The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenSSL: data injection via OPENSSL_NO_BUF_FREELIST

Synthesis of the vulnerability 

An attacker can establish a connection with a multi-thread application linked to OpenSSL with OPENSSL_NO_BUF_FREELIST, in order to potentially inject data in the session of another user.
Impacted systems: ArubaOS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco ATA, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco Content SMA, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Management, IronPort Web, Nexus by Cisco, NX-OS, Prime Collaboration Assurance, Prime Collaboration Manager, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Unity Cisco, WebNS, Cisco WSA, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, ECC, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FreeBSD, ProCurve Switch, HP Switch, AIX, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper UAC, McAfee Web Gateway, NetBSD, OpenBSD, OpenSSL, openSUSE, Solaris, pfSense, Polycom CMA, HDX, RealPresence Collaboration Server, Polycom VBP, RHEL, ACE Agent, ACE Server, RSA Authentication Agent, RSA Authentication Manager, SecurID, ROS, ROX, RuggedSwitch, SIMATIC, Slackware, stunnel, Ubuntu, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor.
Severity of this alert: 1/4.
Creation date: 14/04/2014.
Revision date: 05/06/2014.
Références of this alert: 2167, aid-06062014, c04347622, CERTFR-2014-AVI-253, CERTFR-2014-AVI-254, CERTFR-2014-AVI-255, CERTFR-2014-AVI-260, CERTFR-2014-AVI-274, CERTFR-2014-AVI-279, CERTFR-2014-AVI-286, cisco-sa-20140605-openssl, CTX140876, CVE-2010-5298, DOC-53313, DSA-2908-1, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2014-7101, FEDORA-2014-7102, FG-IR-14-018, FreeBSD-SA-14:09.openssl, HPSBHF03052, JSA10629, MDVSA-2014:090, MDVSA-2015:062, NetBSD-SA2014-006, openSUSE-SU-2014:0592-1, RHSA-2014:0625-01, RHSA-2014:0628-01, RHSA-2014:0679-01, SA40006, SA80, SB10075, SOL15328, SSA:2014-156-03, SSA-234763, USN-2192-1, VIGILANCE-VUL-14585, VMSA-2014-0006, VMSA-2014-0006.1, VMSA-2014-0006.10, VMSA-2014-0006.11, VMSA-2014-0006.2, VMSA-2014-0006.3, VMSA-2014-0006.4, VMSA-2014-0006.5, VMSA-2014-0006.6, VMSA-2014-0006.7, VMSA-2014-0006.8, VMSA-2014-0006.9.

Description of the vulnerability 

The OpenSSL product uses a proprietary implementation of malloc to manage its memory.

However, when this feature is disabled with OPENSSL_NO_BUF_FREELIST, a memory area is not freed, and the ssl3_setup_read_buffer() function can, in multi-thread mode, reuse data from another SSL session.

An attacker can therefore establish a connection with a multi-threaded application linked to OpenSSL with OPENSSL_NO_BUF_FREELIST, in order to potentially inject data in the session of another user.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This security weakness impacts software or systems such as ArubaOS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco ATA, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco Content SMA, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Management, IronPort Web, Nexus by Cisco, NX-OS, Prime Collaboration Assurance, Prime Collaboration Manager, Prime Infrastructure, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Unity Cisco, WebNS, Cisco WSA, Debian, Avamar, EMC CAVA, EMC CEE, EMC CEPA, Celerra FAST, Celerra NS, Celerra NX4, EMC CMDCE, Connectrix Switch, ECC, NetWorker, PowerPath, Unisphere EMC, VNX Operating Environment, VNX Series, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FreeBSD, ProCurve Switch, HP Switch, AIX, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper UAC, McAfee Web Gateway, NetBSD, OpenBSD, OpenSSL, openSUSE, Solaris, pfSense, Polycom CMA, HDX, RealPresence Collaboration Server, Polycom VBP, RHEL, ACE Agent, ACE Server, RSA Authentication Agent, RSA Authentication Manager, SecurID, ROS, ROX, RuggedSwitch, SIMATIC, Slackware, stunnel, Ubuntu, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor.

Our Vigil@nce team determined that the severity of this threat bulletin is low.

The trust level is of type confirmed by the editor, with an origin of internet client.

An attacker with a expert ability can exploit this threat.

Solutions for this threat 

OpenSSL: version 1.0.1h.
The version 1.0.1h is fixed:
  http://www.openssl.org/

OpenSSL: version 1.0.0m.
The version 1.0.0m is fixed:
  http://www.openssl.org/

OpenSSL: patch for OPENSSL_NO_BUF_FREELIST.
A patch is available in information sources.

pfSense: version 2.1.3.
The version 2.1.3 is fixed:
  https://www.pfsense.org/

stunnel: version 5.02.
The version 5.02 is fixed:
  https://www.stunnel.org/downloads.html

AIX: patch for openssl.
A patch is available in information sources.
  https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp
  openssl-1.0.1.503.tar.Z

Aruba: solution for OpenSSL.
The solution is indicated in information sources.

Blue Coat: solution for OpenSSL.
The solution is indicated in information sources.

Cisco: solution for OpenSSL.
The solution is indicated in information sources.
Vulnerable products are listed in the information sources.

Debian: new openssl packages.
New packages are available:
  Debian 7: openssl 1.0.1e-2+deb7u7

EMC: solution for OpenSSL.
The solution is indicated in information sources.

F5 BIG-IP: fixed versions for OPENSSL_NO_BUF_FREELIST.
Fixed versions are indicated in information sources.

Fedora: new mingw-openssl packages.
New packages are available:
  Fedora 20: mingw-openssl 1.0.1j-1.fc20
  Fedora 21: mingw-openssl 1.0.1j-1.fc21

Fedora: new openssl packages.
New packages are available:
  Fedora 19: openssl 1.0.1e-38.fc19
  Fedora 20: openssl 1.0.1e-38.fc20

Fortinet: solution for OpenSSL.
The solution is indicated in information sources.

FreeBSD: patch for OpenSSL.
A patch is available in information sources.

HP: solution for OpenSSL.
The solution is indicated in information sources.

Juniper: solution for OpenSSL.
The solution is indicated in information sources.

Mandriva BS2: new openssl packages.
New packages are available:
  Mandriva BS2: openssl 1.0.1m-1.mbs2

Mandriva BS: new openssl packages.
New packages are available:
  Mandriva BS1: openssl 1.0.0k-1.4.mbs1

McAfee Web Gateway: patch for OpenSSL.
A patch is available in information sources.

NetBSD: patch for OpenSSL.
A patch is available in information sources.

OpenBSD: patch for FREELIST.
A patch is available:
  http://ftp.openbsd.org/pub/OpenBSD/patches/5.3/common/015_openssl.patch
  http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/008_openssl.patch
  http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig

openSUSE: new openssl packages.
New packages are available:
  openSUSE 12.3: openssl 1.0.1g-1.52.1
  openSUSE 13.1: openssl 1.0.1g-11.40.1

Polycom Converged Management Application: version 5.2.6.
The version 5.2.6 is fixed.

Polycom HDX: version 3.1.5.
The version 3.1.5 is fixed.

Polycom RMX 1800/Collaboration Server: version 8.4.1.
The version 8.4.1 is fixed.

Polycom Video Border Proxy: version 11.2.18.
The version 11.2.18 is fixed.

Red Hat Storage Server 2.1: new openssl packages.
New packages are available:
  RHEL 6: openssl 1.0.1e-16.el6_5.14

RHEL 6.5: new openssl packages.
New packages are available:
  RHEL 6: openssl 1.0.1e-16.el6_5.14

RHEL 7.0: new openssl packages.
New packages are available:
  RHEL 7: openssl 1.0.1e-34.el7_0.3

Siemens: solution for OpenSSL.
The solution is indicated in information sources.

Slackware: new openssl packages.
New packages are available:
  Slackware 13.0: openssl 0.9.8za-i486-1_slack13.0
  Slackware 13.1: openssl 0.9.8za-i486-1_slack13.1
  Slackware 13.37: openssl 0.9.8za-i486-1_slack13.37
  Slackware 14.0: openssl 1.0.1h-i486-1_slack14.0
  Slackware 14.1: openssl 1.0.1h-i486-1_slack14.1

Solaris: version 11.1.20.5.0.
The version 11.1.20.5.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1683966.1

Ubuntu: new libssl1.0.0 packages.
New packages are available:
  Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.1
  Ubuntu 13.10: libssl1.0.0 1.0.1e-3ubuntu1.3
  Ubuntu 12.10: libssl1.0.0 1.0.1c-3ubuntu2.8
  Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.13

VMware: solution for OpenSSL.
The solution is indicated in information sources.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides a computer security announce. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.