[security-announce] Security Update: OpenSSL: Multiple CVE fixes

Sona Sarmadi sona.sarmadi at enea.com
Mon Sep 26 14:48:54 CEST 2016


		Enea Linux Security Advisory

====================================================================
Product/package: Enea Linux 6.0: (OpenSSL 1.0.2h)
Severity: See below
Architecture: all
CVE Name: See below
====================================================================
This security update addresses the following vulnerabilities in OpenSSL 1.0.2h:

CVE-2016-6306
CVE-2016-6304
CVE-2016-6303
CVE-2016-6302
CVE-2016-2182
CVE-2016-2181
CVE-2016-2180
CVE-2016-2179
CVE-2016-2178

Certificate message OOB reads (CVE-2016-6306)
=============================================
Severity: Low

In OpenSSL 1.0.2 and earlier some missing message length checks can
result in OOB reads of up to 2 bytes beyond an allocated buffer. There
is a theoretical DoS risk but this has not been observed in practice on
common platforms.

This issue was reported to OpenSSL on 22nd August 2016 by Shi Lei (Gear
Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the
OpenSSL development team.

OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
=====================================================================
Severity: High

A malicious client can send an excessively large OCSP Status Request
extension. If that client continually requests renegotiation, sending a
large OCSP Status Request extension each time, then there will be
unbounded memory growth on the server. This will eventually lead to a
Denial Of Service attack through memory exhaustion. Servers with a
default configuration are vulnerable even if they do not support OCSP.
Builds using the "no-ocsp" build time option are not affected.

This issue was reported to OpenSSL on 29th August 2016 by Shi Lei (Gear
Team, Qihoo 360 Inc.). The fix was developed by Matt Caswell of the
OpenSSL development team.
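The growth pattern described above, modelled in C as an added example (this is not OpenSSL's code): a per-connection store for the parsed extension that is reassigned on every renegotiation without releasing the previous copy, beside the form that frees the old copy first. The conn_state fields, the heap_in_use tally and the renegotiation loop are constructed for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed per-connection state holding the last parsed OCSP Status Request. */
typedef struct { unsigned char *ocsp_ids; size_t ocsp_ids_len; size_t heap_in_use; } conn_state;

/* Flawed (the CVE-2016-6304 pattern): each (re)negotiation stores a fresh copy of
 * the extension and simply overwrites the pointer to the previous handshake's copy. */
static int parse_status_request_flawed(conn_state *c, const unsigned char *ext, size_t len) {
    unsigned char *copy = malloc(len);
    if (!copy) return 0;
    memcpy(copy, ext, len);
    c->ocsp_ids = copy; c->ocsp_ids_len = len;   /* old allocation is now unreachable */
    c->heap_in_use += len;
    return 1;
}

/* Fixed: release the previous handshake's copy before storing the new one. */
static int parse_status_request_fixed(conn_state *c, const unsigned char *ext, size_t len) {
    unsigned char *copy = malloc(len);
    if (!copy) return 0;
    memcpy(copy, ext, len);
    free(c->ocsp_ids); c->heap_in_use -= c->ocsp_ids_len;
    c->ocsp_ids = copy; c->ocsp_ids_len = len;
    c->heap_in_use += len;
    return 1;
}

/* Constructed scenario: a client renegotiates `rounds` times, each time sending an
 * extension of ext_len bytes. Returns the heap bytes the connection holds afterwards. */
static size_t heap_after_renegotiations(int (*parse)(conn_state *, const unsigned char *, size_t),
                                        int rounds, size_t ext_len) {
    conn_state c = {NULL, 0, 0};
    unsigned char *ext = calloc(ext_len, 1);     /* constructed extension body */
    for (int i = 0; i < rounds && ext; i++) parse(&c, ext, ext_len);
    size_t held = c.heap_in_use;
    free(c.ocsp_ids);                            /* copies leaked by the flawed parser stay lost */
    free(ext);
    return held;
}
```

With 100 renegotiations of a 16 KiB extension the flawed parser holds 100 times the extension size; the fixed one holds a single copy regardless of how often the client renegotiates.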


OOB write in MDC2_Update() (CVE-2016-6303)
==========================================
Severity: Low

An overflow can occur in MDC2_Update() either if called directly or
through the EVP_DigestUpdate() function using MDC2. If an attacker
is able to supply very large amounts of input data after a previous
call to EVP_EncryptUpdate() with a partial block then a length check
can overflow resulting in a heap corruption.

The amount of data needed is comparable to SIZE_MAX which is impractical
on most platforms.

This issue was reported to OpenSSL on 11th August 2016 by Shi Lei (Gear
Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the
OpenSSL development team.


Malformed SHA512 ticket DoS (CVE-2016-6302)
===========================================
Severity: Low

If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to
a DoS attack where a malformed ticket will result in an OOB read which
will ultimately crash.

The use of SHA512 in TLS session tickets is comparatively rare as it
requires a custom server callback and ticket lookup mechanism.

This issue was reported to OpenSSL on 19th August 2016 by Shi Lei (Gear
Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the
OpenSSL development team.

OOB write in BN_bn2dec() (CVE-2016-2182)
========================================
Severity: Low

The function BN_bn2dec() does not check the return value of
BN_div_word(). This can cause an OOB write if an application uses this
function with an overly large BIGNUM. This could be a problem if an
overly large certificate or CRL is printed out from an untrusted source.
TLS is not affected because record limits will reject an oversized
certificate before it is parsed.

This issue was reported to OpenSSL on 2nd August 2016 by Shi Lei (Gear
Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the
OpenSSL development team.

DTLS replay protection DoS (CVE-2016-2181)
==========================================
Severity: Low

A flaw in the DTLS replay attack protection mechanism means that records
that arrive for future epochs update the replay protection "window"
before the MAC for the record has been validated. This could be
exploited by an attacker by sending a record for the next epoch (which
does not have to decrypt or have a valid MAC), with a very large
sequence number. This means that all subsequent legitimate packets are
dropped causing a denial of service for a specific DTLS connection.

This issue was reported to OpenSSL on 21st November 2015 by the OCAP
audit team. The fix was developed by Matt Caswell of the OpenSSL
development team.
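The ordering flaw described above, as an added example in C rather than OpenSSL's own DTLS code: a 64-record sliding replay window with the window updated before MAC verification (the flawed order) beside the same window updated only after verification. Epochs are folded into a single sequence counter and mac_ok stands in for the MAC check; the scenario with one bogus record followed by legitimate ones is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
/* 64-record sliding replay window of the kind DTLS uses (RFC 6347 4.1.2.6):
 * top = highest sequence number accepted; bit i of bitmap = record top-i seen. */
typedef struct { uint64_t top, bitmap; bool started; } replay_window;

/* True if seq is neither a replay nor too old. Does not modify the window. */
static bool window_check(const replay_window *w, uint64_t seq) {
    if (!w->started || seq > w->top) return true;
    uint64_t diff = w->top - seq;
    if (diff >= 64) return false;                  /* fell off the left edge */
    return !(w->bitmap & ((uint64_t)1 << diff));   /* already seen? */
}

static void window_update(replay_window *w, uint64_t seq) {
    if (!w->started || seq > w->top) {             /* slide the window right */
        uint64_t shift = w->started ? seq - w->top : 0;
        w->bitmap = (shift >= 64) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1;
        w->top = seq; w->started = true;
    } else {
        w->bitmap |= (uint64_t)1 << (w->top - seq);
    }
}

/* mac_ok stands in for the outcome of MAC verification of the record. */
typedef struct { uint64_t seq; bool mac_ok; } record;
/* Flawed order (the CVE-2016-2181 pattern): the window moves before the MAC is
 * checked, so one unauthenticated record with a huge sequence number makes every
 * later legitimate record look "too old". */
static bool recv_flawed(replay_window *w, record r) {
    if (!window_check(w, r.seq)) return false;
    window_update(w, r.seq);
    return r.mac_ok;
}

/* Fixed order: only records that pass MAC verification advance the window. */
static bool recv_fixed(replay_window *w, record r) {
    if (!window_check(w, r.seq) || !r.mac_ok) return false;
    window_update(w, r.seq);
    return true;
}

/* Constructed scenario: legitimate records 1..3, one bogus record (seq 2^40, bad
 * MAC), then legitimate 4..6. Returns how many of records 4..6 were accepted. */
static int legit_accepted_after_bogus(bool (*recv)(replay_window *, record)) {
    replay_window w = {0, 0, false};
    for (uint64_t s = 1; s <= 3; s++) recv(&w, (record){s, true});
    recv(&w, (record){(uint64_t)1 << 40, false});
    int accepted = 0;
    for (uint64_t s = 4; s <= 6; s++) accepted += recv(&w, (record){s, true});
    return accepted;
}
```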


OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
==============================================
Severity: Low

The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value
is the total length the OID text representation would use and not the
amount of data written. This will result in OOB reads when large OIDs
are presented.

This issue was reported to OpenSSL on 21st July 2016 by Shi Lei (Gear
Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the
OpenSSL development team.
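The return-value misuse described above, as an added example rather than OpenSSL's code: oid_to_text() is a stand-in for OBJ_obj2txt() that, like it, returns the length the full text needs (snprintf-style) rather than the number of bytes written, and the two callers show the flawed and the corrected way of using that value. OBJ_TXT_LEN, the function names and the sample OIDs are constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#define OBJ_TXT_LEN 128   /* fixed-size text buffer, as a printing routine would use */
/* Stand-in for OBJ_obj2txt(): formats the dotted OID into buf (truncated but
 * NUL-terminated if it does not fit) and returns the length the FULL text
 * needs, snprintf-style, which is NOT the number of bytes written. */
static int oid_to_text(char *buf, size_t buf_len, const unsigned *arcs, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        int room = total < buf_len;
        int w = snprintf(room ? buf + total : NULL, room ? buf_len - total : 0,
                         i ? ".%u" : "%u", arcs[i]);
        if (w < 0) return -1;
        total += (size_t)w;
    }
    return (int)total;
}

/* Flawed (the CVE-2016-2180 pattern): treats the return value as "bytes in
 * obj_txt", so for a long OID the output routine is told to read past the buffer. */
static size_t bytes_written_flawed(const unsigned *arcs, size_t n) {
    char obj_txt[OBJ_TXT_LEN];
    int len = oid_to_text(obj_txt, sizeof obj_txt, arcs, n);
    return len < 0 ? 0 : (size_t)len;
}

/* Fixed: a return value >= buffer size means the text was truncated; clamp to
 * what is actually in the buffer and report the truncation to the caller. */
static size_t bytes_written_fixed(const unsigned *arcs, size_t n, int *truncated) {
    char obj_txt[OBJ_TXT_LEN];
    int len = oid_to_text(obj_txt, sizeof obj_txt, arcs, n);
    if (len < 0) return 0;
    *truncated = (size_t)len >= sizeof obj_txt;
    return *truncated ? sizeof obj_txt - 1 : (size_t)len;
}

/* How many bytes past the end of obj_txt the flawed caller would read for this OID. */
static size_t overread_bytes(const unsigned *arcs, size_t n) {
    size_t l = bytes_written_flawed(arcs, n);
    return l > OBJ_TXT_LEN ? l - OBJ_TXT_LEN : 0;
}

/* Constructed inputs: a normal OID (rsaEncryption) and a 40-arc OID of maximal arcs. */
static const unsigned OID_RSA[] = {1, 2, 840, 113549, 1, 1, 1};
static size_t long_oid_overread(void) {
    unsigned arcs[40];
    for (size_t i = 0; i < 40; i++) arcs[i] = 4294967295u;
    return overread_bytes(arcs, 40);
}
```

For the 40-arc OID the text needs 439 bytes, so the flawed caller reads 311 bytes beyond the 128-byte buffer, while the fixed caller emits the 127 bytes that were actually written and flags the truncation.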

DTLS buffered message DoS (CVE-2016-2179)
=========================================
Severity: Low

In a DTLS connection where handshake messages are delivered out-of-order
those messages that OpenSSL is not yet ready to process will be buffered
for later use. Under certain circumstances, a flaw in the logic means
that those messages do not get removed from the buffer even though the
handshake has been completed.
An attacker could force up to approx. 15 messages to remain in the
buffer when they are no longer required. These messages will be cleared
when the DTLS connection is closed. The default maximum size for a
message is 100k.

This issue was reported to OpenSSL on 22nd June 2016 by Quan Luo. The
fix was developed by Matt Caswell of the OpenSSL development team.

Constant time flag not preserved in DSA signing (CVE-2016-2178)
===============================================================
Severity: Low

Operations in the DSA signing algorithm should run in constant time in
order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.

This issue was reported to OpenSSL on 23rd May 2016 by César Pereida
(Aalto University), Billy Brumley (Tampere University of Technology),
and Yuval Yarom (The University of Adelaide and NICTA). The fix was
developed by César Pereida.

Reference:
===========
https://www.openssl.org/news/secadv/20160922.txt


Correction for Enea Linux
=========================
CVE-2016-6306:
http://git.enea.com/cgit/linux/meta-el-common.git/patch/?id=f73e0eb5d77764c00d6ae8db10528522fc8516bc

CVE-2016-6304:
http://git.enea.com/cgit/linux/meta-el-common.git/patch/?id=35f3007f0e0c56bc2f96ab5893686191d099949f

CVE-2016-6303:
http://git.enea.com/cgit/linux/meta-el-common.git/patch/?id=744b01090f6cf4984c11bb682693647a62103644

CVE-2016-6302:
http://git.enea.com/cgit/linux/meta-el-common.git/patch/?id=8ac9ad185c0889af0bfb2fcd90a6987cb972eb0a

CVE-2016-2182:
http://git.enea.com/cgit/linux/meta-el-common.git/patch/?id=c95a5d22dedc5701d18e91e40a0c54802915187d

CVE-2016-2181:
http://git.enea.com/cgit/linux/meta-el-common.git/patch/?id=f0e2e3d84763477138d902f7d48ac2658266aa2b

CVE-2016-2180:
http://git.enea.com/cgit/linux/meta-el-common.git/patch/?id=5493231d1ff5e9b259cd074245e909b5e39d926e

CVE-2016-2179:
http://git.enea.com/cgit/linux/meta-el-common.git/patch/?id=331ca6f05824e5b005cbf504233b3c72275181d5

CVE-2016-2178:
http://git.enea.com/cgit/linux/meta-el-common.git/patch/?id=ac47871dfb962355c3c8971cd2fde2e4d03c9790


How to get the latest patches
=============================
- If you have already cloned the needed repositories, update them to get
the new security patches:

$ cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned the needed repositories, do so as described
below. (Security patches are fetched implicitly when cloning the repos.)

Use the repo tool to download the source for Enea Linux, following the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
$ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2. Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init \
-u git://git.enea.com/linux/el_manifests-standard.git \
-b krogoth \
-m <manifest file>
$ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPCC: qemuppc/default.xml
QEMUX86: qemux86/default.xml

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
