000034493 - RSA Authentication Manager 8.2 Multiple OpenSSL Vulnerabilities - False Positive

Document created by RSA Customer Support Employee on Dec 9, 2016
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000034493
Applies ToRSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Manager
RSA Version/Condition:  8.2

 


CVE IDCVE-2016-7053, CVE-2016-7054, CVE-2016-7055
Article SummaryInformation requested by RSA Customer Support regarding the impact of certain vulnerabilities announced by the openssl.org group in November 2016.  See: https://www.openssl.org/news/secadv/20161110.txt
  • CVE-2016-7054 - ChaCha20/Poly1305 heap-buffer-overflow
  • CVE-2016-7053 - CMS Null dereference
  • CVE-2016-7055 - Montgomery multiplication may produce incorrect results
 
Link to Advisorieshttps://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7053
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7054
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7055
Alert ImpactNot Exploitable
Technical DetailsThe flaw exists but it is not exploitable
Technical Details Explanation

CVE-2016-7054

Description

ChaCha20/Poly1305 heap-buffer-overflow

TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.

Impacts OpenSSL versions 1.1.0 less than 1.1.0c

Response

The flaw does not exist

This issue does not affect OpenSSL versions prior to 1.1.0. The RSA Authentication Manager appliance 8.2 does not use a vulnerable version of OpenSSL.


CVE-2016-7053

Description

CMS Null dereference

Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected.

Impacts OpenSSL versions 1.1.0 less than 1.1.0c

Response

The flaw does not exist

This issue does not affect OpenSSL versions prior to 1.1.0. The RSA Authentication Manager appliance 8.2 does not use a vulnerable version of OpenSSL.


CVE-2016-7055

Description

Montgomery multiplication may produce incorrect results

There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely, multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.

CVSS3 Base Score 3.7 (Estimated by Red Hat)
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

This issue does not affect OpenSSL versions prior to 1.0.2. Due to the low severity of this defect we are not issuing a new 1.0.2 release at this time.

Response:

The flaw exists and is not exploitable under the default configuration.

As the OpenSSL group points out, this impacts Elliptical Curve operations for key negotiation but only if multiple clients are connecting and choosing the same curve. This also requires, as a prerequisite, that a non-default feature of AM be enabled and configured in a manner which allows the attacker’s client to connect at the same time as the valid client. (The configuration to allow external TLS connections to the database through OpenSSL requires that the admin performing the configuration specify the IP addresses which are allowed to connect. If this optional feature is enabled, only the IP of the valid client system should be configured.)

Note

The OpenSSL group is not currently providing a fix for this issue (due to its low severity).  See their comment in the description and at their announcement: https://www.openssl.org/news/secadv/20161110.txt

Note

The optional connections for read-only users in RSA Authentication Manager 8.2 do not actually make use of SSL/TLS until a non-SSL/TLS connection is created as a prerequisite to the TLS negotiation request and this initial connection is limited to only the specific configured client system IPs.  The client tools which customers use for these connections should be configured to not require the mentioned Brainpool P-512 curves (which would normally not be in use by default anyway). 

 

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, EMC Corporation, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Attachments

    Outcomes