March 26th, 2009

OpenSSL patches three security holes

Posted by Ryan Naraine @ 5:43 pm

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Malware, Open source, Patch Watch, Pen testing

Tags: OpenSSL, Patch Management, OpenSSL Project, Ssl/Tls, Security, Ryan Naraine

The OpenSSL Project has released new versions of its popular implementation of the SSL v2/v3 and TLS protocols to fix three security vulnerabilities.

According to an advisory from the open-source group, the toolkit update fixes three security flaws that carry “moderate severity” ratings.

The raw details:

• ASN1 printing crash: The function ASN1_STRING_print_ex() when used to print a BMPString or UniversalString will crash with an invalid memory access if the encoded length of the string is illegal. (CVE-2009-0590.
  • Any OpenSSL application which prints out the contents of a certificate could be affected by this bug, including SSL servers, clients and S/MIME software.
• Incorrect Error Checking During CMS verification: The function CMS_verify() does not correctly handle an error condition involving malformed signed attributes. This will cause an invalid set of signed attributes to appear valid and content digests will not be checked. (CVE-2009-0591)
  • These malformed attributes cannot be generated without access to he signer’s private key so an attacker cannot forge signatures. A valid signer could however generate an invalid signature which appears valid and later repudiate the signature.
• Invalid ASN1 clearing check: When a malformed ASN1 structure is received its contents are freed up and zeroed and an error condition returned. On a small number of platforms where sizeof(long) < sizeof(void *) (for example WIN64) this can cause an invalid memory access later resulting in a crash when some invalid structures are read, for example RSA public keys (CVE-2009-0789).
  • Any OpenSSL application which uses the public key of an untrusted certificate could be crashed by a malformed structure. Including SSL servers, clients, CA and S/MIME software.

OpenSSL users should pay serious attention to the following advice from US-CERT:

• Because OpenSSL is widely redistributed, users should check for updates from their operating system vendors and vendors of other products using OpenSSL. Users of OpenSSL from the original source distribution should upgrade to OpenSSL 0.9.8k.