OpenSSL on a server configured with Kerberos ciphersuites denial of service

openssl-kerberos-ciphersuites-dos (15508) Risk level: Medium

Description:

OpenSSL is vulnerable to a denial of service. If a server is configured to use Kerberos ciphersuites, a remote attacker can send a specially-crafted handshake to a server that uses the OpenSSL library to cause OpenSSL to crash.

Note: Any application that uses OpenSSL's SSL/TLS library may be vulnerable.

Consequences:

Denial of Service

Remedy:

Upgrade to the latest version of OpenSSL (0.9.7d or 0.9.6m), as listed in OpenSSL Security Advisory [17 March 2004]. See References.

Recompile applications that are statically linked to OpenSSL libraries.

For Mandrake Linux:
Upgrade to the latest openssl package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2004:023 (openssl) for more information. See References.

Mandrake Linux 9.0: 0.9.6i-1.7.90mdk or later
Mandrake Linux 9.1: 0.9.7a-1.3.91mdk or later
Mandrake Linux 9.2: 0.9.7b-4.2.92mdk or later
Mandrake Linux Multi Network Firewall 8.2: 0.9.6i-1.6.M82mdk or later
Mandrake Linux Corporate Server 2.1: 0.9.6i-1.7.C21mdk or later

For Red Hat Linux 9:
Upgrade to the latest openssl package (0.9.7a-20.2 or later), as listed in RHSA-2004:121-01. See References.

For SuSE Linux:
Upgrade to the latest openssl package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2004:007 for more information. See References.

SuSE Linux 9.0 (Intel): 0.9.7b-133 or later
SuSE Linux 8.2: 0.9.6i-21 or later
SuSE Linux 8.1: 0.9.6g-114 or later
SuSE Linux 8.0: 0.9.6c-87 or later

For Gentoo Linux:
Upgrade to the latest version of openssl (0.9.7d or 0.9.6m or later), as listed in GLSA 200403-03. See References.

For Trustix Secure Linux:
Upgrade to the latest openssl package, as listed below. Refer to Trustix Secure Linux Security Advisory #2004-0012 for more information. See References.

Trustix Secure Linux 1.5: 0.9.6-17tr or later
Trustix Secure Linux 2.0: 0.9.7c-2tr or later
Trustix Secure Linux 2.1: 0.9.7c-5tr or later

For Conectiva Linux:
Upgrade to the latest openssl package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:834 for more information. See References.

Conectiva Linux 8: 0.9.6c-2U80_8cl or later
Conectiva Linux 9: 0.9.7a-28910U90_2cl or later

For NetBSD-current (dated prior to 2004-22-03) and the 1.5, 1.6, and 2.0 branches:
Upgrade to the appropriate fixed versions of NetBSD, as listed in NetBSD Security Advisory 2004-005. See References.

For HP-UX:

Apply the update for this vulnerability, as listed in Hewlett-Packard Security Bulletin HPSBUX01019. See References.

For Sun Solaris:
Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 57571 for more information. See References.

SPARC Platform:
Sun Crypto Accelerator 4000 v1.0 (for Solaris 8 and Solaris 9): apply patch 114796-04 or later

For SCO OpenServer 5.0.6 and 5.0.7:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2004.10.1. See References.

For SGI IRIX:
Upgrade to the latest version of IRIX, as listed in SGI Security Advisory 20041101-01-P. See References.

For SCO UnixWare 7.1.3:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2005.7. See References.

For SCO UnixWare 7.1.1:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2005.7. See References.

For OpenPKG:
Refer to OpenPKG Security Advisory OpenPKG-SA-2004.007 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • Conectiva Linux 8.0
  • Conectiva Linux 9.0
  • Gentoo Linux
  • HP HP-UX 11.00
  • HP HP-UX 11.11
  • HP HP-UX 11.22
  • HP HP-UX 11.23
  • MandrakeSoft Mandrake Linux 9.0
  • MandrakeSoft Mandrake Linux 9.1 PPC
  • MandrakeSoft Mandrake Linux 9.1
  • MandrakeSoft Mandrake Linux 9.2
  • MandrakeSoft Mandrake Linux 9.2 AMD64
  • MandrakeSoft Mandrake Linux Corporate Server 2.1 X86_64
  • MandrakeSoft Mandrake Linux Corporate Server 2.1
  • MandrakeSoft Mandrake Multi Network Firewall 8.2
  • NetBSD NetBSD 1.5
  • NetBSD NetBSD 1.5.1
  • NetBSD NetBSD 1.5.2
  • NetBSD NetBSD 1.5.3
  • NetBSD NetBSD 1.6
  • NetBSD NetBSD 1.6.1
  • NetBSD NetBSD 1.6.2
  • NetBSD NetBSD CURRENT
  • Novell SuSE Linux Enterprise Server 7.0
  • OpenPKG OpenPKG 1.3
  • OpenPKG OpenPKG 2.0
  • OpenPKG OpenPKG CURRENT
  • OpenSSL OpenSSL 0.9.7a
  • OpenSSL OpenSSL 0.9.7b
  • OpenSSL OpenSSL 0.9.7c
  • RedHat Enterprise Linux 3 Desktop
  • RedHat Enterprise Linux 3 AS
  • RedHat Enterprise Linux 3 ES
  • RedHat Enterprise Linux 3 WS
  • RedHat Linux 9.0
  • SCO SCO OpenServer 5.0.6
  • SCO SCO OpenServer 5.0.7
  • SCO SCO UnixWare 7.1.1
  • SCO SCO UnixWare 7.1.3
  • SGI IRIX 6.5.20f
  • SGI IRIX 6.5.20m
  • SGI IRIX 6.5.21f
  • SGI IRIX 6.5.21m
  • SGI IRIX 6.5.22m
  • SGI IRIX 6.5.23m
  • SGI IRIX 6.5.24m
  • Sun Solaris 8
  • Sun Solaris 9
  • SuSE Linux Enterprise Server 8
  • SuSE SuSE eMail Server 3.1
  • SuSE SuSE eMail Server III
  • SUSE SuSE Linux 8.0
  • SUSE SuSE Linux 8.1
  • SUSE SuSE Linux 8.2
  • SUSE SuSE Linux 9.0
  • SuSE SuSE Linux Connectivity Server
  • SuSE SuSE Linux Database Server
  • SuSE SuSE Linux Firewall
  • SuSE SuSE Linux Office Server
  • Trustix Secure Linux 1.5
  • Trustix Secure Linux 2.0
  • Trustix Secure Linux 2.1
  • Turbolinux Turbolinux 10 Desktop
  • Turbolinux Turbolinux 7 Server
  • Turbolinux Turbolinux 7 Workstation
  • Turbolinux Turbolinux 8 Server
  • Turbolinux Turbolinux 8 Workstation
  • Turbolinux Turbolinux Advanced Server 6
  • Turbolinux Turbolinux Appliance Server 1.0 Hosting Ed
  • Turbolinux Turbolinux Appliance Server 1.0 Workgroup Ed
  • Turbolinux Turbolinux Server 6.1
  • Turbolinux Turbolinux Server 6.5
  • Turbolinux Turbolinux Workstation 6.0

Reported:

Mar 17, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
