ID

VAR-201408-0081

CVE

CVE-2014-3511

TITLE

OpenSSL CVE-2014-3511 Man in the Middle Security Bypass Vulnerability

DESCRIPTION

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue. OpenSSL is prone to security-bypass vulnerability. Successfully exploiting these issues may allow attackers to perform unauthorized actions by conducting a man-in-the-middle attack. This may lead to other attacks. OpenSSL 1.0.1 versions prior to 1.0.1i are vulnerable. - The Bash Shell vulnerability known as "Shellshock" which could be exploited remotely resulting in Denial of Service (DoS) or execution of code. References: CVE-2009-3555 Unauthorized Modification CVE-2014-0160 Heartbleed - Disclosure of Information CVE-2014-0195 Remote Code Execution, Denial of Service (DoS) CVE-2014-3505 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3506 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3507 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3508 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3509 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3510 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3511 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3512 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3566 POODLE - Remote Disclosure of Information CVE-2014-5139 Shellshock - Remote Denial of Service (DoS) SSRT101846 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-14:18.openssl Security Advisory The FreeBSD Project Topic: OpenSSL multiple vulnerabilities Category: contrib Module: openssl Announced: 2014-09-09 Affects: All supported versions of FreeBSD. Corrected: 2014-08-07 21:04:42 UTC (stable/10, 10.0-STABLE) 2014-09-09 10:09:46 UTC (releng/10.0, 10.0-RELEASE-p8) 2014-08-07 21:06:34 UTC (stable/9, 9.3-STABLE) 2014-09-09 10:13:46 UTC (releng/9.3, 9.3-RELEASE-p1) 2014-09-09 10:13:46 UTC (releng/9.2, 9.2-RELEASE-p11) 2014-09-09 10:13:46 UTC (releng/9.1, 9.1-RELEASE-p18) 2014-08-07 21:06:34 UTC (stable/8, 8.4-STABLE) 2014-09-09 10:13:46 UTC (releng/8.4, 8.4-RELEASE-p15) CVE Name: CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3510, CVE-2014-3509, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. II. Problem Description The receipt of a specifically crafted DTLS handshake message may cause OpenSSL to consume large amounts of memory. [CVE-2014-3506] The receipt of a specifically crafted DTLS packet could cause OpenSSL to leak memory. [CVE-2014-3507] A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. [CVE-2014-3508] OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. [CVE-2014-3510] The following problems affect FreeBSD 10.0-RELEASE and later: If a multithreaded client connects to a malicious server using a resumed session and the server sends an ec point format extension it could write up to 255 bytes to freed memory. [CVE-2014-3511] A malicious client or server can send invalid SRP parameters and overrun an internal buffer. [CVE-2014-3512] A malicious server can crash the client with a NULL pointer dereference by specifying a SRP ciphersuite even though it was not properly negotiated with the client. [CVE-2014-5139] III. Impact A remote attacker may be able to cause a denial of service (application crash, large memory consumption), obtain additional information, cause protocol downgrade. Additionally, a remote attacker may be able to run arbitrary code on a vulnerable system if the application has been set up for SRP. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 10.0] # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch.asc # gpg --verify openssl-10.0.patch.asc [FreeBSD 9.3] # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch.asc # gpg --verify openssl-9.3.patch.asc [FreeBSD 9.2, 9.1, 8.4] # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch # fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch.asc # gpg --verify openssl-9.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. Restart all deamons using the library, or reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r269687 releng/8.4/ r271305 stable/9/ r269687 releng/9.1/ r271305 releng/9.2/ r271305 releng/9.3/ r271305 stable/10/ r269686 releng/10.0/ r271304 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References <URL:https://www.openssl.org/news/secadv_20140806.txt> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512> <URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139> The latest revision of this advisory is available at <URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:18.openssl.asc> -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUDtUBAAoJEO1n7NZdz2rnOUoP/jNoEEPVt1RoVPQoOQc6vno5 2HXcCDsu0ql3kCNIIZ7E6TddfduzV04EMzBrIgulg7eXft+Lnx6HlEgJOo7QLImc aWLWxjcbyby6wrbYOc+FLK11yx9/uZJF0VCdSeyzhy0EFD3tOZPsDMXKZmG7FRkg 6A7ENJU25Mx8V1myzHw/VfDwAHCtXHliFVVE0CUku55pYnlhMeetu/wuB6KYbmgV 1WUamiHEGl4Dh4Up7nGHYYm32kqZLaE+cf1Ovc2VGT98ZyXmCgDB4+8kkA/HZxxp DRgQlojeQhahee5MmzD+wMJXlq6dekoo+JVf22+Nb+oNmlKT6/UxtUhCwW11MLUV rnOMr3u1JCNvBc+3KroSmtFeEtqh7jx3Ag4w8lS5mJO+wX1/lilbsFxSS/9G65fy LqHUQSxkuDJ1bNzPfKreBPyUmQlG5t/3DonIDCF9r3sefDN+kxqe1+RwjdNRM0ov V7OH/AW1NBQtV/F/h0tKCcskvcJo9Q+inAohheLPnWkFj7F2tLNt5TAxsGy7WvFZ MuQSAXpZkdh7OkhAhBM3Xk+EOv7Qk7zZL5HJ1Lpm6kfJ8wSb4etoUV7oELaDMBz8 +9r+Vr9GtjSsec2a4tjNIixZKV9bzEhgKP5gsWD/JewhAzF+0bYNa9snOWxzpAYb j+eW9IT7pEAJK9DtIsDd =f4To -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04576624 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04576624 Version: 1 HPSBMU03267 rev.1 - HP Matrix Operating Environment and HP CloudSystem Matrix running OpenSSL, Remote Disclosure of Information NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2015-03-09 Last Updated: 2015-03-09 Potential Security Impact: Remote disclosure of information Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with the HP Matrix Operating Environment and HP CloudSystem Matrix running OpenSSL. These vulnerabilities comprise the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" or "POODLE", which could be exploited remotely to allow disclosure of information. References: CVE-2014-3508 CVE-2014-3509 CVE-2014-3511 CVE-2014-3513 CVE-2014-3566 CVE-2014-3567 CVE-2014-3568 CVE-2014-5139 SSRT101894 SSRT101916 SSRT101918 SSRT101920 SSRT101921 SSRT101922 SSRT101923 SSRT101925 SSRT101926 SSRT101927 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Matrix Operating Environment and HP CloudSystem Matrix impacted software components and versions HP CloudSystem Matrix (CSM) v7.2.0, v7.2.1, v7.2.2, v7.2.3, v7.3.0, v7.3.1, v 7.3.2, v 7.4.0 HP Matrix Operating Environment (MOE) v7.2.0, v7.2.1, v7.2.2, v7.3.0, v7.3.1, v7.3.2 and v7.4.0 HP Storage Provisioning Manager (SPM) v2.2.0, v2.2.2, v2.3.0, v2.3.2 and v2.4.0 for Windows HP Systems Insight Manager (SIM) v7.2.0, v7.2.1, v7.2.2, v7.3.0, v7.3.1 and v7.4.0 for Linux and Windows HP System Management Homepage (SMH) v7.2, v7.2.1, v7.2.2, v7.3.0, v7.3.1, v7.3.2, v7.3.3 and v7.4.0 for Linux and Windows HP Version Control Agent (VCA) v7.2.0, v7.2.2, v7.3.0, v7.3.1, v7.3.2 and v7.3.3 for Windows HP Version Control Agent (VCA) v7.2.0, v7.2.2(A), v7.3.0, v7.3.2 and v7.3.3 for Linux HP Version Control Repository Manager (VCRM) v7.2.0, v7.2.2, v7.3.0, v7.3.1, v7.3.2, v7.3.3, v7.3.4 and v7.4.0 for Windows HP Version Control Repository Manager (VCRM) v7.2.0, v7.3.4, and v7.4.0 for Linux HP Virtual Connect Enterprise Manager (VCEM) SDK prior to v7.4.1 BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-3508 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2014-3509 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2014-3511 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2014-3513 (AV:N/AC:M/Au:N/C:N/I:N/A:C) 7.1 CVE-2014-3566 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2014-3567 (AV:N/AC:M/Au:N/C:N/I:N/A:C) 7.1 CVE-2014-3568 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2014-5139 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has released the following software updates to resolve these vulnerabilities in the HP Matrix Operating Environment 7.2. The HP Matrix Operating Environment v7.2.3 Update kit applicable to HP Matrix Operating Environment 7.2.x installations is available at the following location: https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber =HPID NOTE: Please read the readme.txt file before proceeding with the installation. HP has addressed these vulnerabilities for the impacted software components bundled with HP Matrix Operating Environment in the following HP Security Bulletins: HP Matrix Operating Environment software components HP Security Bulletin Security Bulletin Location HP Systems Insight Manager (SIM) HPSBMU03261 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_ na-c04571454 HP System Management Homepage (SMH) HPSBMU03260 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_ na-c04571379 HP Version Control Agent (VCA) HPSBMU03262 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_ na-c04571956 HP Version Control Repository Manager (VCRM) HPSBMU03259 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_ na-c04570627 HP Storage Provisioning Manager (SPM) HPSBST03257 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_ na-c04568546 HP Virtual Connect Enterprise Manager (VCEM) SDK HPSBMU03283 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_ na-c04587108 HISTORY Version:1 (rev.1) - 9 March 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners

AFFECTED PRODUCTS