The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of OpenSSL: use after free via PSK Identity Hint

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area via the PSK Identity Hint of an OpenSSL multi-threaded client, in order to trigger a denial of service, and possibly to run code.
Severity of this alert: 2/4.
Creation date: 03/12/2015.
References of this alert: 1972951, 1976113, 1976148, 1981612, 2003480, 2003620, 2003673, 9010051, BSA-2016-006, bulletinjan2016, c05398322, CERTFR-2015-AVI-517, cisco-sa-20151204-openssl, cpuoct2017, CVE-2015-3196, DSA-3413-1, FEDORA-2015-d87d60b9a9, FreeBSD-SA-15:26.openssl, HPESBHF03709, JSA10759, NTAP-20151207-0001, openSUSE-SU-2015:2288-1, openSUSE-SU-2015:2289-1, RHSA-2015:2617-01, SA40100, SB10203, SOL12824341, SOL30714460, SOL55540723, SOL86772626, SSA:2015-349-04, USN-2830-1, VIGILANCE-VUL-18437.

Description of the vulnerability

The OpenSSL library can be used by a multi-threaded client.

However, in this case, the SSL_CTX structure does not contain an updated PSK Identity Hint. OpenSSL can thus free the same memory area twice.

An attacker can therefore force the usage of a freed memory area via the PSK Identity Hint of an OpenSSL multi-threaded client, in order to trigger a denial of service, and possibly to run code.

This computer vulnerability bulletin impacts software or systems such as FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, ASA, AsyncOS, Cisco Content SMA, Cisco ESA, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco MeetingPlace, Cisco WSA, Cisco Wireless Controller, Debian, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, HP Switch, AIX, IRAD, QRadar SIEM, Tivoli Storage Manager, Tivoli Workload Scheduler, IVE OS, Juniper J-Series, Junos OS, Junos Space, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, Juniper SBR, McAfee Email Gateway, Data ONTAP 7-Mode, NetScreen Firewall, ScreenOS, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Solaris, pfSense, Pulse Connect Secure, MAG Series by Pulse Secure, Pulse Secure SBR, Puppet, RHEL, Slackware, Synology DS***, Synology RS***, Ubuntu.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is medium.

The trust level is "confirmed by the editor", and the origin is an internet server.

An attacker with expert ability can exploit this threat note.

Solutions for this threat

OpenSSL: version 1.0.2d.
The version 1.0.2d is fixed:
  https://www.openssl.org/source/openssl-1.0.2d.tar.gz

OpenSSL: version 1.0.1p.
The version 1.0.1p is fixed:
  https://www.openssl.org/source/openssl-1.0.1p.tar.gz

OpenSSL: version 1.0.0t.
The version 1.0.0t is fixed:
  http://openssl.org/source/

AIX: patch for OpenSSL.
A patch is indicated in information sources.

Brocade: solution for Multiple Vulnerabilities.
The solution is indicated in information sources.

Cisco: solution for OpenSSL.
The solution is indicated in information sources.

Debian: new openssl packages.
New packages are available:
  Debian 7: openssl 1.0.1e-2+deb7u18
  Debian 8: openssl 1.0.1k-3+deb8u2

F5 BIG-IP: solution for OpenSSL.
The solution is indicated in information sources.

Fedora 22: new openssl packages.
New packages are available:
  Fedora 22: openssl 1.0.1k-13.fc22

Fortinet: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

FreeBSD: patch for OpenSSL.
A patch is available:
  https://security.FreeBSD.org/patches/SA-15:26/openssl-9.3.patch
  https://security.FreeBSD.org/patches/SA-15:26/openssl-10.1.patch
  https://security.FreeBSD.org/patches/SA-15:26/openssl-10.2.patch

HPE Comware Switch: solution for OpenSSL.
The solution is indicated in information sources.

IBM Rational Application Developer: patch for OpenSSL.
A patch is indicated in information sources.

IBM Security QRadar SIEM: patch for OpenSSL.
A patch is available:
  IBM QRadar/QRM/QVM/QRIF 7.2.6 Patch 2: http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.6-QRADAR-QRSIEM-20160121152811&includeRequisites=0&includeSupersedes=0&downloadMethod=http&source=fc
  IBM QRadar 7.1 MR2 Patch 12 Interim Fix 1: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.1.0&platform=Linux&function=fixId&fixids=7.1.0-QRADAR-QRSIEM-1104447INT&includeRequisites=0&includeSupersedes=0&downloadMethod=http&source=fc

IBM Spectrum Protect: versions 7.1.6.5 and 8.1.0.2.
Versions 7.1.6.5 and 8.1.0.2 are fixed:
  Version 7.1.6.5: http://www-01.ibm.com/support/docview.wss?uid=swg24042496
  Version 8.1.0.2: http://www.ibm.com/support/docview.wss?uid=swg24043351

IBM Tivoli Workload Scheduler: patch for OpenSSL.
A patch is indicated in information sources.

Juniper: solution for OpenSSL.
The solution is indicated in information sources.

McAfee Email Gateway: version 7.6.404-3328.101.
The version 7.6.404-3328.101 is fixed:
  https://kc.mcafee.com/corporate/index?page=content&id=KB56057

NetApp Data ONTAP: patch for OpenSSL 12/2015.
A patch is available:
  Data ONTAP SMI-S Agent: https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=971461

openSUSE: new openssl packages.
New packages are available:
  openSUSE 13.1: openssl 1.0.1k-11.75.1
  openSUSE 13.2: openssl 1.0.1k-2.27.1
  openSUSE Leap 42.1: openssl 1.0.1i-9.1

Oracle Communications: CPU of October 2017.
A Critical Patch Update is available.

pfSense: version 2.2.6.
The version 2.2.6 is fixed:
  https://pfsense.org/download/

Pulse Secure: solution for OpenSSL.
The solution is indicated in information sources.

Puppet Agent: version 1.3.4.
The version 1.3.4 is fixed:
  https://puppetlabs.com/

RHEL: new openssl packages.
New packages are available:
  RHEL 6: openssl 1.0.1e-42.el6_7.1
  RHEL 7: openssl 1.0.1e-51.el7_2.1

Slackware: new openssl packages.
New packages are available:
  Slackware 13.0: openssl 0.9.8zh-*-1_slack13.0
  Slackware 13.1: openssl 0.9.8zh-*-1_slack13.1
  Slackware 13.37: openssl 0.9.8zh-*-1_slack13.37
  Slackware 14.0: openssl 1.0.1q-*-1_slack14.0
  Slackware 14.1: openssl 1.0.1q-*-1_slack14.1

Solaris: patch for Third Party (01/2016).
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Synology DS, RS: version 5.2-5644 Update 3.
The version 5.2-5644 Update 3 is fixed:
  https://www.synology.com

Ubuntu: new libssl1.0.0 packages.
New packages are available:
  Ubuntu 15.10: libssl1.0.0 1.0.2d-0ubuntu1.2
  Ubuntu 15.04: libssl1.0.0 1.0.1f-1ubuntu11.5
  Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.16
  Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.32
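
To compare an upstream OpenSSL build against the fixed releases listed above (1.0.2d, 1.0.1p, 1.0.0t), the following shell script can be used. It is an added example, not part of the Vigil@nce bulletin; the function names and result labels are assumptions. It applies to upstream version strings only: distribution packages such as the Debian or RHEL ones above carry the fix as a backport under an older upstream version, so check the package revision there instead.

```shell
#!/bin/sh
# Added example: classify an upstream OpenSSL version string against the
# fixed releases named in this bulletin (1.0.2d, 1.0.1p, 1.0.0t).
# Function names and result labels are illustrative assumptions.

# Letter suffix of the fixed release for each branch listed in the bulletin.
fixed_suffix() {
    case "$1" in
        1.0.2) echo d ;;
        1.0.1) echo p ;;
        1.0.0) echo t ;;
        *)     echo "" ;;
    esac
}

# True when letter suffix $1 is the same as or later than $2.
# OpenSSL 1.0.x suffixes run a..z, then za, zb, ..., so a longer
# suffix is always the later release; equal lengths compare as text.
suffix_at_least() {
    if [ "${#1}" -ne "${#2}" ]; then
        [ "${#1}" -gt "${#2}" ]
        return
    fi
    LC_ALL=C expr "x$1" \>= "x$2" >/dev/null
}

# Print "fixed", "needs-update" or "not-listed" for a version such as
# "1.0.1k" or a full `openssl version` output line.
classify_openssl() {
    parsed=$(printf '%s\n' "$1" | sed -n \
        's/^\(OpenSSL \)\{0,1\}\([0-9]*\.[0-9]*\.[0-9]*\)\([a-z]*\).*$/\2 \3/p')
    branch=${parsed%% *}    # e.g. 1.0.1
    suffix=${parsed#* }     # e.g. k (empty for a release without a letter)
    want=$(fixed_suffix "$branch")
    if [ -z "$want" ]; then
        echo not-listed     # branch has no fixed release in the bulletin
    elif suffix_at_least "$suffix" "$want"; then
        echo fixed
    else
        echo needs-update
    fi
}

# Usage: sh check.sh "$(openssl version)"
if [ "$#" -gt 0 ]; then
    classify_openssl "$1"
fi
```

A `not-listed` result means the bulletin names no fixed upstream release for that branch, not that the build is unaffected.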