Bug 911399 (CVE-2014-3569)

Summary: VUL-0: CVE-2014-3569: openssl: remote denial of service when built with no-ssl3
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Vítězslav Čížek <vcizek>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2014-12-30 20:19:15 UTC 
via nvd

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.


https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6ce9687b5aba5391fc0de50e18779eb676d0e04d

http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3569.html

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b82924741b4bd590da890619be671f4635e46c2b

https://security-tracker.debian.org/tracker/CVE-2014-3569

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=392fa7a952e97d82eac6958c81ed1e256e6b8ca5

http://rt.openssl.org/Ticket/Display.html?id=3571&user=guest&pass=guest
Comment 1 Marcus Meissner 2014-12-30 20:23:16 UTC 
we still built with ssl3 even in factory.

-> not affected by this problem.
Comment 2 Marcus Meissner 2014-12-30 20:24:21 UTC 
CVE-2014-3569,20141230,NOTE:We so far are building openssl with ssl3 enabled, so this problem does not affect our packages.
Comment 3 Marcus Meissner 2015-01-08 16:09:38 UTC 
openssl.org/news/secadv_20150108.txt 


no-ssl3 configuration sets method to NULL (CVE-2014-3569)
=========================================================

Severity: Low

When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is
received the ssl method would be set to NULL which could later result in
a NULL pointer dereference.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The
fix was developed by Kurt Roeckx.
Comment 4 Bernhard Wiedemann 2015-01-09 12:00:10 UTC 
This is an autogenerated message for OBS integration:
This bug (911399) was mentioned in
https://build.opensuse.org/request/show/280570 Factory / openssl
Comment 5 Swamp Workflow Management 2015-01-23 19:05:21 UTC 
openSUSE-SU-2015:0130-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 911399,912014,912015,912018,912292,912293,912294,912296
CVE References: CVE-2014-3569,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206
Sources used:
openSUSE 13.2 (src):    openssl-1.0.1k-2.16.2
openSUSE 13.1 (src):    openssl-1.0.1k-11.64.2