OpenSSL Security Vulnerabilities Roundup
OpenSSL Security Advisory issued on 30 July 2002 that points to several security issues within OpenSSL. There are four remotely exploitable buffer overflows in OpenSSL. There are also encoding problems in the ASN.1 library used by OpenSSL. Several of these vulnerabilities could be used by a remote attacker to execute arbitrary code on the target system. All could be used to create denial of service.
Advisory #1 consist of the following vulnerabilities:
1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis ) who have also demonstrated that the vulerability is exploitable. Exploit code is not available at this time.
2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.
3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issues only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled.
4. Various buffers for ASCII representations of integers were too small on 64 bit platforms.
Advisory #2 says that the ASN1 parser can be confused by supplying it with certain invalid encodings.
Both advisories can be found in the mentioned OpenSSL Security Advisory available over here:
CERT Advisory CA-2002-23 – Multiple Vulnerabilities In OpenSSL
Systems Affected:
* OpenSSL prior to 0.9.6e, up to and including pre-release 0.9.7-beta2
* OpenSSL pre-release 0.9.7-beta2 and prior with Kerberos enabled
* SSLeay library
Vendor security advisories:
Red Hat Security Advisory – Updated openssl packages fix remote vulnerabilities
EnGarde Secure Linux Advisory – Several vulnerabilities in the openssl library
Debian Security Advisory – Multiple OpenSSL problems
SuSE Security Announcement – openssl
Mandrake Linux Security Advisory – openssl
Solutions:
OpenSSL 0.9.6e is now available, including important bugfixes
http://www.openssl.org/source/
2232012 Jul 30 13:16:45 2002 openssl-engine-0.9.6e.tar.gz [LATEST]
2158566 Jul 30 13:07:56 2002 openssl-0.9.6e.tar.gz [LATEST
Combined patches for OpenSSL 0.9.6d:
Combined patches for OpenSSL 0.9.7 beta 2: