The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenSSL: NULL pointer dereference via SSL_MODE_RELEASE_BUFFERS

Synthesis of the vulnerability 

An attacker can dereference a NULL pointer in OpenSSL applications using SSL_MODE_RELEASE_BUFFERS, in order to trigger a denial of service.
Vulnerable systems: ArubaOS, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco ATA, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco Content SMA, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Management, IronPort Web, Nexus by Cisco, NX-OS, Prime Collaboration Assurance, Prime Collaboration Manager, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Unity Cisco, WebNS, Cisco WSA, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, ECC, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, FreeBSD, ProCurve Switch, HP Switch, AIX, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper UAC, McAfee Web Gateway, NetBSD, OpenBSD, OpenSSL, openSUSE, Solaris, Polycom CMA, HDX, RealPresence Collaboration Server, Polycom VBP, RHEL, ACE Agent, ACE Server, RSA Authentication Agent, RSA Authentication Manager, SecurID, ROS, ROX, RuggedSwitch, SIMATIC, Slackware, stunnel, Ubuntu, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor.
Severity of this threat: 3/4.
Creation date: 02/05/2014.
Revision dates: 02/05/2014, 05/06/2014.
References for this weakness: 3321, aid-06062014, c04347622, CERTFR-2014-AVI-253, CERTFR-2014-AVI-254, CERTFR-2014-AVI-255, CERTFR-2014-AVI-260, CERTFR-2014-AVI-274, CERTFR-2014-AVI-279, CERTFR-2014-AVI-286, cisco-sa-20140605-openssl, CTX140876, CVE-2014-0198, DOC-53313, DSA-2931-1, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2014-7101, FEDORA-2014-7102, FreeBSD-SA-14:10.openssl, HPSBHF03052, JSA10629, MDVSA-2014:080, MDVSA-2015:062, NetBSD-SA2014-006, openSUSE-SU-2014:0634-1, openSUSE-SU-2014:0635-1, RHSA-2014:0625-01, RHSA-2014:0628-01, RHSA-2014:0679-01, SA40006, SA80, SB10075, SOL15329, SSA:2014-156-03, SSA-234763, USN-2192-1, VIGILANCE-VUL-14690, VMSA-2014-0006, VMSA-2014-0006.1, VMSA-2014-0006.10, VMSA-2014-0006.11, VMSA-2014-0006.2, VMSA-2014-0006.3, VMSA-2014-0006.4, VMSA-2014-0006.5, VMSA-2014-0006.6, VMSA-2014-0006.7, VMSA-2014-0006.8, VMSA-2014-0006.9.

Description of the vulnerability 

The SSL_set_mode() function of OpenSSL defines the behavior of the library. The SSL_MODE_RELEASE_BUFFERS parameter, added in version 1.0.0, tells the library to free memory as soon as it is no longer needed. The SSL module of Apache httpd uses it when Apache is configured to save memory.

The do_ssl3_write() function in the ssl/s3_pkt.c file sends SSLv3 packets. After data is sent, the memory can be freed if SSL_MODE_RELEASE_BUFFERS is used, so a pointer can be NULL. However, OpenSSL does not check whether this pointer is NULL before using it.

An attacker can therefore dereference a NULL pointer in OpenSSL applications using SSL_MODE_RELEASE_BUFFERS, in order to trigger a denial of service.
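
A simplified model of the pattern described above, as an added example that is not OpenSSL's code and not part of the original bulletin: struct conn, flush_record() and the write_record_*() functions are hypothetical stand-ins, and MODE_RELEASE_BUFFERS stands in for SSL_MODE_RELEASE_BUFFERS. It puts the unchecked use of a released write buffer beside a form that re-establishes the buffer before use.

```c
#include <stdlib.h>
#include <string.h>

#define MODE_RELEASE_BUFFERS 0x1u   /* stand-in for SSL_MODE_RELEASE_BUFFERS */
#define WBUF_LEN 64

struct conn {                       /* hypothetical, simplified connection state */
    unsigned mode;
    unsigned char *wbuf;            /* NULL once the buffer has been released */
    size_t wlen;
};

/* After data is sent, release-buffers mode frees the write buffer to save memory. */
static void flush_record(struct conn *c) {
    c->wlen = 0;
    if (c->mode & MODE_RELEASE_BUFFERS) { free(c->wbuf); c->wbuf = NULL; }
}

/* Unchecked pattern: assumes wbuf is still allocated. Called after
   flush_record() in release mode, the memcpy dereferences NULL. */
int write_record_unchecked(struct conn *c, const void *data, size_t n) {
    if (n > WBUF_LEN) return -1;
    memcpy(c->wbuf, data, n);
    c->wlen = n;
    return (int)n;
}

/* Hardened pattern: test the pointer and re-allocate before using it. */
int write_record_checked(struct conn *c, const void *data, size_t n) {
    if (n > WBUF_LEN) return -1;
    if (c->wbuf == NULL && (c->wbuf = malloc(WBUF_LEN)) == NULL) return -1;
    memcpy(c->wbuf, data, n);
    c->wlen = n;
    return (int)n;
}

/* Write, flush, write again. Returns 1 if the flush released the buffer,
   0 if it did not, -1 if any write failed. */
int demo_checked(unsigned mode) {
    struct conn c = { mode, NULL, 0 };
    if (write_record_checked(&c, "hello", 5) != 5) return -1;
    flush_record(&c);
    int released = (c.wbuf == NULL);
    int r = write_record_checked(&c, "again", 5);
    free(c.wbuf);
    return (r == 5) ? released : -1;
}

int main(void) { return demo_checked(MODE_RELEASE_BUFFERS) == 1 ? 0 : 1; }
```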


Our Vigil@nce team determined that the severity of this weakness is important.

The trust level is confirmed by the vendor, and the origin of the attack is an internet client.

An attacker with expert ability can exploit this weakness.

Solutions for this threat 

OpenSSL: version 1.0.1h.
The version 1.0.1h is fixed:
  http://www.openssl.org/

OpenSSL: version 1.0.0m.
The version 1.0.0m is fixed:
  http://www.openssl.org/

OpenSSL: patch for SSL_MODE_RELEASE_BUFFERS.
A patch is available in information sources.

OpenBSD: patch for SSL.
A patch is available in information sources.

stunnel: version 5.02.
The version 5.02 is fixed:
  https://www.stunnel.org/downloads.html

AIX: patch for OpenSSL.
A patch is available in information sources.

Aruba: solution for OpenSSL.
The solution is indicated in information sources.

Blue Coat: solution for OpenSSL.
The solution is indicated in information sources.

Cisco: solution for OpenSSL.
The solution is indicated in information sources.
Vulnerable products are listed in the information sources.

Debian: new openssl packages.
New packages are available:
  Debian 7: openssl 1.0.1e-2+deb7u9

EMC: solution for OpenSSL.
The solution is indicated in information sources.

F5 BIG-IP: fixed versions for SSL_MODE_RELEASE_BUFFERS.
Fixed versions are indicated in information sources.

Fedora: new mingw-openssl packages.
New packages are available:
  Fedora 20: mingw-openssl 1.0.1j-1.fc20
  Fedora 21: mingw-openssl 1.0.1j-1.fc21

Fedora: new openssl packages.
New packages are available:
  Fedora 19: openssl 1.0.1e-38.fc19
  Fedora 20: openssl 1.0.1e-38.fc20

FreeBSD: patch for OpenSSL.
A patch is available:
  http://security.FreeBSD.org/patches/SA-14:10/openssl.patch

HP: solution for OpenSSL.
The solution is indicated in information sources.

Juniper: solution for OpenSSL.
The solution is indicated in information sources.

Mandriva BS2: new openssl packages.
New packages are available:
  Mandriva BS2: openssl 1.0.1m-1.mbs2

Mandriva BS: new openssl packages.
New packages are available:
  Mandriva BS1: openssl 1.0.0k-1.3.mbs1

McAfee Web Gateway: patch for OpenSSL.
A patch is available in information sources.

NetBSD: patch for OpenSSL.
A patch is available in information sources.

openSUSE: new openssl packages.
New packages are available:
  openSUSE 13.1: libopenssl 1.0.1g-11.44.1
  openSUSE 12.3: libopenssl 1.0.1g-1.56.1

Polycom Converged Management Application: version 5.2.6.
The version 5.2.6 is fixed.

Polycom HDX: version 3.1.5.
The version 3.1.5 is fixed.

Polycom RMX 1800/Collaboration Server: version 8.4.1.
The version 8.4.1 is fixed.

Polycom Video Border Proxy: version 11.2.18.
The version 11.2.18 is fixed.

Red Hat Storage Server 2.1: new openssl packages.
New packages are available:
  RHEL 6: openssl 1.0.1e-16.el6_5.14

RHEL 6.5: new openssl packages.
New packages are available:
  RHEL 6: openssl 1.0.1e-16.el6_5.14

RHEL 7.0: new openssl packages.
New packages are available:
  RHEL 7: openssl 1.0.1e-34.el7_0.3

Siemens: solution for OpenSSL.
The solution is indicated in information sources.

Slackware: new openssl packages.
New packages are available:
  Slackware 13.0: openssl 0.9.8za-i486-1_slack13.0
  Slackware 13.1: openssl 0.9.8za-i486-1_slack13.1
  Slackware 13.37: openssl 0.9.8za-i486-1_slack13.37
  Slackware 14.0: openssl 1.0.1h-i486-1_slack14.0
  Slackware 14.1: openssl 1.0.1h-i486-1_slack14.1

Solaris: version 11.1.20.5.0.
The version 11.1.20.5.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1683966.1

Ubuntu: new libssl1.0.0 packages.
New packages are available:
  Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.1
  Ubuntu 13.10: libssl1.0.0 1.0.1e-3ubuntu1.3
  Ubuntu 12.10: libssl1.0.0 1.0.1c-3ubuntu2.8
  Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.13

VMware: solution for OpenSSL.
The solution is indicated in information sources.
