
Vulnerability of OpenSSL: Man-in-the-Middle via X509_V_FLAG_X509_STRICT

Synthesis of the vulnerability 

An attacker can act as a Man-in-the-Middle via X509_V_FLAG_X509_STRICT on OpenSSL, in order to read or write data in the session.
Impacted systems: Cisco ASR, AsyncOS, IOS XR Cisco, Meraki MS***, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco Router, Cisco UCS, Cisco Unified CCX, Cisco IP Phone, Cisco WSA, Fedora, FreeBSD, hMailServer, IBM i, McAfee Web Gateway, MySQL Community, MySQL Enterprise, Nodejs Core, OpenSSL, VirtualBox, Percona Server, pfSense, Puppet, Python, RHEL, SIMATIC, stunnel, Nessus.
Severity of this alert: 2/4.
Creation date: 25/03/2021.
References of this alert: 6443733, CERTFR-2021-AVI-221, CERTFR-2021-AVI-235, cisco-sa-openssl-2021-GHY28dJd, cpuapr2021, CVE-2021-3450, FEDORA-2021-c11da301be, FEDORA-2021-d049f32a82, FEDORA-2021-d934acdb42, FEDORA-2021-f347d1c866, FreeBSD-SA-21:07.openssl, RHSA-2021:1024-01, SB10356, SSB-439005, TNS-2021-05, VIGILANCE-VUL-34943.

Description of the vulnerability 

An attacker can act as a Man-in-the-Middle via X509_V_FLAG_X509_STRICT on OpenSSL, in order to read or write data in the session.

This security note impacts software or systems such as Cisco ASR, AsyncOS, IOS XR Cisco, Meraki MS***, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco Router, Cisco UCS, Cisco Unified CCX, Cisco IP Phone, Cisco WSA, Fedora, FreeBSD, hMailServer, IBM i, McAfee Web Gateway, MySQL Community, MySQL Enterprise, Nodejs Core, OpenSSL, VirtualBox, Percona Server, pfSense, Puppet, Python, RHEL, SIMATIC, stunnel, Nessus.

Our Vigil@nce team determined that the severity of this threat announcement is medium.
</gre_replace>
<gr_replace lines="22" cat="clarify" orig="The trust level is of type">
The trust level is "confirmed by the vendor", and the attack origin is "internet server".

The trust level is of type confirmed by the editor, with an origin of internet server.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat 

OpenSSL: version 1.1.1k.
The version 1.1.1k is fixed:
  https://www.openssl.org/source/

Cisco: solution for OpenSSL.
The solution is indicated in information sources.

Fedora 32-33: new nodejs packages.
New packages are available:
  Fedora 32: nodejs 12.22.1-1.fc32
  Fedora 33: nodejs 14.16.1-1.fc33

Fedora 32: new openssl packages.
New packages are available:
  Fedora 32: openssl 1.1.1k-1.fc32

Fedora 33: new openssl packages.
New packages are available:
  Fedora 33: openssl 1.1.1k-1.fc33

FreeBSD: patch for OpenSSL.
A patch is available:
  https://security.FreeBSD.org/patches/SA-21:07/openssl-12.patch

hMailServer: new 5.6.8 Build 2538 packages.
New packages are available:
  https://www.hmailserver.com/download

IBM i: patch for OpenSSL.
A patch is indicated in information sources.

McAfee Web Gateway: versions 8.2.19, 9.2.10 and 10.1.1.
Versions 8.2.19, 9.2.10 and 10.1.1 are fixed:
  https://www.mcafee.com/us/downloads/downloads.aspx

Node Core: version 10.24.1.
The version 10.24.1 is fixed:
  https://nodejs.org/en/blog/release/v10.24.1/

Node Core: version 12.22.1.
The version 12.22.1 is fixed:
  https://nodejs.org/en/blog/release/v12.22.1/

Node Core: version 14.16.1.
The version 14.16.1 is fixed:
  https://nodejs.org/en/blog/release/v14.16.1/

Node Core: version 15.14.0.
The version 15.14.0 is fixed:
  https://nodejs.org/en/blog/release/v15.14.0/

Oracle MySQL: version 5.7.34.
The version 5.7.34 is fixed:
  https://support.oracle.com/rs?type=doc&id=2764660.1
  https://www.mysql.com/fr/downloads/
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 8.0.24.
The version 8.0.24 is fixed:
  https://support.oracle.com/rs?type=doc&id=2764660.1
  https://www.mysql.com/fr/downloads/
  https://dev.mysql.com/downloads/mysql/

Oracle VM VirtualBox: version 6.1.20.
The version 6.1.20 is fixed:
  https://www.virtualbox.org/wiki/Downloads

Percona Server: version 5.7.34-37.
The version 5.7.34-37 is fixed:
  https://www.percona.com/

pfSense: version 2.5.1.
The version 2.5.1 is fixed:
  https://www.netgate.com/blog/pfsense-plus-21-02-2-release-and-pfsense-ce-2-5-1-release-now-available.html

Puppet Platform: version 6.22.1.
The version 6.22.1 is fixed.

Python: version 3.8.9.
The version 3.8.9 is fixed:
  https://www.python.org/downloads/release/python-389/

Python: version 3.9.3.
The version 3.9.3 is fixed:
  https://www.python.org/downloads/release/python-393/

RHEL 8.3: new openssl packages.
New packages are available:
  RHEL 8.3: openssl 1.1.1g-15.el8_3

SIMATIC S7-1500 CPU 1518: workaround for GNU/Linux Vulnerabilities.
A workaround is indicated in the information source.

stunnel: version 5.59.
The version 5.59 is fixed:
  https://www.stunnel.org/downloads.html

Tenable Nessus: version 8.13.2.
The version 8.13.2 is fixed:
  https://www.tenable.com/
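An added example, not part of the bulletin: a Python check that parses the OpenSSL version string reported by `openssl version` (or by Python's own `ssl` module) and compares it with the fixed release 1.1.1k listed above. The first affected release, 1.1.1h, is taken from the OpenSSL project's advisory for CVE-2021-3450, not from this page; the sample version strings in the code are constructed.

```python
import re
import ssl

# Matches "1.1.1k" (trailing letter = patch level) inside strings such as
# the `openssl version` output "OpenSSL 1.1.1j  16 Feb 2021" or ssl.OPENSSL_VERSION.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)\b")


def parse_openssl_version(text):
    """Return a comparable (major, minor, fix, patch) tuple.

    The patch letter maps to 1..26 ("a" -> 1, "k" -> 11); no letter -> 0,
    so "1.1.1" sorts before "1.1.1a" as OpenSSL itself orders releases.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letter = m.groups()
    patch = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(fix), patch)


# Fixed release named by the bulletin.
FIXED = parse_openssl_version("1.1.1k")
# First affected release according to the OpenSSL advisory for CVE-2021-3450
# (the X509_V_FLAG_X509_STRICT check involved was introduced in 1.1.1h);
# the 1.1.0 and 1.0.2 branches are not affected, so they must not be flagged.
FIRST_AFFECTED = parse_openssl_version("1.1.1h")


def is_affected(version_text):
    """True when the version lies in the affected window 1.1.1h <= v < 1.1.1k."""
    return FIRST_AFFECTED <= parse_openssl_version(version_text) < FIXED


def runtime_openssl_affected():
    """Check the OpenSSL library this Python interpreter is linked against."""
    return is_affected(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample strings in the shape `openssl version` prints.
    for sample in ("OpenSSL 1.1.1j  16 Feb 2021", "OpenSSL 1.1.1k  25 Mar 2021",
                   "OpenSSL 1.0.2u  20 Dec 2019"):
        print(sample, "->", "affected" if is_affected(sample) else "not affected")
    print(ssl.OPENSSL_VERSION, "->",
          "affected" if runtime_openssl_affected() else "not affected")
```

A version-string check alone misleads on distribution packages that backport the fix: the RHEL 8.3 package listed above is still named openssl 1.1.1g-15.el8_3, so compare the package release against the vendor's fixed package rather than the upstream version number.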
