSL project and
   classified as "low" severity. This severity rating has now been changed to
   "high".
    
   This was classified low because it was originally thought that server RSA
   export ciphersuite support was rare: a client was only vulnerable to a MITM
   attack against a server which supports an RSA export ciphersuite. Recent
   studies have shown that RSA export ciphersuites support is far more common.
    
   This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
    
    
   Response: The flaw does not exist
   AM 7.1.4 - Does not use OpenSSL
    
   Response: The flaw does not exist.
   AM 3.0.4 Appliance and AM 8.1.1 - The AM appliance is not a client for connections using OpenSSL. 
    
   OpenSSL (and other SSL implementations), when used on the client side of a connection, would allow that client to accept an EXPORT level cipher even though the client did not list EXPORT level ciphers as allowed. This is not an issue for AM since AM does not use OpenSSL for client connections.
    
   Also note - although not related to CVE-2015-0204 (the client-side vulnerability in OpenSSL) - the AM server (AM 7.1.4, AM 3.0.4 and AM 8.1.1) does not accept or create connections with any EXPORT level ciphers.  (A vulnerable client SSL implementation (such as the CVE-2015-0204 defect in OpenSSL) making a connection through a man-in-the-middle attacker to a server which allows the negotiation of EXPORT level ciphers is referred to as the “FREAK” vulnerability.)
    
    
CVE-2015-0290 - Multiblock corrupted pointer

The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors.
    
   CVSS v2 Base Score: 5.0
    
Multiblock corrupted pointer (CVE-2015-0290)
    
   Severity: Moderate
    
   OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature only applies on 64 bit x86 architecture platforms that support AES NI
   instructions. A defect in the implementation of "multiblock" can cause OpenSSL's internal write buffer to become incorrectly set to NULL when using non-blocking IO. Typically, when the user application is using a socket BIO for writing, this will only result in a failed connection. However if some other BIO is used then it is likely that a segmentation fault will be triggered, thus enabling a
   potential DoS attack.
    
   This issue affects OpenSSL version: 1.0.2
    
    
   Response: The flaw does not exist
   AM 7.1.4 - Does not use OpenSSL
    
   Response: The flaw does not exist
   AM 3.0.4 Appliance and AM 8.1.1 - Does not use a vulnerable version of OpenSSL
    
    
CVE-2015-0207 - Segmentation fault in DTLSv1_listen

The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independent data streams, which allows remote attackers to cause a denial of service (application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server.
    
   CVSS v2 Base Score: 5.0
    
Segmentation fault in DTLSv1_listen (CVE-2015-0207)
    
   Severity: Moderate
    
   The DTLSv1_listen function is intended to be stateless and processes the initial ClientHello from many peers. It is common for user code to loop over the call to DTLSv1_listen until a valid ClientHello is received with an associated cookie. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invocation to the next that can lead to a segmentation fault. Errors processing the initial ClientHello can trigger this scenario. An example of such an error could be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only server.
    
   This issue affects OpenSSL version: 1.0.2
    
    
   Response: The flaw does not exist
   AM 7.1.4 - Does not use OpenSSL
    
   Response: The flaw does not exist
   AM 3.0.4 Appliance and AM 8.1.1 - Does not use a vulnerable version of OpenSSL
    
    
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp

The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature.
    
   CVSS v2 Base Score: 5.0
    
Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
    
   Severity: Moderate
    
   The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
   made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
   certificate signature algorithm consistency this can be used to crash any
   certificate verification operation and exploited in a DoS attack. Any
   application which performs certificate verification is vulnerable including
   OpenSSL clients and servers which enable client authentication.
    
   This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.
    
    
   Response: The flaw does not exist
   AM 7.1.4 - Does not use OpenSSL
    
   Response: The flaw does not exist
   AM 3.0.4 Appliance and AM 8.1.1 - Does not use OpenSSL to perform client validation of certificates.
    
CVE-2015-0208 - Segmentation fault for invalid PSS parameters

The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the certificate-verification feature.
    
   CVSS v2 Base Score: 4.3
Segmentation fault for invalid PSS parameters (CVE-2015-0208)
    
   Severity: Moderate
    
   The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and invalid parameters. Since these routines are used to verify certificate signature algorithms this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.
    
   This issue affects OpenSSL version: 1.0.2
    
    
   Response: The flaw does not exist
   AM 7.1.4 - Does not use OpenSSL
    
   Response: The flaw does not exist
   AM 3.0.4 Appliance and AM 8.1.1 - Does not use a vulnerable version of OpenSSL
    
CVE-2015-0287 - ASN.1 structure reuse memory corruption
    
The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.
    
   CVSS v2 Base Score: 5.0
    
ASN.1 structure reuse memory corruption (CVE-2015-0287)
    
   Severity: Moderate
    
   Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Such reuse is and has been strongly discouraged and is believed to be rare.
    
   Applications that parse structures containing CHOICE or ANY DEFINED BY components may be affected. Certificate parsing (d2i_X509 and related functions) are however not affected. OpenSSL clients and servers are not affected.
    
   This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.
    
   Response: The flaw does not exist
   AM 7.1.4 - Does not use OpenSSL
    
   Response: The flaw does not exist
   AM 3.0.4 Appliance and AM 8.1.1 - Does not use the OpenSSL ASN.1 parsing and structure reuse.
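
The version-based responses above ("Does not use a vulnerable version of OpenSSL") can be checked against the affected ranges quoted in each CVE description. The following is an added example, not RSA or OpenSSL code; the function names are hypothetical and the version strings used with it are constructed for illustration.

```python
import re

# Affected ranges as quoted in the CVE descriptions above:
# (lower bound of the branch, or None for "before X"; first fixed release).
OLD = [(None, "0.9.8zf"), ("1.0.0", "1.0.0r"), ("1.0.1", "1.0.1m"), ("1.0.2", "1.0.2a")]
ONLY_102 = [("1.0.2", "1.0.2a")]
AFFECTED = {
    "CVE-2015-0291": ONLY_102,
    "CVE-2015-0204": [(None, "0.9.8zd"), ("1.0.0", "1.0.0p"), ("1.0.1", "1.0.1k")],
    "CVE-2015-0290": ONLY_102,
    "CVE-2015-0207": ONLY_102,
    "CVE-2015-0286": OLD,
    "CVE-2015-0208": ONLY_102,
    "CVE-2015-0287": OLD,
}

# Pre-1.1.0 OpenSSL versions look like 1.0.1k or 0.9.8zd, optionally with "-fips".
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-fips)?$")


def parse(version):
    """Return a sortable key for an OpenSSL version string (hypothetical helper)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, fix, letters = m.groups()
    # Patch letters run a..z, then za, zb, ...: order by length first, then
    # alphabetically, so that "" < "a" < "z" < "za" < "zd" < "zf".
    return (int(major), int(minor), int(fix), len(letters), letters)


def applicable_cves(version):
    """List the CVEs from this advisory whose quoted range contains `version`."""
    v = parse(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any((lo is None or v >= parse(lo)) and v < parse(fixed)
               for lo, fixed in ranges):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample versions, not taken from any RSA product.
    for sample in ("0.9.8y", "0.9.8ze", "1.0.1e-fips", "1.0.1k", "1.0.2", "1.0.2a"):
        print(sample, applicable_cves(sample))
```

A match only means the upstream version string falls in a listed range: distribution packages can carry backported fixes under an unchanged version string, and, as the responses above show, a CVE may still not apply when the product does not exercise the affected OpenSSL code path.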
    

 

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Corporation distributes RSA Security Advisories, in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
