[security-announce] Critical OpenSSL Security Advisory

Sona Sarmadi sona.sarmadi at enea.com
Thu Oct 16 18:12:57 CEST 2014


===================================================================

Enea Security Advisory

Product: OpenSSL

Severity: Critical

Issue date: 2014-10-16

CVE Names: CVE-2014-3566, CVE-2014-3513, CVE-2014-3567 and CVE-2014-3568

===================================================================



Following security patches that fixes SSLv3 vulnerabilities;

CVE-2014-3566, CVE-2014-3513, CVE-2014-3567 and CVE-2014-3568,

is now available on http://linux.enea.com/4.0/patches/ folder.



0001-Fix-for-OpenSSL-CVE-2014-3566.patch

0002-Fix-for-OpenSSL-CVE-2014-3513.patch

0003-Fix-for-OpenSSL-CVE-2014-3567.patch

0004-Fix-for-OpenSSL-CVE-2014-3568.patch



These patches address the following vulnerabilities:



CVE-2014-3566<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566>

========================================

OpenSSL: SSLv3 POODLE vulnerability



The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other

products, uses nondeterministic CBC padding, which makes it easier

for man-in-the-middle attackers to obtain cleartext data via a

padding-oracle attack, aka the "POODLE" issue.



CVE-2014-3513<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513>

========================================

OpenSSL: SRTP Memory Leak



A flaw in the DTLS SRTP extension parsing code allows an attacker, who

sends a carefully crafted handshake message, to cause OpenSSL to fail

to free up to 64k of memory causing a memory leak. This could be

exploited in a Denial Of Service attack. This issue affects OpenSSL

1.0.1 server implementations for both SSL/TLS and DTLS regardless of

whether SRTP is used or configured. Implementations of OpenSSL that

have been compiled with OPENSSL_NO_SRTP defined are not affected.



CVE-2014-3567<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567>

========================================

OpenSSL: session tickets memory leak



When an OpenSSL SSL/TLS/DTLS server receives a session ticket the

integrity of that ticket is first verified. In the event of a session

ticket integrity check failing, OpenSSL will fail to free memory

causing a memory leak. By sending a large number of invalid session

tickets an attacker could exploit this issue in a Denial Of Service

attack.



CVE-2014-3568<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568>

========================================

OpenSSL: Fix no-ssl3 configuration option, CVE-2014-3568

When an OpenSSL SSL/TLS/DTLS server receives a session ticket the

integrity of that ticket is first verified. In the event of a session

ticket integrity check failing, OpenSSL will fail to free memory

causing a memory leak. By sending a large number of invalid session

tickets an attacker could exploit this issue in a Denial Of Service

attack.



References

==========

https://www.openssl.org/news/secadv_20141015.txt

https://www.openssl.org/~bodo/ssl-poodle.pdf



Contact info

=========

If you have any questions regarding the security patches and security updates please contact sona.sarmadi at enea.com or security at enea.com.





Sona Sarmadi

-----------------

ESRT (Enea Security Response Team)

Software Engineer/Security Responsible for Enea Linux

Enea

Jan Stenbecks torg 17,

Box 1033, SE-164 21 Kista, Sweden

Direct: +46 8 5071  4475

Mobile: +46 70 971 4475

sona.sarmadi at enea.com

www.enea.com



This message, including attachments, is CONFIDENTIAL. It may also be privileged or otherwise protected by law. If you received this email by mistake please let us know by reply and then delete it from your system; you should not copy it or disclose its contents to anyone.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20141016/1d2cce1b/attachment.html>


More information about the security-announce mailing list