The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenSSL: code execution via TLS Extensions

Synthesis of the vulnerability 

An attacker can use a TLS extension, in order to corrupt the memory of multi-threaded applications using OpenSSL and its internal caching feature.
Vulnerable systems: ProxySG by Blue Coat, SGOS by Blue Coat, Debian, Fedora, FreeBSD, HP Operations, Performance Center, HP-UX, AIX, Tivoli Workload Scheduler, Mandriva Linux, NetBSD, OpenBSD, OpenSolaris, OpenSSL, openSUSE, RHEL, Slackware, StoneGate Firewall, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity of this threat: 3/4.
Creation date: 17/11/2010.
References of this weakness: 1643316, 649304, BID-44884, c02737002, c03179825, CERTA-2002-AVI-272, CERTA-2010-AVI-555, CERTA-2011-AVI-242, CERTA-2011-AVI-294, CERTA-2012-AVI-056, CVE-2010-3864, DSA-2125-1, FEDORA-2010-17826, FEDORA-2010-17827, FEDORA-2010-17847, FreeBSD-SA-10:10.openssl, HPSBGN02740, HPSBUX02638, MDVSA-2010:238, NetBSD-SA2010-012, openSUSE-SU-2010:0965-1, openSUSE-SU-2010:0965-2, RHSA-2010:0888-01, SA68, SSA:2010-326-01, SSRT100339, SSRT100741, SUSE-SR:2010:022, VIGILANCE-VUL-10130, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability 

Since its version 0.9.8f, OpenSSL supports the TLS SNI (Server Name Indication) extension. It is enabled if OpenSSL is compiled with the "enable-tlsext" option (enabled by default since version 0.9.8k).

The SSL session caching feature stores sessions so that they can be resumed later. An application enables it with the SSL_CTX_set_session_cache_mode() function; Apache httpd, for example, does not enable it.

When a multi-threaded application uses OpenSSL, the code in ssl/t1_lib.c does not lock the caching of the TLS SNI data. An attacker can therefore open two sessions simultaneously, so that the cache insertion is attempted twice, which corrupts memory.

An attacker can therefore use a TLS extension, in order to corrupt the memory of multi-threaded applications using OpenSSL and its internal caching feature.
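The version boundaries in the description (SNI support from 0.9.8f, "enable-tlsext" on by default from 0.9.8k, fixes in 0.9.8p and 1.0.0b) give a defender a simple exposure check per host. The following Python is an added example, not code from the Vigil@nce bulletin or from OpenSSL; the inventory lines and hostnames are constructed, and it assumes (the bulletin does not say so) that every branch newer than 1.0.0 carries the fix. A version number alone cannot tell whether a process enables the internal session cache, which the bulletin names as the second condition for exposure.

```python
import re
import ssl

# Added example, not part of the Vigil@nce bulletin.
# Fixed releases named in the bulletin: 0.9.8p (0.9.8 branch) and 1.0.0b (1.0.0 branch).
FIXED_LETTER = {(0, 9, 8): "p", (1, 0, 0): "b"}
FIRST_SNI_LETTER = "f"       # SNI support appeared in 0.9.8f
TLSEXT_DEFAULT_LETTER = "k"  # enable-tlsext is the default from 0.9.8k

# OpenSSL 0.9.x/1.0.x versions look like "0.9.8o" or "1.0.0b": three numbers
# plus an optional patch-letter suffix (double letters such as "zh" also occur).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract ((major, minor, fix), letters) from a string such as
    'OpenSSL 0.9.8o 01 Jun 2010' or a bare '1.0.0b'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version number in %r" % (text,))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def assess(text):
    """Classify one version string against CVE-2010-3864.

    Returns 'fixed', 'vulnerable', 'vulnerable-if-tlsext' (0.9.8f to 0.9.8j:
    exposed only when built with enable-tlsext), 'not-affected' (no SNI support
    at all) or 'unknown' (a branch the bulletin does not cover, e.g. 0.9.9).
    Assumption not stated in the bulletin: every branch newer than 1.0.0 is fixed.
    """
    branch, letters = parse_openssl_version(text)
    if branch > (1, 0, 0):
        return "fixed"
    if branch not in FIXED_LETTER:
        return "unknown" if branch > (0, 9, 8) else "not-affected"
    if branch == (0, 9, 8) and letters < FIRST_SNI_LETTER:
        return "not-affected"
    # Patch letters sort lexically, so "" < "b" and "o" < "p" as intended.
    if letters >= FIXED_LETTER[branch]:
        return "fixed"
    if branch == (0, 9, 8) and letters < TLSEXT_DEFAULT_LETTER:
        return "vulnerable-if-tlsext"
    return "vulnerable"


def assess_inventory(lines):
    """Run assess() over inventory lines of the form
    '<host> <output of openssl version>' and return {host: status}."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        host, _, version_text = line.partition(" ")
        result[host] = assess(version_text)
    return result


def local_openssl_status():
    """Classify the OpenSSL that this Python interpreter is linked against."""
    return assess(ssl.OPENSSL_VERSION)


# Constructed sample inventory: hostnames are made up, version strings follow
# the format printed by `openssl version`.
SAMPLE_INVENTORY = [
    "web01 OpenSSL 0.9.8o 01 Jun 2010",
    "web02 OpenSSL 0.9.8p 16 Nov 2010",
    "lb01 OpenSSL 1.0.0a 01 Jun 2010",
    "lb02 OpenSSL 1.0.0b 16 Nov 2010",
    "legacy01 OpenSSL 0.9.8e 23 Feb 2007",
    "build01 OpenSSL 0.9.8h 28 May 2008",
]

if __name__ == "__main__":
    for host, status in sorted(assess_inventory(SAMPLE_INVENTORY).items()):
        print("%-10s %s" % (host, status))
    print("local      %s (%s)" % (local_openssl_status(), ssl.OPENSSL_VERSION))
```

Feed it the output of `openssl version` collected from each host; the "vulnerable-if-tlsext" bucket needs a look at how those 0.9.8f-0.9.8j builds were configured, and any host reported as vulnerable still only matters for multi-threaded processes that turn on the internal session cache.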
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This threat announcement impacts software or systems such as ProxySG by Blue Coat, SGOS by Blue Coat, Debian, Fedora, FreeBSD, HP Operations, Performance Center, HP-UX, AIX, Tivoli Workload Scheduler, Mandriva Linux, NetBSD, OpenBSD, OpenSolaris, OpenSSL, openSUSE, RHEL, Slackware, StoneGate Firewall, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.

Our Vigil@nce team determined that the severity of this cybersecurity alert is important.

The trust level is confirmed by the editor, and the attack origin is an internet client.

An attacker with an expert ability can exploit this security alert.

Solutions for this threat 

OpenSSL: version 1.0.0b.
The version 1.0.0b is corrected:
  http://www.openssl.org/

OpenSSL: version 0.9.8p.
The version 0.9.8p is corrected:
  http://www.openssl.org/

OpenSSL: patch for TLS Extensions.
A patch is available in information sources.

AIX: new OpenSSL version.
The following OpenSSL version is corrected:
  https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp
    openssl.0.9.8.1302.tar.Z
    openssl-fips.12.9.8.1302.tar.Z
    openssl.0.9.8.808.tar.Z
Then, OpenSSH also has to be updated:
  http://sourceforge.net/projects/openssh-aix

Blue Coat Reporter: patch for OpenSSL.
A patch is available:
  Reporter 9.3.2.1 :
    https://bto.bluecoat.com/download/product/8793
  Reporter 9.2.5.1 :
    https://bto.bluecoat.com/download/product/4997

Debian: new openssl packages.
New packages are available:
  http://security.debian.org/pool/updates/main/o/openssl/*_0.9.8g-15+lenny9_*.deb

Fedora: new openssl packages.
New packages are available:
  openssl-1.0.0b-1.fc12
  openssl-1.0.0b-1.fc13
  openssl-1.0.0b-1.fc14

FreeBSD: patch for OpenSSL.
A patch is available:
FreeBSD 7.x :
  fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch
FreeBSD 8.x :
  fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch

HP Operations, Performance: solution for OpenSSL.
Updates are available:
  http://support.openview.hp.com/selfsolve/patches
  HP Operations Manager : 9.20
  HP Operations Agent : 11.05

HP-UX: OpenSSL version A.00.09.08q.
The following version is corrected:
B.11.11 : OpenSSL_A.00.09.08q.001_HP-UX_B.11.11_32_64.depot
B.11.23 : OpenSSL_A.00.09.08q.002_HP-UX_B.11.23_IA_PA.depot
B.11.31 : OpenSSL_A.00.09.08q.003_HP-UX_B.11.31_IA_PA.depot

IBM Tivoli Workload Scheduler: solution for OpenSSL.
The solution is indicated in information sources.

Mandriva: new openssl packages.
New packages are available:
  Mandriva Linux 2009.0: openssl-0.9.8h-3.8mdv2009.0
  Mandriva Linux 2010.0: openssl-0.9.8k-5.3mdv2010.0
  Mandriva Linux 2010.1: openssl-1.0.0a-1.5mdv2010.1
  Mandriva Enterprise Server 5: openssl-0.9.8h-3.8mdvmes5.1

NetBSD: patch for OpenSSL.
A patch is available in information sources.

NetBSD: version 5.1.2.
The version 5.1.2 is corrected:
  http://www.NetBSD.org/

OpenBSD: patch for OpenSSL.
A patch is available:
  http://ftp.openbsd.org/pub/OpenBSD/patches/4.7/common/008_openssl.patch
  http://ftp.openbsd.org/pub/OpenBSD/patches/4.8/common/004_openssl.patch

openSUSE: new openssl packages.
New packages are available:
  openSUSE 11.1 : openssl-0.9.8h-28.18.1
  openSUSE 11.2 : openssl-0.9.8k-3.10.1
  openSUSE 11.3 : openssl-1.0.0-6.3.1

RHEL 6.0: new openssl packages.
New packages are available:
  openssl-1.0.0-4.el6_0.1

Slackware: new openssl packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/openssl-0.9.8p-i486-1_slack11.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/openssl-solibs-0.9.8p-i486-1_slack11.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/openssl-0.9.8p-i486-1_slack12.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/openssl-solibs-0.9.8p-i486-1_slack12.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/openssl-0.9.8p-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/openssl-solibs-0.9.8p-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/openssl-0.9.8p-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/openssl-solibs-0.9.8p-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-0.9.8p-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-solibs-0.9.8p-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-0.9.8p-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-solibs-0.9.8p-i486-1_slack13.1.txz

Solaris 11 Express: patch for OpenSSL.
A patch is available:
  7000568

StoneGate SSL VPN: version 1.4.5.
The version StoneGate SSL VPN 1.4.5 is corrected:
  https://my.stonesoft.com/support/

SUSE: new packages (30/11/2010).
New packages are available, as indicated in information sources.

VMware: corrected versions.
Following versions are corrected:
VMware vCenter Server 4.1 Update 1 and modules
  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
  http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html
VMware vCenter Server 4.0 Update 3
  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
  http://www.vmware.com/support/vsphere4/doc/vsp_vc40_u3_rel_notes.html
ESXi 4.1 Installable Update 1
  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
  http://downloads.vmware.com/support/vsphere4/doc/vsp_esxi41_u1_rel_notes.html
  http://kb.vmware.com/kb/1027919
ESX 4.1 Update 1
  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
  http://downloads.vmware.com/support/vsphere4/doc/vsp_esx41_u1_rel_notes.html
  http://kb.vmware.com/kb/1029353
ESXi 4.0
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-274-20110303-677367/ESXi400-201103001.zip
  http://kb.vmware.com/kb/1032823
ESX 4.0
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-273-20110303-574144/ESX400-201103001.zip
  http://kb.vmware.com/kb/1032822

Computer vulnerabilities tracking service 

Vigil@nce provides application vulnerability analysis. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.