000029492 - RSA Authentication Manager 7.1.4 - 8.1.1 Multiple Vulnerabilities (Jan2015-OpenSSL) Part-2 - False Positive

Document created by RSA Customer Support Employee on Jun 14, 2016

Article Content

Article Number: 000029492
Applies To: RSA Authentication Manager 7.1.4
RSA Authentication Manager Appliance 3.0.4
RSA Authentication Manager 8.1.1

OS: rPath Linux
-or-
SUSE Linux Enterprise Server - SLES 11.3 with patches
CVE ID: CVE-2015-0205, CVE-2014-8275, CVE-2014-3570, CVE-2014-3570
Article Summary: Responses related to OpenSSL security fixes released in January 2015
Plus an additional issue: Misfortune Cookie
Link to Advisories
Alert Impact: Not Exploitable
Technical Details: The flaw exists but it is not exploitable
Technical Details Explanation
Identifier | Description | Details and Response
CVE-2015-0205 - DH client certificates accepted without verification [Server]

The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.
    
   CVSS v2 Base Score: 5.0
    
DH client certificates accepted without verification [Server] (CVE-2015-0205)
    
   Severity: Low
    
   An OpenSSL server will accept a DH certificate for client authentication
   without the certificate verify message. This effectively allows a client
   to authenticate without the use of a private key. This only affects servers
   which trust a client certificate authority which issues certificates
   containing DH keys: these are extremely rare and hardly ever encountered.
    
   This issue affects OpenSSL versions: 1.0.1 and 1.0.0.
    
   OpenSSL 1.0.1 users should upgrade to 1.0.1k.
   OpenSSL 1.0.0 users should upgrade to 1.0.0p.
    
   This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
   Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
   Henson of the OpenSSL core team.
    
    
   Response: The flaw does not exist
   AM 7.1.4 and AM 3.0.4 Appliance - Does not use a vulnerable version of OpenSSL
   AM 8.1.1 - OpenSSL connections to the AM 8.1 appliance do not use client authentication.
    
    
CVE-2014-8275 - Certificate fingerprints can be modified

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.
    
   CVSS v2 Base Score: 5.0
    
Certificate fingerprints can be modified (CVE-2014-8275)
    
   Severity: Low
    
   OpenSSL accepts several non-DER-variations of certificate signature
   algorithm and signature encodings. OpenSSL also does not enforce a
   match between the signature algorithm between the signed and unsigned
   portions of the certificate. By modifying the contents of the
   signature algorithm or the encoding of the signature, it is possible
   to change the certificate's fingerprint.
    
   This does not allow an attacker to forge certificates, and does not
   affect certificate verification or OpenSSL servers/clients in any
   other way. It also does not affect common revocation mechanisms. Only
   custom applications that rely on the uniqueness of the fingerprint
   (e.g. certificate blacklists) may be affected.
    
   This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and
   0.9.8.
    
   OpenSSL 1.0.1 users should upgrade to 1.0.1k.
   OpenSSL 1.0.0 users should upgrade to 1.0.0p.
   OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
    
   One variant of this issue was discovered by Antti Karjalainen and
   Tuomo Untinen from the Codenomicon CROSS program and reported to
   OpenSSL on 1st December 2014 by NCSC-FI Vulnerability
   Co-ordination. Another variant was independently reported to OpenSSL
   on 12th December 2014 by Konrad Kraszewski from Google. Further
   analysis was conducted and fixes were developed by Stephen Henson of
   the OpenSSL core team.
    
    
   Response: The flaw does not exist
   AM 7.1.4, AM 3.0.4 Appliance and AM 8.1.1 - Does not use OpenSSL openssl-blacklist or any similar validation in OpenSSL of certificates which would be impacted by this issue.
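
For applications that do keep a fingerprint-based blacklist, the following added example (not RSA or OpenSSL code) shows why a hash over the whole encoding is fragile and a hash over the signed tbsCertificate element is not. The two sample structures are constructed for illustration and are not real certificates; the function names are assumptions of this example.

```python
import hashlib

def read_tlv(buf, pos=0):
    """Return (tag, value_start, value_end) of the DER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, start = first, pos + 2
    else:                                  # long-form length, up to 4 bytes
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated element")
    return tag, start, start + length

def whole_fingerprint(cert_der):
    """SHA-256 over the full encoding, unsigned fields included."""
    return hashlib.sha256(cert_der).hexdigest()

def tbs_fingerprint(cert_der):
    """SHA-256 over the signed tbsCertificate element only."""
    tag, start, end = read_tlv(cert_der)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("expected one outer SEQUENCE")
    tbs_tag, _, tbs_end = read_tlv(cert_der, start)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    return hashlib.sha256(cert_der[start:tbs_end]).hexdigest()

def tlv(tag, value):
    """Short-form DER encoder, enough for the constructed samples below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

# Constructed sample data, not real certificates: same signed portion,
# outer signatureAlgorithm written with and without the NULL parameter.
OID = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))
TBS = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x0C, b"constructed subject"))
SIG = tlv(0x03, b"\x00" + b"\xaa" * 32)
CERT_A = tlv(0x30, TBS + tlv(0x30, OID + tlv(0x05, b"")) + SIG)
CERT_B = tlv(0x30, TBS + tlv(0x30, OID) + SIG)

if __name__ == "__main__":
    for name, der in (("A", CERT_A), ("B", CERT_B)):
        print(name, whole_fingerprint(der)[:16], tbs_fingerprint(der)[:16])
```

A blacklist keyed on `tbs_fingerprint` matches both samples, while one keyed on `whole_fingerprint` matches only the exact encoding that was listed.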
    
    
CVE-2014-3570 - Bignum squaring may produce incorrect results
    
The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.
    
   CVSS v2 Base Score: 5.0
   (with access complexity scored “low” by NVD due to insufficient information)
    
Bignum squaring may produce incorrect results (CVE-2014-3570)
    
   Severity: Low
    
   Bignum squaring (BN_sqr) may produce incorrect results on some
   platforms, including x86_64. This bug occurs at random with a very
   low probability, and is not known to be exploitable in any way, though
   its exact impact is difficult to determine. The following has been
   determined:
    
   *) The probability of BN_sqr producing an incorrect result at random
   is very low: 1/2^64 on the single affected 32-bit platform (MIPS) and
   1/2^128 on affected 64-bit platforms.
   *) On most platforms, RSA follows a different code path and RSA
   operations are not affected at all. For the remaining platforms
   (e.g. OpenSSL built without assembly support), pre-existing
   countermeasures thwart bug attacks [1].
   *) Static ECDH is theoretically affected: it is possible to construct
   elliptic curve points that would falsely appear to be on the given
   curve. However, there is no known computationally feasible way to
   construct such points with low order, and so the security of static
   ECDH private keys is believed to be unaffected.
   *) Other routines known to be theoretically affected are modular
   exponentiation, primality testing, DSA, RSA blinding, JPAKE and
   SRP. No exploits are known and straightforward bug attacks fail -
   either the attacker cannot control when the bug triggers, or no
   private key material is involved.
    
   This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
    
   OpenSSL 1.0.1 users should upgrade to 1.0.1k.
   OpenSSL 1.0.0 users should upgrade to 1.0.0p.
   OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
    
   This issue was reported to OpenSSL on 2nd November 2014 by Pieter Wuille
   (Blockstream) who also suggested an initial fix. Further analysis was
   conducted by the OpenSSL development team and Adam Langley of
   Google. The final fix was developed by Andy Polyakov of the OpenSSL
   core team.
    
   [1] http://css.csail.mit.edu/6.858/2013/readings/rsa-bug-attacks.pdf
    
    
   Response: The flaw does not exist
   AM 7.1.4 - Does not use OpenSSL
   AM 3.0.4 Appliance - The single affected 32-bit platform is MIPS (not the AM 3.0.4 appliance which is X86_32).
    
   Response: The flaw exists but is not exploitable
   AM 8.1.1 - OpenSSL on x86_64 platforms is affected; however, the problem occurs at random with a very low probability and is not known to be exploitable. Potential vulnerabilities are only theoretical with no feasible, known technique for triggering the bug. The fix introduces a modified assembly code implementation for BIGNUM multiplication (which itself might introduce some risk). While the OpenSSL code in AM 8.1 is theoretically vulnerable, we feel that the issue should actually have a CVSSv2 score closer to zero and do not suggest that the new code be adopted at this time.
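
When a scanner flags these three OpenSSL entries from a version banner, the first triage step is to compare the banner against the fixed releases quoted above (1.0.1k, 1.0.0p, 0.9.8zd), per CVE and per branch. The following is an added example, not RSA or OpenSSL code; the banners are constructed samples and the status strings are assumptions of this example.

```python
import re

# Branch -> first fixed letter release, per CVE, as listed in the advisory text.
FIXED = {
    "CVE-2015-0205": {"1.0.1": "k", "1.0.0": "p"},
    "CVE-2014-8275": {"1.0.1": "k", "1.0.0": "p", "0.9.8": "zd"},
    "CVE-2014-3570": {"1.0.1": "k", "1.0.0": "p", "0.9.8": "zd"},
}

def parse_banner(banner):
    """Split e.g. 'OpenSSL 1.0.1e-fips 11 Feb 2013' into ('1.0.1', 'e')."""
    m = re.search(r"OpenSSL (\d+\.\d+\.\d+)([a-z]*)", banner)
    if not m:
        raise ValueError("no OpenSSL version in banner: %r" % banner)
    return m.group(1), m.group(2)

def letter_rank(letters):
    """Order letter releases: '' < a < ... < z < za < zb ..."""
    return (len(letters), letters)

def triage(banner):
    """Map each CVE to a status derived from the upstream version alone."""
    branch, letters = parse_banner(banner)
    result = {}
    for cve, fixed in FIXED.items():
        if branch not in fixed:
            result[cve] = "branch not listed"
        elif letter_rank(letters) >= letter_rank(fixed[branch]):
            result[cve] = "fixed upstream"
        else:
            # Distribution packages can carry backported fixes without a
            # version bump, so this status means "check the vendor package".
            result[cve] = "below fixed release"
    return result

# Constructed banners for illustration.
SAMPLES = [
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 0.9.8zd 8 Jan 2015",
    "OpenSSL 1.0.0o 15 Oct 2014",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(banner, triage(banner))
```

A "below fixed release" result is only the starting point: as the responses above show, whether the affected feature is used at all (client authentication, fingerprint blacklists) decides whether the finding is a false positive.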
    
    
And one more for Martin Ma (AM-28853) -
    
   CVE-2014-3570 - Misfortune Cookie
    
AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the "Misfortune Cookie" vulnerability.
    
   CVSS v2 Base Score: 10.0
    
What is the Misfortune Cookie vulnerability?
    
   Researchers from Check Point’s Malware and Vulnerability Research Group recently uncovered this critical vulnerability present on millions of residential gateway (SOHO router) devices from different models and makers. It has been assigned the CVE-2014-9222 identifier. This severe vulnerability allows an attacker to remotely take over the device with administrative privileges.
    
   http://mis.fortunecook.ie/
    
    
   Response: The flaw does not exist
   AM 7.1.4, AM 3.0.4 Appliance and AM 8.1.1 - Does not use the AllegroSoft RomPager embedded web server.
    
    
Notes: AM 7.1.4 and AM 3.0.4 Appliance have reached the end of primary support. AM 8.1 service pack SP1 contains the latest OS patches for the appliance (but built late last fall so it does not include the January OpenSSL updates). The following are the CVEs requested by the customers for AM 7.1.4 but I have also included the responses for AM 3.0.4 Appliance and AM 8.1.1 as well. Descriptions and CVSSv2 scores are from the NVD. Other information is from OpenSSL, etc.
 

 

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Corporation distributes RSA Security Advisories, in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
