
CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS Implementations



   Original issue date: October 1, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * OpenSSL versions prior to 0.9.7c and 0.9.6k
     * Multiple SSL/TLS implementations
     * SSLeay library


   There are multiple vulnerabilities in different implementations of the
   Secure   Sockets  Layer  (SSL)  and  Transport  Layer  Security  (TLS)
   protocols.  These  vulnerabilities  occur primarily in Abstract Syntax
   Notation  One  (ASN.1)  parsing code. The most serious vulnerabilities
   may  allow  a  remote  attacker  to execute arbitrary code. The common
   impact is denial of service.

I. Description

   SSL  and  TLS  are  used  to  provide  authentication, encryption, and
   integrity  services to higher-level network applications such as HTTP.
   Cryptographic   elements   used   by  the  protocols,  such  as  X.509
   certificates, are represented as ASN.1 objects. In order to encode and
   decode   these   objects,   many  SSL  and  TLS  implementations  (and
   cryptographic libraries) include ASN.1 parsers.

   OpenSSL is a widely-deployed open source implementation of the SSL and
   TLS  protocols.  OpenSSL also provides a general-purpose cryptographic
   library that includes an ASN.1 parser.

   The U.K. National Infrastructure Security Co-ordination Centre (NISCC)
   has   developed   a  test  suite  to  analyze  the  way  SSL  and  TLS
   implementations  handle  exceptional ASN.1 objects contained in client
   and  server  certificate  messages. Although the test suite focuses on
   certificate  messages,  any  untrusted ASN.1 element may be used as an
   attack  vector.  An advisory from OpenSSL describes as vulnerable "Any
   application  that  makes  use  of  OpenSSL's  ASN1  library  to  parse
   untrusted data. This includes all SSL or TLS applications, those using
   S/MIME (PKCS#7) or certificate generation routines."

   There are two certificate message attack vectors. An attacker can send
   crafted client certificate messages to a server, or attempt to cause a
   client  to  connect to a server under the attacker's control. When the
   client connects, the attacker can deliver a crafted server certificate
   message.  Note that the standards for TLS (RFC 2246) and SSL 3.0 state
   that  a  client  certificate  message  "...is  only sent if the server
   requests a certificate." To reduce exposure to these types of attacks,
   an   SSL/TLS  server  should  ignore  unsolicited  client  certificate
   messages (VU#732952).
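
   The mitigation above, sketched as an added example (not code from CERT/CC or OpenSSL): a server-side guard that refuses a client Certificate message unless the server has sent a CertificateRequest, so the untrusted body never reaches an ASN.1 parser. The class and function names are hypothetical and the sample messages are constructed; the handshake type values and the 1-byte type / 3-byte length header are from RFC 2246.

```python
"""Server-side guard: an unsolicited client Certificate body is never parsed."""

CERTIFICATE = 11           # RFC 2246 section 7.4, HandshakeType values
CERTIFICATE_REQUEST = 13


class HandshakeError(Exception):
    """Raised when a handshake message must be rejected."""


def split_handshake(msg: bytes):
    """Return (msg_type, body) for one handshake message."""
    if len(msg) < 4:
        raise HandshakeError("truncated handshake header")
    length = int.from_bytes(msg[1:4], "big")
    if length != len(msg) - 4:
        raise HandshakeError("length field does not match message size")
    return msg[0], msg[4:]


class ServerHandshakeGuard:
    """Tracks whether this server asked the client for a certificate."""

    def __init__(self):
        self.certificate_requested = False

    def sent(self, msg: bytes) -> None:
        """Record a handshake message the server is sending."""
        msg_type, _ = split_handshake(msg)
        if msg_type == CERTIFICATE_REQUEST:
            self.certificate_requested = True

    def received(self, msg: bytes):
        """Return the certificate body to parse, or None for other types."""
        msg_type, body = split_handshake(msg)
        if msg_type != CERTIFICATE:
            return None
        if not self.certificate_requested:
            raise HandshakeError("unsolicited client certificate message")
        return body


def make_msg(msg_type: int, body: bytes) -> bytes:
    """Build a constructed sample handshake message."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def demo():
    """Same client message against a server that did not ask and one that did."""
    cert_msg = make_msg(CERTIFICATE, b"\x30\x03\x02\x01\x01")  # constructed body
    quiet, asking = ServerHandshakeGuard(), ServerHandshakeGuard()
    asking.sent(make_msg(CERTIFICATE_REQUEST, b""))
    try:
        quiet.received(cert_msg)
        rejected = False
    except HandshakeError:
        rejected = True
    return rejected, asking.received(cert_msg)
```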

   NISCC  has  published  two  advisories  describing  vulnerabilities in
   OpenSSL    (006489/OpenSSL)    and   other   SSL/TLS   implementations
   (006489/TLS).  The  second advisory covers multiple vulnerabilities in
   many  vendors'  products.  Further  details,  including  vendor status
   information, are available in the following vulnerability notes.

    VU#935264 - OpenSSL ASN.1 parser insecure memory deallocation
    A vulnerability  in  the way OpenSSL deallocates memory used to store
    ASN.1 structures  could  allow a remote attacker to execute arbitrary
    code with the privileges of the process using the OpenSSL library.
    (Other resources: NISCC/006490/OpenSSL/3, OpenSSL #1, CAN-2003-0545)

    VU#255484 - OpenSSL contains integer overflow handling ASN.1 tags (1)
    An integer  overflow  vulnerability  in the way OpenSSL handles ASN.1
    tags could allow a remote attacker to cause a denial of service.
    (Other resources: NISCC/006490/OpenSSL/1, OpenSSL #2, CAN-2003-0543)

    VU#380864 - OpenSSL contains integer overflow handling ASN.1 tags (2)
    A second  integer  overflow  vulnerability in the way OpenSSL handles
    ASN.1 tags could allow a remote attacker to cause a denial of service.
    (Other resources: NISCC/006490/OpenSSL/1, OpenSSL #2, CAN-2003-0544)

    VU#686224 -  OpenSSL does not securely handle invalid public key when
    configured to ignore errors
    A vulnerability  in  the  way  OpenSSL handles invalid public keys in
    client certificate  messages could allow a remote attacker to cause a
    denial of service. This vulnerability requires as a precondition that
    an  application  is  configured  to ignore public key decoding errors,
    which is not typically the case on production systems.
    (Other resources: NISCC/006490/OpenSSL/2, OpenSSL #3)

    VU#732952 - OpenSSL accepts unsolicited client certificate messages
    OpenSSL accepts  unsolicited  client certificate messages. This could
    allow an  attacker  to exploit underlying flaws in client certificate
    handling, such as the vulnerabilities listed above.
    (Other resources: OpenSSL #4)

    VU#104280 - Multiple vulnerabilities in SSL/TLS implementations
    Multiple  vulnerabilities   exist   in   different  vendors'  SSL/TLS
    implementations. The  impacts of these vulnerabilities include remote
    execution of  arbitrary  code,  denial  of service, and disclosure of
    sensitive  information.   VU#104280   covers   an  undefined  set  of
    vulnerabilities  that   affect   SSL/TLS  implementations  from  many
    different vendors.
    (Other resources: NISCC/006490/TLS)

II. Impact

   The  impacts  of  these  vulnerabilities vary. In almost all, a remote
   attacker   could   cause  a  denial  of  service.  For  at  least  one
   vulnerability in OpenSSL (VU#935264), a remote attacker may be able to
   execute  arbitrary  code.  Please see Appendix A, the Systems Affected
   section of VU#104280, and the OpenSSL vulnerability notes for details.

III. Solution

Upgrade or apply a patch

   To  resolve  the OpenSSL vulnerabilities, upgrade to OpenSSL 0.9.7c or
   OpenSSL 0.9.6k. Alternatively, upgrade or apply a patch as directed by
   your  vendor. Recompile any applications that are statically linked to
   OpenSSL libraries.
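
   One way to find statically linked copies that still need a rebuild, as an added example (not part of the original advisory): scan a binary's bytes for the version banner OpenSSL compiles in and compare it with the fixed releases named above. The function names and the sample bytes are constructed for illustration; a file with no banner, or one linked against SSLeay, is not classified by this check.

```python
import re

# Version banner compiled into OpenSSL builds, e.g. b"OpenSSL 0.9.6g ..."
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")

# First fixed release on each branch, from the advisory's Solution section
FIXED_LETTER = {(0, 9, 6): "k", (0, 9, 7): "c"}


def is_vulnerable(branch, letter):
    """True if the version is prior to 0.9.6k / 0.9.7c, as the advisory states."""
    if branch in FIXED_LETTER:
        return letter < FIXED_LETTER[branch]  # "" (no letter) sorts before "a"
    # Branches older than 0.9.6 are prior to the fixed releases; newer
    # branches are outside the scope of this advisory.
    return branch < (0, 9, 6)


def scan(blob: bytes):
    """Return sorted (version, vulnerable) pairs for every banner in blob."""
    found = set()
    for m in BANNER.finditer(blob):
        branch = tuple(int(g) for g in m.group(1, 2, 3))
        letter = m.group(4).decode()
        version = ".".join(str(n) for n in branch) + letter
        found.add((version, is_vulnerable(branch, letter)))
    return sorted(found)


def scan_file(path):
    """Scan one file on disk, e.g. an application binary or shared library."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample standing in for the bytes of a statically linked binary
SAMPLE = (b"\x7fELF\x00\x01" + b"OpenSSL 0.9.6g\x00"
          + b"\x00" * 8 + b"OpenSSL 0.9.7c\x00")

if __name__ == "__main__":
    for version, vulnerable in scan(SAMPLE):
        print(version, "VULNERABLE" if vulnerable else "ok")
```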

   For  solutions  for  the  other  SSL/TLS  vulnerabilities  covered  by
   VU#104280,  please  see Appendix A and the Systems Affected section of

Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information, this section is updated, and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have  not  received  their  authenticated,  direct  statement. Further
   vendor  information  is  available in the Systems Affected sections of
   the vulnerability notes listed above.

AppGate Network Security AB

     The  default  configuration  of  AppGate is not vulnerable. However,
     some  extra  functionality which administrators can enable manually
     may  cause  the system to become vulnerable. For more details check
     the AppGate support pages at http://www.appgate.com/support.

Apple Computer Inc.

     Apple:  Vulnerable.  This  is  fixed  in  Mac  OS X 10.2.8 which is
     available from http://www.apple.com/support/


     Clavister Firewall: Not vulnerable
     As of version 8.3, Clavister Firewall implements an optional HTTP/S
     server  for  purposes  of  user authentication. However, since this
     implementation  does  not  support  client  certificates and has no
     ASN.1 parser code, there can be no ASN.1-related vulnerabilities as
     far as SSL is concerned.

     Earlier  versions  of  Clavister  Firewall do not implement any SSL

Cray Inc.

     Cray  Inc.  supports  OpenSSL  through its Cray Open Software (COS)
     package.  The OpenSSL version in COS 3.4 and earlier is vulnerable.
     Spr 726919 has been opened to address this.

F5 Networks

     F5  products  BIG-IP,  3-DNS, ISMan and Firepass are vulnerable. F5
     will  have ready security patches for each of these products. Go to
     ask.f5.com  for  the appropriate security response instructions for
     your product.


     Hitachi Web Server is NOT Vulnerable to this issue.


     The  AIX  Security  Team  is  aware of the issues discussed in CERT
     Vulnerability  Notes VU#255484, VU#380864, VU#686224, VU#935264 and

     OpenSSL  is available for AIX via the AIX Toolbox for Linux. Please
     note that the Toolbox is made available "as-is" and is unwarranted.
     The  Toolbox  ships  with OpenSSL 0.9.6g which is vulnerable to the
     issues  referenced  above.  A  patched  version  of OpenSSL will be
     provided  shortly and this vendor statement will be updated at that

     Please  note  that  OpenSSH,  which  is  made available through the
     Expansion Pack is not vulnerable to these issues.

     IBM eServer Platform Response
     For information related to this and other published CERT Advisories
     that  may  relate  to  the IBM eServer Platforms (xSeries, iSeries,
     pSeries, and zSeries) please go to

     In  order  to  access  this information you will require a Resource
     Link    ID.    To    subscribe    to    Resource    Link    go   to
     http://app-06.www.ibm.com/servers/resourcelink and follow the steps
     for registration.

     All questions should be referred to servsec@us.ibm.com.

Ingrian Networks

     Ingrian  Networks  is  aware  of this vulnerability and will issue a
     security advisory when our investigation is complete.

Juniper Networks

     The  OpenSSL  code  included in domestic versions of JUNOS Internet
     Software  that  runs  on  all  M-series  and  T-series  routers  is
     susceptible  to  these vulnerabilities. The SSL library included in
     Releases  2.x  and  3.x  of  SDX provisioning software for E-series
     routers is susceptible to these vulnerabilities.

     Solution Implementation
     Corrections  for  all the above vulnerabilities are included in all
     versions  of  JUNOS  built  on  or after October 2, 2003. Customers
     should  contact Juniper Networks Technical Assistance Center (JTAC)
     for instructions on obtaining and installing the corrected code.
     SDX  software  built  on  or  after  October  2,  2003, contain SSL
     libraries  with  corrected  code.  Contact JTAC for instructions on
     obtaining and installing the corrected code.


     The   vulnerabilities   referenced  by  VU#255484,  VU#380864,  and
     VU#935264   have   been  corrected  by  packages  released  in  our
     MDKSA-2003:098 advisory.

NEC Corporation

     Subject: VU#104280
     sent on October 1, 2003

     [Server Products]
     * EWS/UP 48 Series operating system
       - is NOT vulnerable.
       It doesn't include SSL/TLS implementation.


     Novell  is reviewing our application portfolio to identify products
     affected  by the vulnerabilities reported by the NISCC. We have the
     patched  OpenSSL  code and are reviewing and testing it internally,
     and preparing patches for our products that are affected. We expect
     the  first  patches to become available via our Security Alerts web
     site (http://support.novell.com/security-alerts) during the week of
     6 Oct 2003. Customers are urged to monitor our web site for patches
     to   versions  of  our  products  that  they  use  and  apply  them


     Please see OpenSSL Security Advisory [30 September 2003].

Openwall GNU/*/Linux

     Openwall  GNU/*/Linux  currently uses OpenSSL 0.9.6 branch and thus
     was  affected  by the ASN.1 parsing and client certificate handling
     vulnerabilities pertaining to those versions of OpenSSL. It was not
     affected   by   the   potentially  more  serious  incorrect  memory
     deallocation  vulnerability  (VU#935264, CVE CAN-2003-0545) that is
     specific to OpenSSL 0.9.7.

     Owl-current  as  of  2003/10/01 has been updated to OpenSSL 0.9.6k,
     thus correcting the vulnerabilities.

Red Hat

     Red  Hat  distributes  OpenSSL  0.9.6  in  various  Red  Hat  Linux
     distributions  and  with  the Stronghold secure web server. Updated
     packages  which  contain  backported  patches  for these issues are
     available  along with our advisories at the URL below. Users of the
     Red Hat Network can update their systems using the 'up2date' tool.

     Red Hat Enterprise Linux:

     Red Hat Linux 7.1, 7.2, 7.3, 8.0:

     Stronghold 4 cross-platform:

     Red  Hat  distributes  OpenSSL  0.9.7  in  Red Hat Linux 9. Updated
     packages  which  contain  backported  patches  for these issues are
     available  along  with  our advisory at the URL below. Users of the
     Red Hat Network can update their systems using the 'up2date' tool.

     Red Hat Linux 9:

Riverstone Networks

     Riverstone Networks routers are not vulnerable.


     We are aware of the issue and are diligently working on a fix.


     SGI acknowledges receiving the vulnerabilities reported by CERT and
     NISCC.  CAN-2003-0543  [VU#255484],  CAN-2003-0544  [VU#380864] and
     CAN-2003-0545  [VU#935264]  have  been  addressed  by  SGI Security
     Advisory 20030904-01-P:


     No further information is available at this time.

     For  the  protection  of  all our customers, SGI does not disclose,
     discuss  or  confirm vulnerabilities until a full investigation has
     occurred  and  any  necessary  patch(es)  or  release  streams  are
     available  for  all vulnerable and supported SGI operating systems.
     Until SGI has more definitive information to provide, customers are
     encouraged  to  assume  all security vulnerabilities as exploitable
     and  take  appropriate  steps  according  to  local  site  security
     policies   and   requirements.   As   further  information  becomes
     available,  additional advisories will be issued via the normal SGI
     security  information  distribution  methods  including the wiretap
     mailing list on http://www.sgi.com/support/security/


     Stonesoft  has  published  a  security  advisory that addresses the
     issues in vulnerability notes VU#255484 and VU#104280. The advisory
     is at http://www.stonesoft.com/document/art/3040.html


     Stunnel  requires  the OpenSSL libraries for compilation (POSIX) or
     OpenSSL  DLLs for runtime operation (Windows). While Stunnel itself
     is  not  vulnerable,  its  dependence  on  OpenSSL means that your
     installation likely is vulnerable.

     If  you  compile  from source, you need to install a non-vulnerable
     version of OpenSSL and recompile Stunnel.

     If  you  use the compiled Windows DLLs from stunnel.org, you should
     download new versions which are not vulnerable. OpenSSL 0.9.7c DLLs
     are available at

     No  new  version  of  Stunnel  source  or  executable  will be made
     available,  because  the  problems  are  inside  OpenSSL -- Stunnel
     itself does not have the vulnerability.


     All  SuSE  products  are affected. Update packages are being tested
     and will be published on Wednesday, October 1st.


     None  of  the  VanDyke  Software  products  are  subject  to  these
     vulnerabilities  due  to  the  fact that OpenSSL is not used in any
     VanDyke products.

Appendix B. References

     * CERT/CC Vulnerability Note VU#935264
     * CERT/CC Vulnerability Note VU#255484
     * CERT/CC Vulnerability Note VU#380864
     * CERT/CC Vulnerability Note VU#686224
     * CERT/CC Vulnerability Note VU#732952
     * CERT/CC Vulnerability Note VU#104280
     * OpenSSL Security Advisory [30 September 2003]
     * NISCC Vulnerability Advisory 006489/OpenSSL
     * NISCC Vulnerability Advisory 006489/TLS
     * ITU ASN.1 documentation


   NISCC  discovered  and researched these vulnerabilities; this document
   is  based  on their work. We would like to thank Stephen Henson of the
   OpenSSL  project  and  the  Oulu  University  Secure Programming Group
   (OUSPG) for their previous work in this area.

   Feedback can be directed to the author, Art Manion.

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from


   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

Getting security information

   CERT  publications  and  other security information are available from
   our web site


   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History

   October 1, 2003: Initial release


