000034493 - RSA Authentication Manager 8.2 Multiple OpenSSL Vulnerabilities - False Positive

• CVE-2016-7054 - ChaCha20/Poly1305 heap-buffer-overflow
• CVE-2016-7053 - CMS Null dereference
• CVE-2016-7055 - Montgomery multiplication may produce incorrect results

CVE-2016-7054

Description

ChaCha20/Poly1305 heap-buffer-overflow

TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.

Impacts OpenSSL versions 1.1.0 less than 1.1.0c

Response

The flaw does not exist

This issue does not affect OpenSSL versions prior to 1.1.0. The RSA Authentication Manager appliance 8.2 does not use a vulnerable version of OpenSSL.

CVE-2016-7053

Description

CMS Null dereference

Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected.

Impacts OpenSSL versions 1.1.0 less than 1.1.0c

Response

The flaw does not exist

This issue does not affect OpenSSL versions prior to 1.1.0. The RSA Authentication Manager appliance 8.2 does not use a vulnerable version of OpenSSL.

CVE-2016-7055

Description

Montgomery multiplication may produce incorrect results

There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely, multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.

CVSS3 Base Score 3.7 (Estimated by Red Hat)
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

This issue does not affect OpenSSL versions prior to 1.0.2. Due to the low severity of this defect we are not issuing a new 1.0.2 release at this time.

Response:

The flaw exists and is not exploitable under the default configuration.

As the OpenSSL group points out, this impacts Elliptical Curve operations for key negotiation but only if multiple clients are connecting and choosing the same curve. This also requires, as a prerequisite, that a non-default feature of AM be enabled and configured in a manner which allows the attacker’s client to connect at the same time as the valid client. (The configuration to allow external TLS connections to the database through OpenSSL requires that the admin performing the configuration specify the IP addresses which are allowed to connect. If this optional feature is enabled, only the IP of the valid client system should be configured.)

Note

The OpenSSL group is not currently providing a fix for this issue (due to its low severity).  See their comment in the description and at their announcement: https://www.openssl.org/news/secadv/20161110.txt

Note

The optional connections for read-only users in RSA Authentication Manager 8.2 do not actually make use of SSL/TLS until a non-SSL/TLS connection is created as a prerequisite to the TLS negotiation request and this initial connection is limited to only the specific configured client system IPs.  The client tools which customers use for these connections should be configured to not require the mentioned Brainpool P-512 curves (which would normally not be in use by default anyway).