
Vulnerability of OpenSSL: use after free via NewSessionTicket

Synthesis of the vulnerability

An attacker who owns a malicious TLS server can send a NewSessionTicket message to force the use of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Severity of this computer vulnerability: 2/4.
Creation date: 04/06/2015.
References of this bulletin: 1961569, 1964113, 1970103, 2003480, 2003620, 2003673, 9010038, 9010039, bulletinjul2015, c04760669, c05184351, c05353965, CERTFR-2015-AVI-431, CERTFR-2016-AVI-128, CERTFR-2016-AVI-303, cisco-sa-20150612-openssl, cpuapr2017, cpuoct2016, cpuoct2017, CTX216642, CVE-2015-1791, DSA-3287-1, FEDORA-2015-10047, FEDORA-2015-10108, FreeBSD-SA-15:10.openssl, HPSBGN03678, HPSBHF03613, HPSBUX03388, JSA10694, JSA10733, NetBSD-SA2015-008, NTAP-20150616-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2016:0640-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1115-01, SA40002, SA98, SB10122, SOL16914, SSA:2015-162-01, SSRT102180, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1182-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, TSB16728, USN-2639-1, VIGILANCE-VUL-17062.

Description of the vulnerability

In the TLS protocol, the server sends the NewSessionTicket message to give the client a new session ticket (RFC 5077).

The ssl3_get_new_session_ticket() function of the ssl/s3_clnt.c file implements NewSessionTicket in an OpenSSL client. However, if the client is multi-threaded, this function frees a memory area before reusing it.

An attacker who owns a malicious TLS server can therefore send a NewSessionTicket message to force the use of a freed memory area in a client linked to OpenSSL, in order to trigger a denial of service, and possibly to execute code.

This computer vulnerability bulletin impacts software or systems such as ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Unity Cisco, Cisco WSA, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Operations, HP Switch, HP-UX, AIX, IRAD, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Pulse, Juniper Network Connect, Juniper SBR, McAfee Email and Web Security, McAfee Email Gateway, McAfee Web Gateway, Data ONTAP 7-Mode, Snap Creator Framework, SnapManager, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Palo Alto Firewall PA***, PAN-OS, pfSense, Pulse Connect Secure, Puppet, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Ubuntu, WinSCP.

Our Vigil@nce team determined that the severity of this cybersecurity bulletin is medium.

The trust level is "confirmed by the editor", with an origin of "internet client".

An attacker with an expert ability can exploit this threat alert.

Solutions for this threat

OpenSSL: version 1.0.2b.
The version 1.0.2b is fixed:
  https://www.openssl.org/source/

OpenSSL: version 1.0.1n.
The version 1.0.1n is fixed:
  https://www.openssl.org/source/

OpenSSL: version 1.0.0s.
The version 1.0.0s is fixed:
  https://www.openssl.org/source/

OpenSSL: version 0.9.8zg.
The version 0.9.8zg is fixed:
  https://www.openssl.org/source/

OpenSSL: patch for NewSessionTicket.
A patch is available in information sources.

AIX: patch for OpenSSL (15/07/2015).
A patch is available:
  ftp://aix.software.ibm.com/aix/efixes/security/openssl_fix14.tar

Blue Coat: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

Cisco: solution for OpenSSL.
Solutions for some products are available in information sources.

Citrix NetScaler: fixed versions for LOM Firmware.
Fixed versions are indicated in information sources.

Citrix NetScaler Platform IPMI LOM: solution.
The solution is indicated in information sources.

Debian: new openssl packages.
New packages are available:
  Debian 7: openssl 1.0.1e-2+deb7u17
  Debian 8: openssl 1.0.1k-3+deb8u1

F5 BIG-IP: fixed versions for NewSessionTicket.
Fixed versions are indicated in information sources.

Fedora: new openssl packages (22/06/2015).
New packages are available:
  Fedora 22: openssl 1.0.1k-10.fc22
  Fedora 21: openssl 1.0.1k-10.fc21

FileZilla Server: version 0.9.53.
The version 0.9.53 is fixed:
  https://filezilla-project.org/download.php?type=server

Fortinet: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

FreeBSD: patch for openssl.
A patch is available:
  FreeBSD 10.1: https://security.FreeBSD.org/patches/SA-15:10/openssl-10.1.patch
  FreeBSD 9.3, 8.4: https://security.FreeBSD.org/patches/SA-15:10/openssl-8.4.patch

HPE Switch Comware: patch for OpenSSL.
A patch is indicated in information sources for numerous products of the families Comware 5 and Comware 7.

HP Operations: patch for OpenSSL.
A patch is indicated in information sources. The announcement provides one link for each platform.

HP-UX: fixed versions for OpenSSL.
Fixed versions are indicated in information sources:
  OpenSSL_A.01.00.01p
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I

IBM Rational Application Developer: solution for OpenSSL.
The solution is indicated in information sources.

IBM Spectrum Protect: versions 7.1.6.5 and 8.1.0.2.
Versions 7.1.6.5 and 8.1.0.2 are fixed:
  Version 7.1.6.5: http://www-01.ibm.com/support/docview.wss?uid=swg24042496
  Version 8.1.0.2: http://www.ibm.com/support/docview.wss?uid=swg24043351

IBM Tivoli Workload Scheduler: patch for OpenSSL.
A patch is indicated in information sources.

IBM WebSphere MQ: version 8.0.0.4.
The version 8.0.0.4 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg21969244
  http://www-01.ibm.com/support/docview.wss?uid=swg24037500

Juniper Junos: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

Juniper Pulse: solution for OpenSSL.
The solution is indicated in information sources.

McAfee Email and Web Security: version 5.6h1054075.
The version 5.6h1054075 is fixed:
  https://support.mcafee.com/downloads
Workarounds are indicated in the McAfee announcement.

McAfee Email Gateway: version 7.6.401.
Version 7.6.401 is fixed:
  https://support.mcafee.com/downloads

McAfee Web Gateway: solution for OpenSSL.
A solution is available from McAfee.

NetApp Data: solution for OpenSSL 06/2015.
A patch is available:
  Data ONTAP Edge: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=923550
  Data ONTAP operating in 7-Mode: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=923548
  Data ONTAP SMI-S Agent: http://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=923545
  Snap Creator Framework: https://mysupport.netapp.com/NOW/download/software/snapcreator_framework/4.3P1/
  SnapManager for SAP win: http://mysupport.netapp.com/NOW/download/software/snapmanager_sap_win/3.4P2/
  SnapManager for SAP unix: http://mysupport.netapp.com/NOW/download/software/snapmanager_sap_unix/3.4P2/

NetBSD: patch for OpenSSL.
A patch is available in information sources.

Node.js: version 0.12.5.
The version 0.12.5 is fixed:
  https://nodejs.org/download/

openSUSE: new libopenssl0_9_8 packages.
New packages are available:
  openSUSE 13.2: libopenssl0_9_8 0.9.8zh-9.3.1
  openSUSE Leap 42.1: libopenssl0_9_8 0.9.8zh-14.1

openSUSE: new openssl packages.
New packages are available:
  openSUSE 13.2: libopenssl1_0_0 1.0.1k-2.24.1
  openSUSE 13.1: libopenssl1_0_0 1.0.1k-11.72.1

Oracle Communications: CPU of April 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2247453.1
  https://support.oracle.com/rs?type=doc&id=2248470.1
  https://support.oracle.com/rs?type=doc&id=2251718.1
  https://support.oracle.com/rs?type=doc&id=2245233.1
  https://support.oracle.com/rs?type=doc&id=2248526.1
  https://support.oracle.com/rs?type=doc&id=2250567.1

Oracle Communications: CPU of October 2016.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2188694.1

Oracle Communications: CPU of October 2017.
A Critical Patch Update is available.

PAN-OS: versions 5.0.20, 5.1.13, 6.0.14, 6.1.13, 7.0.9 and 7.1.4.
Versions 5.0.20, 5.1.13, 6.0.14, 6.1.13, 7.0.9 and 7.1.4 are fixed.

pfSense: version 2.2.3.
The version 2.2.3 is fixed:
  https://www.pfsense.org/download/mirror.php?section=updates
  https://www.pfsense.org/download/mirror.php?section=downloads

Puppet Labs Puppet: fixed versions for OpenSSL.
The following versions are fixed:
  Puppet Enterprise 3.8.1
  Puppet Agent 1.1.1

RHEL: new openssl packages.
New packages are available:
  RHEL 6: openssl 1.0.1e-30.el6_6.11
  RHEL 7: openssl 1.0.1e-42.el7_1.8

ScreenOS: version 6.3.0r22.
The version 6.3.0r22 is fixed:
  https://www.juniper.net/

Slackware: new openssl packages.
New packages are available:
  Slackware 13.0: openssl 0.9.8zg-*-1_slack13.0
  Slackware 13.1: openssl 0.9.8zg-*-1_slack13.1
  Slackware 13.37: openssl 0.9.8zg-*-1_slack13.37
  Slackware 14.0: openssl 1.0.1n-*-1_slack14.0
  Slackware 14.1: openssl 1.0.1n-*-1_slack14.1

Solaris: patch for Third Party (07/2015).
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

SUSE LE 11: new OpenSSL 0.9.8 packages.
New packages are available:
  SUSE LE 11: openssl 0.9.8j-0.72.1

SUSE LE 12: new openssl packages.
New packages are available:
  SUSE LE 12: libopenssl1_0_0 1.0.1i-25.1, libopenssl0_9_8 0.9.8j-78.1

SUSE LE Security Module 11: new OpenSSL 1.0 packages.
New packages are available:
  SUSE LE 11: openssl1 1.0.1g-0.30.1

Synology DS214, RS214: version 5.2-5592.
The version 5.2-5592 is fixed.

Ubuntu: new openssl packages.
New packages are available:
  Ubuntu 15.04: libssl1.0.0 1.0.1f-1ubuntu11.4
  Ubuntu 14.10: libssl1.0.0 1.0.1f-1ubuntu9.8
  Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.15
  Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.31

WinSCP: version 5.7.4.
The version 5.7.4 is fixed:
  http://winscp.net/eng/download.php
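
To triage an inventory against the fixed upstream OpenSSL releases listed above (1.0.2b, 1.0.1n, 1.0.0s, 0.9.8zg), the following Python code is an added example, not part of the bulletin or of OpenSSL. The host names, the status labels and the sample inventory are constructed for illustration.

```python
import re

# Fixed upstream releases per branch, taken from the bulletin above.
FIXED = {"1.0.2": "b", "1.0.1": "n", "1.0.0": "s", "0.9.8": "zg"}

# x.y.z, optional patch letters, then any vendor/build suffix.
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)([a-z]*)(\S*)")


def letter_rank(letters):
    # OpenSSL patch letters run a..z, then za, zb, ...; sorting by
    # (length, text) keeps "zg" above "z" and "" below "a".
    return (len(letters), letters)


def classify(version_string):
    """Classify one OpenSSL version string against CVE-2015-1791 fixes."""
    match = VERSION_RE.search(version_string)
    if match is None:
        return "unparsed"
    branch, letters, suffix = match.groups()
    if branch not in FIXED:
        return "branch-not-listed"
    if letter_rank(letters) >= letter_rank(FIXED[branch]):
        return "fixed"
    if suffix.startswith("-"):
        # Distribution builds such as 1.0.1e-30.el6_6.11 backport the fix
        # without changing the upstream letter: compare the package release
        # with the vendor entry in the bulletin instead.
        return "check-vendor-package"
    return "vulnerable"


def triage(inventory):
    """Map host -> status for a {host: version string} inventory."""
    return {host: classify(v) for host, v in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not from the bulletin).
SAMPLE = {
    "build-01": "OpenSSL 1.0.2a 19 Mar 2015",
    "vpn-gw": "OpenSSL 0.9.8zg 11 Jun 2015",
    "legacy": "OpenSSL 0.9.8y 5 Feb 2013",
    "rhel6-app": "1.0.1e-30.el6_6.11",
    "new-node": "OpenSSL 1.1.0 25 Aug 2016",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:10} {status}")
```

A "check-vendor-package" result means the upstream letter alone is not conclusive; the package release has to be compared with the distribution entries in this bulletin.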
