Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2010-012: OpenSSL TLS extension parsing race condition



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2010-012
                 =================================

Topic:          OpenSSL TLS extension parsing race condition.


Version:        NetBSD-current:         source prior to November 18, 2010
                NetBSD 5.0.*:           affected
                NetBSD 5.0:             affected
                NetBSD 5.1:             affected
                NetBSD 4.0.*:           not affected
                NetBSD 4.0:             not affected
                pkgsrc:                 openssl package prior to 0.9.8p

Severity:       Denial of Service and potential arbitrary code execution

Fixed:          NetBSD-current:         November 17, 2010
                NetBSD-5-0 branch:      November 19, 2010
                NetBSD-5-1 branch:      November 19, 2010
                NetBSD-5 branch:        November 19, 2010
                pkgsrc 2010Q3:          openssl-0.9.8p corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A flaw has been found in the OpenSSL TLS server extension code parsing which
on affected servers can be exploited in a buffer overrun attack.
This flaw impacts neither the Apache HTTP server nor any daemon as shipped
with NetBSD.

This vulnerability has been assigned CVE-2010-3864.


Technical Details
=================

Multiple race conditions in ssl/t1_lib.c in OpenSSL, when multi-threading
and internal caching are enabled on a TLS server, might allow remote
attackers to execute arbitrary code via client data that triggers a
heap-based buffer overflow, related to (1) the TLS server name extension
and (2) elliptic curve cryptography. A binary that does not link both
against libssl and a threading library like eg libpthread is unlikely
to be affected.
See http://www.openssl.org/news/secadv_20101116.txt for the vulnerability
announcement from OpenSSL.


Solutions and Workarounds
=========================

- - Patch, recompile, and reinstall libssl.

  CVS branch    file                                                    revision
  ------------- ----------------                                        --------
  HEAD          src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c       1.2

  CVS branch    file                                            revision
  ------------- ----------------                                --------
  netbsd-5-1    src/crypto/dist/openssl/ssl/t1_lib.c            1.2.12.1

  netbsd-5-0    src/crypto/dist/openssl/ssl/t1_lib.c            1.2.8.1

  netbsd-5      src/crypto/dist/openssl/ssl/t1_lib.c            1.2.4.1


The following instructions briefly summarize how to update and
recompile libssl. In these instructions, replace:

  BRANCH   with the appropriate CVS branch (from the above table)
  FILES    with the file names for that branch (from the above table)

To update from CVS, re-build, and re-install libc and sftp:

* NetBSD-current:

        # cd src
        # cvs update -d -P -A crypto/external/bsd/openssl/dist/ssl
        # cd lib/libcrypt
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../../crypto/external/bsd/openssl/lib/libcrypto
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

* NetBSD 5.*:

        # cd src
        # cvs update -d -P -r BRANCH crypto/dist/openssl/ssl
        # cd lib/libcrypt
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libcrypto
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
        # cd ../libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install

For more information on building (oriented towards rebuilding the
entire system, however) see:

   http://www.netbsd.org/guide/en/chap-build.html


Thanks To
=========

Thanks to Rob Hulswit for discovering the problem and Dr Stephen Henson
for providing the fix.


Revision History
================

        2010-11-29      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-012.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2010, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2010-012.txt,v 1.1 2010/11/28 14:23:19 tonnerre Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)

iQIcBAEBAgAGBQJM8mX5AAoJEAZJc6xMSnBu1ZQQAI8P8gztP5S0nct//GzE8YTE
mwFB0kGqq7rIgv9iChIy6oqtziu2FG8NwYIOiQl0RkAIY3gM8aB+wpgAhgqdzzx+
8oQ8DPqQn+tbJl64oPAMQ1Ce0tvnuOtmcKBb61ggjI8jfA5wzL5WY+hl+jVJiQ4H
8SqrrkcNbq2IDFJNFzgteq8UmMb610wiFdZqp7HSfEER36da/lXD8Y+nueoW68Ck
NDAe8RxNqiglv71eMZ/7C+ZcZFSm/jooCC6GUK2ll10qx8uAVtiXxhaaT6//1JZX
JU4dHLoETi+SRMkUqaxb4E63DsBTHnwMhD44tpDswnKsNyPv+NwefIDJbYzPTQFg
CThH31PP/0DT1BbnmSao5+ghish9f4Rvk8uHt92JTlMLRWVjo9ApZnB6lxez/WK1
JIohxWytnKLtdvBh9iWT2cVAAQIbPSWrlQV9vpk7thEtZ6GVkc8h6WkwjhW3vEyS
R3mn9BUak3EjiFWLwNuQWEY+ID4dtNJvEwv7S0wIUxz8wB9M0RvxXEhYH5M3vRUv
ieL399QknRh3lkuu53MULj8SL24upjiLAV8pbdT9W4zX6Ci3bKLjc03stJt6x4IA
02jCmdAv5OniDLggF8FTuKLIEqZu+TkmVkOfzGglTFzHHCd+UIgzy1okvJrxN1wr
zV7L32PZRfpiwu9rngFS
=aB+B
-----END PGP SIGNATURE-----


Home | Main Index | Thread Index | Old Index