OpenSSL on a server configured with Kerberos ciphersuites denial of service

openssl-kerberos-ciphersuites-dos (15508)

Medium Risk

Description:

OpenSSL is vulnerable to a denial of service. If a server is configured to use Kerberos ciphersuites, a remote attacker can send a specially-crafted handshake to a server that uses the OpenSSL library to cause OpenSSL to crash.

Note: Any application that uses the OpenSSL's SSL/TLS library may be vulnerable.

Platforms Affected:

• Conectiva, Linux 8.0
• Conectiva, Linux 9.0
• Gentoo, Linux
• HP, HP-UX 11.00
• HP, HP-UX 11.11
• HP, HP-UX 11.22
• HP, HP-UX 11.23
• MandrakeSoft, Mandrake Linux 9.0
• MandrakeSoft, Mandrake Linux 9.1
• MandrakeSoft, Mandrake Linux 9.1 PPC
• MandrakeSoft, Mandrake Linux 9.2
• MandrakeSoft, Mandrake Linux 9.2 AMD64
• MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 2.1
• MandrakeSoft, Mandrake Multi Network Firewall 8.2
• NetBSD, NetBSD 1.5
• NetBSD, NetBSD 1.5.1
• NetBSD, NetBSD 1.5.2
• NetBSD, NetBSD 1.5.3
• NetBSD, NetBSD 1.6
• NetBSD, NetBSD 1.6.1
• NetBSD, NetBSD 1.6.2
• NetBSD, NetBSD CURRENT
• OpenPKG, OpenPKG 1.3
• OpenPKG, OpenPKG 2.0
• OpenPKG, OpenPKG CURRENT
• OpenSSL, OpenSSL 0.9.7a
• OpenSSL, OpenSSL 0.9.7b
• OpenSSL, OpenSSL 0.9.7c
• RedHat, Enterprise Linux 3 Desktop
• RedHat, Enterprise Linux 3 AS
• RedHat, Enterprise Linux 3 ES
• RedHat, Enterprise Linux 3 WS
• RedHat, Linux 9.0
• SCO, SCO OpenServer 5.0.6
• SCO, SCO OpenServer 5.0.7
• SCO, SCO UnixWare 7.1.1
• SCO, SCO UnixWare 7.1.3
• SGI, IRIX 6.5.20f
• SGI, IRIX 6.5.20m
• SGI, IRIX 6.5.21f
• SGI, IRIX 6.5.21m
• SGI, IRIX 6.5.22m
• SGI, IRIX 6.5.23m
• SGI, IRIX 6.5.24m
• Sun, Solaris 8
• Sun, Solaris 9
• SuSE, Linux Enterprise Server 8
• SuSE, SuSE eMail Server 3.1
• SuSE, SuSE eMail Server III
• SuSE, SuSE Linux 8.0
• SuSE, SuSE Linux 8.1
• SuSE, SuSE Linux 8.2
• SuSE, SuSE Linux 9.0
• SuSE, SuSE Linux Connectivity Server
• SuSE, SuSE Linux Database Server
• SuSE, SuSE Linux Enterprise Server 7.0
• SuSE, SuSE Linux Firewall
• SuSE, SuSE Linux Office Server
• Trustix, Secure Linux 1.5
• Trustix, Secure Linux 2.0
• Trustix, Secure Linux 2.1
• Turbolinux, Turbolinux 10 Desktop
• Turbolinux, Turbolinux 7 Server
• Turbolinux, Turbolinux 7 Workstation
• Turbolinux, Turbolinux 8 Server
• Turbolinux, Turbolinux 8 Workstation
• Turbolinux, Turbolinux Advanced Server 6
• Turbolinux, Turbolinux Appliance Server 1.0 Hosting Ed
• Turbolinux, Turbolinux Appliance Server 1.0 Workgroup Ed
• Turbolinux, Turbolinux Server 6.1
• Turbolinux, Turbolinux Server 6.5
• Turbolinux, Turbolinux Workstation 6.0

Remedy:

Upgrade to the latest version of OpenSSL (0.9.7d or 0.9.6m), as listed in OpenSSL Security Advisory [17 March 2004]. See References.

Recompile applications that are statically linked to OpenSSL libraries.

For Mandrake Linux:
Upgrade to the latest openssl package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2004:023 : openssl for more information. See References.

Mandrake Linux 9.0: 0.9.6i-1.7.90mdk or later
Mandrake Linux 9.1: 0.9.7a-1.3.91mdk or later
Mandrake Linux 9.2: 0.9.7b-4.2.92mdk or later
Mandrake Linux Multi Network Firewall 8.2: 0.9.6i-1.6.M82mdk or later
Mandrake Linux Corporate Server 2.1: 0.9.6i-1.7.C21mdk or later

For Red Hat Linux 9:
Upgrade to the latest openssl package (0.9.7a-20.2 or later), as listed in RHSA-2004:121-01. See References.

For SuSE Linux:
Upgrade to the latest openssl package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2004:007 for more information. See References.

SuSE Linux 9.0 (Intel): 0.9.7b-133 or later
SuSE Linux 8.2: 0.9.6i-21 or later
SuSE Linux 8.1: 0.9.6g-114 or later
SuSE Linux 8.0: 0.9.6c-87 or later

For Gentoo Linux:
Upgrade to the latest version of openssl (0.9.7d or 0.9.6m or later), as listed in GLSA 200403-03. See References.

For Trustix Secure Linux:
Upgrade to the latest openssl package, as listed below. Refer to Trustix Secure Linux Security Advisory #2004-0012 for more information. See References.

Trustix Secure Linux 1.5: 0.9.6-17tr or later
Trustix Secure Linux 2.0: 0.9.7c-2tr or later
Trustix Secure Linux 2.1: 0.9.7c-5tr or later

For Conectiva Linux:
Upgrade to the latest openssl package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:834 for more information. See References.

Conectiva Linux 8: 0.9.6c-2U80_8cl or later
Conectiva Linux 9: 0.9.7a-28910U90_2cl or later

For NetBSD-current (dated prior to 2004-22-03), 1.5, .6, and 2.0 branch:
Upgrade to the appropriate fixed versions of NetBSD, as listed in NetBSD Security Advisory 2004-005. See References.

For HP-UX:

Apply the update for this vulnerability, as listed in Hewlett-Packard Security Bulletin HPSBUX01019. See References.

For Sun Solaris:
Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 57571 for more information. See References.

SPARC Platform:
Sun Crypto Accelerator 4000 v1.0 (for Solaris 8 and Solaris 9) without patch 114796-04 or later

For SCO OpenServer 5.0.6, and 5.0.7:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2004.10.1. See References.

For SGI IRIX:
Upgrade to the latest version of IRIX, as listed in SGI Security Advisory 20041101-01-P. See References.

For SCO UnixWare 7.1.3:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2005.7. See References.

For SCO UnixWare 7.1.1:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2005.7. See References.

For OpenPKG:
Refer to OpenPKG Security Advisory OpenPKG-SA-2004.007 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Denial of Service

References:

• CIAC Information Bulletin O-101, OpenSSL Denial of Service Vulnerability [REVISED 12 July 2004] at http://www.ciac.org/ciac/bulletins/o-101.shtml.
• CIAC Information Bulletin O-101, OpenSSL Denial of Service Vulnerability at http://www.ciac.org/ciac/bulletins/o-101.shtml.
• CIAC Information Bulletin P-276, Apple Security Update 2005-007 at http://www.ciac.org/ciac/bulletins/p-276.shtml.
• cisco-sa-20040317-openssl, Cisco Security Advisory: Cisco OpenSSL Implementation Vulnerability at http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml.
• Conectiva Linux Security Announcement CLSA-2004:834, openssl at http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000834.
• GLSA 200403-03, Multiple OpenSSL Vulnerabilities at http://www.linuxsecurity.com/content/view/105856/104/. (From LinuxSecurity archive)
• NetBSD Security Advisory 2004-005, Denial of service vulnerabilities in OpenSSL at http://www.linuxsecurity.com/content/view/105972/107/.
• NISCC Vulnerability Advisory 224012, Vulnerability Issues in OpenSSL at http://www.uniras.gov.uk/niscc/docs/re-20040317-00389.pdf?lang=en.
• OpenSSL Security Advisory [17 March 2004], Updated versions of OpenSSL are now available which correct two security issues: at http://www.openssl.org/news/secadv_20040317.txt.
• SCO Security Advisory SCOSA-2004.10, OpenSSL Multiple Vulnerabilities at ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.10/SCOSA-2004.10.txt.
• SCO Security Advisory SCOSA-2004.10.1, OpenSSL Multiple Vulnerabilities at ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.10/SCOSA-2004.10.1.txt.
• SCO Security Advisory SCOSA-2005.7, OpenSSL Multiple Vulnerabilities at ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.7/SCOSA-2005.7.txt.
• Sun Alert ID: 57524, Potential SSL Vulnerabilities in Sun Products at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57524&zone_32=security.
• Sun Alert ID: 57571, Sun Crypto Accelerator 4000 v1.0 Software May be Susceptible to OpenSSL Security Vulnerabilities at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57571&zone_32=security.
• Trustix Secure Linux Security Advisory #2004-0012, openssl at http://www.linuxsecurity.com/content/view/105859/109/.
• BID-14567: Apple Mac OS X Multiple Vulnerabilities
• BID-9899: OpenSSL Denial of Service Vulnerabilities
• CVE-2004-0112: The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.
• GLSA-200403-03: Multiple OpenSSL Vulnerabilities
• MDKSA-2004:023: Updated openssl packages fix multiple vulnerabilities
• OpenPKG-SA-2004.007: OpenSSL
• RHSA-2004-120: openssl security update
• RHSA-2004-121: Updated OpenSSL packages fix vulnerabilities
• SA11139: OpenSSL SSL/TLS Handshake Denial of Service Vulnerabilities
• SUSE-SA:2004:007: openssl: remote denial-of-service

Reported:

Mar 17, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page