The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenSSL: denial of service via TLS 1.2

Synthesis of the vulnerability

An attacker can use TLS 1.2 with an application linked to OpenSSL, in order to trigger a denial of service.
Impacted software: Debian, Unisphere EMC, BIG-IP Hardware, TMOS, Fedora, FreeBSD, AIX, OpenSSL, openSUSE, Solaris, pfSense, RHEL, Slackware.
Severity of this computer vulnerability: 2/4.
Creation date: 23/12/2013.
References for this announcement: 3200, BID-64530, CERTA-2014-AVI-003, CERTFR-2014-AVI-091, CERTFR-2014-AVI-286, CVE-2013-6449, DSA-2020-062, DSA-2833-1, FEDORA-2013-23768, FEDORA-2013-23788, FEDORA-2013-23794, FEDORA-2014-1560, FEDORA-2014-1567, FreeBSD-SA-14:03.openssl, openSUSE-SU-2014:0012-1, openSUSE-SU-2014:0015-1, openSUSE-SU-2014:0018-1, openSUSE-SU-2014:0048-1, openSUSE-SU-2014:0049-1, RHSA-2014:0015-01, RHSA-2014:0041-01, SOL15147, SSA:2014-013-02, VIGILANCE-VUL-13978.

Description of the vulnerability

The OpenSSL library supports versions 1.0 to 1.2 of TLS.

The ssl_get_algorithm2() function in ssl/s3_lib.c determines the protocol version of the current session. However, it reads that version from a structure that is not always up to date, so an internal error occurs.

An attacker can therefore use TLS 1.2 with an application linked to OpenSSL, in order to trigger a denial of service.
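As an added defender-side check (not part of the Vigil@nce bulletin or of OpenSSL itself), the following script parses OpenSSL's letter-suffixed version strings and reports whether a build predates the 1.0.1f fix named in the solutions section. The cut-off at the 1.0.1 series is an assumption of this example (TLS 1.2 support first shipped in 1.0.1); the bulletin itself only names the fixed version.

```python
import re
import ssl

# Upstream fix named in the bulletin: OpenSSL 1.0.1f. OpenSSL's 1.0.x numbering
# carries the patch level as a trailing letter ('' = 0, 'a' = 1, ..., 'f' = 6).
FIXED_UPSTREAM = (1, 0, 1, 6)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch) from a string such as
    'OpenSSL 1.0.1e 11 Feb 2013' (ssl.OPENSSL_VERSION format) or '1.0.1f'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    major, minor, fix = (int(part) for part in match.group(1, 2, 3))
    patch = 0
    for letter in match.group(4):
        # base-26 accumulation orders 'z' < 'za' < 'zb', as OpenSSL did
        patch = patch * 26 + (ord(letter) - ord("a") + 1)
    return (major, minor, fix, patch)


def is_affected(version_text):
    """True when the upstream version is a 1.0.1 release older than 1.0.1f.

    Assumption (not stated in the bulletin): TLS 1.2 support first shipped in
    the 1.0.1 series, so 1.0.0 and older never reach the TLS 1.2 path in
    ssl_get_algorithm2() and are reported as not affected by this bug.
    Distribution packages that backport the fix (e.g. Debian 1.0.1e-2+deb7u1,
    RHEL openssl-1.0.1e-16.el6_5.4 from the bulletin) keep the '1.0.1e'
    upstream string, so for packaged builds check the package revision too.
    """
    version = parse_openssl_version(version_text)
    return version[:3] == (1, 0, 1) and version < FIXED_UPSTREAM


def linked_openssl_verdict():
    """Report the OpenSSL this interpreter is linked against and whether its
    upstream version string predates the fix."""
    return ssl.OPENSSL_VERSION, is_affected(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    version, affected = linked_openssl_verdict()
    print("%s -> %s" % (version, "affected" if affected else "not affected"))
```

A "not affected" verdict from the version string alone is only meaningful for upstream builds; for distribution packages, compare the package revision against the fixed packages listed under Solutions.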

This security threat impacts software or systems such as Debian, Unisphere EMC, BIG-IP Hardware, TMOS, Fedora, FreeBSD, AIX, OpenSSL, openSUSE, Solaris, pfSense, RHEL, Slackware.

Our Vigil@nce team rates the severity of this vulnerability as medium.

Trust level: confirmed by the vendor. Attack origin: Internet client.

An attacker with expert-level skills can exploit this vulnerability.

Solutions for this threat

OpenSSL: version 1.0.1f.
The version 1.0.1f is fixed:
  http://www.openssl.org/source/

OpenSSL: patch for TLS 1.2.
A patch is available in information sources.

Copssh: version 4.7.1.
The version 4.7.1 is fixed:
  http://www.itefix.no/

pfSense: version 2.1.1.
The version 2.1.1 is fixed:
  http://www.pfsense.org/

AIX: fixed versions for OpenSSL and OpenSSH.
The following versions are fixed:
  OpenSSL 1.0.1.501
  OpenSSH 6.0.0.6103

Debian: new openssl packages.
New packages are available:
  openssl 1.0.1e-2+deb7u1

Dell EMC Unisphere for PowerMax: solution.
The solution is indicated in information sources.

F5 BIG-IP: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

Fedora: new mingw-openssl packages.
New packages are available:
  mingw-openssl-1.0.1e-5.fc19
  mingw-openssl-1.0.1e-5.fc20

Fedora: new openssl packages.
New packages are available:
  openssl-1.0.1e-36.fc18
  openssl-1.0.1e-36.fc19
  openssl-1.0.1e-36.fc20

FreeBSD: patch for openssl.
A patch is available:
  http://security.FreeBSD.org/patches/SA-14:03/openssl.patch

openSUSE: new openssl packages.
New packages are available:
  openSUSE 11.4 : openssl-1.0.0l-18.49.1
  openSUSE 12.2 : openssl-1.0.1e-2.20.1
  openSUSE 12.3 : openssl-1.0.1e-1.21.1
  openSUSE 13.1 : openssl-1.0.1e-11.9.1

RHEL 6.5: new openssl packages.
New packages are available:
  openssl-1.0.1e-16.el6_5.4

RHEV Hypervisor: new rhev-hypervisor6 packages.
New packages are available:
  rhev-hypervisor6-6.5-20140112.0.el6ev

Slackware: new openssl packages.
New packages are available:
  ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1f-i486-1_slack14.0.txz
  ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1f-i486-1_slack14.0.txz
  ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1f-x86_64-1_slack14.0.txz
  ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1f-x86_64-1_slack14.0.txz
  ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-1.0.1f-i486-1_slack14.1.txz
  ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-solibs-1.0.1f-i486-1_slack14.1.txz
  ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-1.0.1f-x86_64-1_slack14.1.txz
  ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-solibs-1.0.1f-x86_64-1_slack14.1.txz

Solaris 11.2: patch for OpenSSL.
A patch is available:
  https://updates.oracle.com/download/19298012.html

Solaris: version 11.1.20.5.0.
The version 11.1.20.5.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1683966.1

Computer vulnerability tracking service

Vigil@nce publishes computer vulnerability announcements. The Vigil@nce team tracks vulnerabilities affecting systems and applications.