Bugzilla – Bug 657663
VUL-0: openssl: Ciphersuite Downgrade Attack, JPAKE validation error
Last modified: 2013-03-28 10:18:07 UTC
Hi. There is a security bug in package 'openssl'. This bug is public. There is no coordinated release date (CRD) set.

More information can be found here: http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf

CVE number: CVE-2010-4180
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
CVSS v2 Base Score: 4.3 (moderate) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE number: CVE-2010-4252
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4252
CVSS v2 Base Score: 7.5 (important) (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Original posting:

---------- Forwarded message ----------
Subject: OpenSSL security advisory
Date: Thursday 02 December 2010
From: OpenSSL <openssl@master.openssl.org>
To: openssl-announce@master.openssl.org, openssl-dev@master.openssl.org, openssl-users@master.openssl.org

OpenSSL Security Advisory [2 December 2010]

OpenSSL Ciphersuite Downgrade Attack
=====================================

A flaw has been found in the OpenSSL SSL/TLS server code where an old bug workaround allows malicious clients to modify the stored session cache ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one on subsequent connections.

The OpenSSL security team would like to thank Martin Rex for reporting this issue.

This vulnerability is tracked as CVE-2010-4180

OpenSSL JPAKE validation error
===============================

Sebastian Martini found an error in OpenSSL's J-PAKE implementation which could lead to successful validation by someone with no knowledge of the shared secret. This error is fixed in 1.0.0c. Details of the problem can be found here: http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf

Note that the OpenSSL Team still considers our implementation of J-PAKE to be experimental; it is not compiled in by default.

This issue is tracked as CVE-2010-4252

Who is affected?
=================

All versions of OpenSSL contain the ciphersuite downgrade vulnerability. Any OpenSSL based SSL/TLS server is vulnerable if it uses OpenSSL's internal caching mechanisms and the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag (many applications enable this by using the SSL_OP_ALL option). Users of OpenSSL 0.9.8j or later who do not enable weak ciphersuites are still vulnerable but the bug has no security implications as the attacker can only change from one strong ciphersuite to another.

All users of OpenSSL's experimental J-PAKE implementation are vulnerable to the J-PAKE validation error.

Recommendations for users of OpenSSL
=====================================

Users of all OpenSSL 0.9.8 releases including 0.9.8p should update to the OpenSSL 0.9.8q release which contains a patch to correct this issue. Alternatively do not set the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG and/or SSL_OP_ALL flags.

Users of OpenSSL 1.0.0 releases should update to the OpenSSL 1.0.0c release which contains a patch to correct this issue and also contains a corrected version of the CVE-YYYY-NNN vulnerability fix.

If upgrading is not immediately possible, the relevant source code patch provided in this advisory should be applied.

Any user of OpenSSL's J-PAKE implementation (which is not compiled in by default) should upgrade to OpenSSL 1.0.0c.

Patch
=====

Index: ssl/s3_clnt.c =================================================================== RCS file: /v/openssl/cvs/openssl/ssl/s3_clnt.c,v retrieving revision 1.129.2.16 diff -u -r1.129.2.16 s3_clnt.c - --- ssl/s3_clnt.c 10 Oct 2010 12:33:10 -0000 1.129.2.16 +++ ssl/s3_clnt.c 24 Nov 2010 14:32:37 -0000
@@ -866,8 +866,11 @@ s->session->cipher_id = s->session->cipher->id; if (s->hit && (s->session->cipher_id != c->id)) { +/* Workaround is now obsolete */ +#if 0 if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) +#endif { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); Index: ssl/s3_srvr.c =================================================================== RCS file: /v/openssl/cvs/openssl/ssl/s3_srvr.c,v retrieving revision 1.171.2.22 diff -u -r1.171.2.22 s3_srvr.c - --- ssl/s3_srvr.c 14 Nov 2010 13:50:29 -0000 1.171.2.22 +++ ssl/s3_srvr.c 24 Nov 2010 14:34:28 -0000 @@ -985,6 +985,10 @@ break; } } +/* Disabled because it can be used in a ciphersuite downgrade + * attack: CVE-2010-4180. + */ +#if 0 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) { /* Special case as client bug workaround: the previously used cipher may @@ -999,6 +1003,7 @@ j = 1; } } +#endif if (j == 0) { /* we need to have the cipher in the cipher

References
===========

URL for this Security Advisory: http://www.openssl.org/news/secadv_20101202.txt
URL for updated CVE-2010-3864 Security Advisory: http://www.openssl.org/news/secadv_20101116-2.txt
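Review bot: in the s3_clnt.c hunk (@@ -866,8 +866,11 @@) the `+#if 0` / `+#endif` pair brackets only the `if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))` line, so the block that follows, raising SSL_AD_ILLEGAL_PARAMETER with SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED, now runs unconditionally whenever a resumed session comes back with a cipher other than the cached one. That is the intended client-side hardening, but `/* Workaround is now obsolete */` does not say why; suggest citing CVE-2010-4180 here as the server-side hunk does, and deleting the line outright instead of parking it under `#if 0`.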
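Review bot: the `+#if 0` opened in the first s3_srvr.c hunk (@@ -985,6 +985,10 @@) is closed only by the `+#endif` of the following hunk, so neither hunk shows the complete disabled region and the lines being removed between them are not visible to a reviewer of this diff; prefer deleting the whole `if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && ...)` block in one hunk. Because SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is still defined and still part of SSL_OP_ALL, the SSL_CTX_set_options documentation should also be updated to state that the flag is now a no-op.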
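Review bot: after the `+#endif` in the second s3_srvr.c hunk (@@ -999,6 +1003,7 @@), `j` can only have been set by the loop over the ciphers the client offered (the `break; } }` at the top of the previous hunk), so `if (j == 0)` now rejects every resumption whose cached cipher the client did not offer. A one-line comment at that `if` saying the cached cipher can no longer be replaced from the ClientHello, plus a CHANGES entry, would help applications that set SSL_OP_ALL understand the behaviour change.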
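The server-side check that the s3_srvr.c hunks above disable, reduced to a constructed C model added here (not OpenSSL's code): with the option bit set, a resumption ClientHello offering one enabled cipher that differs from the cached one is accepted and rewrites the cache entry; with the bit cleared (the advisory's alternative mitigation, equivalent in this model to the patch compiling the block out) it is rejected while normal resumption still succeeds. The cipher ids, SESSION, server_enabled and the scenario helpers are hypothetical stand-ins.

```c
#include <stddef.h>
/* Constructed model of the resumption check in ssl3_get_client_hello(). Cipher
 * ids are hypothetical; the option bit is OpenSSL's value for
 * SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, which SSL_OP_ALL includes. */
#define OPT_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008UL

enum { CIPHER_STRONG = 1, CIPHER_WEAK = 2, CIPHER_UNSUPPORTED = 3 };
static const unsigned long SERVER_ENABLED[] = { CIPHER_STRONG, CIPHER_WEAK };
typedef struct { unsigned long cipher_id; } SESSION;  /* one session-cache entry */

static int server_enabled(unsigned long id)
{
    size_t i;
    for (i = 0; i < sizeof SERVER_ENABLED / sizeof SERVER_ENABLED[0]; i++)
        if (SERVER_ENABLED[i] == id) return 1;
    return 0;
}

/* Returns 1 if resumption is accepted, 0 if the server must send
 * illegal_parameter. With the option bit set this is the pre-0.9.8q/1.0.0c
 * behaviour; the fix compiles the workaround step out entirely. */
static int resume_check(unsigned long options, SESSION *sess,
                        const unsigned long *offered, size_t n_offered)
{
    int j = 0; size_t i;
    for (i = 0; i < n_offered; i++)           /* cached cipher must be offered */
        if (offered[i] == sess->cipher_id) { j = 1; break; }
    /* Client-bug workaround (CVE-2010-4180): a single offered cipher that the
     * server has enabled is accepted AND written into the cache entry, so every
     * later resumption of this session starts from the replaced cipher. */
    if (j == 0 && (options & OPT_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
        && n_offered == 1 && server_enabled(offered[0])) {
        sess->cipher_id = offered[0];
        j = 1;
    }
    return j;
}

/* Scenario: the cache entry holds CIPHER_STRONG and a resumption ClientHello
 * for that session offers exactly one cipher, offered_cipher. */
static int run_scenario(unsigned long options, unsigned long offered_cipher, SESSION *sess)
{
    sess->cipher_id = CIPHER_STRONG;
    return resume_check(options, sess, &offered_cipher, 1);
}
static int resume_accepted(unsigned long options, unsigned long offered_cipher)
{ SESSION s; return run_scenario(options, offered_cipher, &s); }
static unsigned long cache_after_resume(unsigned long options, unsigned long offered_cipher)
{ SESSION s; run_scenario(options, offered_cipher, &s); return s.cipher_id; }
```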
mass change P5->P3
For CVE-2010-4180, a patch will be submitted soon; for CVE-2010-4252, I will only upgrade openssl to version 1.0.0c for Base:System (since the J-PAKE implementation is not compiled in by default).
IMO CVE-2010-4180 isn't that severe, we can include it in any upcoming security update and don't need to fix it immediately.
(In reply to comment #3)
> IMO CVE-2010-4180 isn't that severe, we can include it in any upcoming security
> update and don't need to fix it immediately.

Well, the patch for CVE-2010-4180 has been produced, and has been submitted to sle-11-sp1/sle-11/11.1/11.2/11.3. Thanks.
The SWAMPID for this issue is 37667. This issue was rated as low. Please submit fixed packages until 2011-01-04. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
ok, thanks. Please don't forget the libopenssl0_9_8 package
(In reply to comment #6)
> ok, thanks. Please don't forget the libopenssl0_9_8 package

Thanks. Do you mean the libopenssl0_9_8 package co-existing with libopenssl1_0_0?
Yes. As long as we have both, we also need to apply fixes to both, I guess.
Patch submitted to 11.3/Base:System for the libopenssl0_9_8 package. For Base:System, package openssl has been upgraded to 1.0.0c.
No submission for sle10. Will add to planned updates for sle10.
perl bin/addnote CVE-2010-4252 "J-PAKE support is experimental and is currently not enabled in any SUSE product. This means we are not affected by this security problem."
Update released for: libopenssl-devel, libopenssl0_9_8, libopenssl0_9_8-debuginfo, libopenssl1_0_0, libopenssl1_0_0-debuginfo, openssl, openssl-debuginfo, openssl-debugsource, openssl-doc
Products: openSUSE 11.1 (debug, i586, ppc, ppc64, x86_64), openSUSE 11.2 (debug, i586, x86_64), openSUSE 11.3 (debug, i586, x86_64)
released
Update released for: libopenssl-devel, libopenssl0_9_8, libopenssl0_9_8-32bit, libopenssl0_9_8-x86, openssl, openssl-debuginfo, openssl-debugsource, openssl-doc
Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP1 (i386, x86_64), SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP1 (i386, x86_64)
we still need to fix the cipher downgrade attack for sle10sp3 and sle9sp4 with their next openssl update round (but not immediately)
*** Bug 674017 has been marked as a duplicate of this bug. ***
When the update is planned, please inform me. Thanks.
*** Bug 681509 has been marked as a duplicate of this bug. ***
given the number of customer queries, we should start an update now. Guan, can you please submit fixed packages for sles9, sles10 sp3, sles 10 sp4. Please include the bugfix for bug 659128 too.
The SWAMPID for this issue is 39705. This issue was rated as moderate. Please submit fixed packages until 2011-04-12. Also create a patchinfo file using this link: https://swamp.suse.de/webswamp/wf/39705
(In reply to comment #19)
> given the number of customer queries, we should start an update now.
>
> Guan, can you please submit fixed packages for sles9, sles10 sp3, sles 10 sp4.
>
> Please include the bugfix for bug 659128 too.

OK, the patch will be submitted soon.
patch submitted to sle10-sp3/sle9-sp4.
sle10-sp4 has separate sources and also needs the fixes, can you please submit them too?
(In reply to comment #24)
> sle10-sp4 has separate sources and also needs the fixes, can you please submit
> them too?

OK, immediately.
patch submitted to sle10-sp4.
sles9 build failed:
openssl-doc: "/usr/share/doc/packages/openssl-doc/ssl/SSL_CTX_set_options.pod.orig" is not allowed anymore in SuSE Linux.
(In reply to comment #27)
> sles9 build failed:
> openssl-doc:
> "/usr/share/doc/packages/openssl-doc/ssl/SSL_CTX_set_options.pod.orig" is not
> allowed anymore in SuSE Linux.

I do not know what you mean, can you explain? I got the buildlog from osc and did not get any error message about what you are talking about. The buildlog will be attached.
fixed meanwhile
Created attachment 424240: buildlog of standard i586
(In reply to comment #29)
> fixed meanwhile

Oh, well, could you tell me what's wrong? Thanks.
osci rdiff -c 4 SUSE:SLE-9-SP4:Update:Test/openssl
(In reply to comment #32)
> osci rdiff -c 4 SUSE:SLE-9-SP4:Update:Test/openssl

Got it, it's about the patch format. Thanks.
this is probably a small behaviour mismatch between Autobuild (used for the patch) and the Internal Buildservice you used for testing.
Released sles9 and sles 10 sp3, sp4 now. All done.
Update released for: openssl, openssl-32bit, openssl-64bit, openssl-debuginfo, openssl-devel, openssl-devel-32bit, openssl-devel-64bit, openssl-doc, openssl-x86
Products: SLE-DEBUGINFO 10-SP3 (i386, ia64, ppc, s390x, x86_64), SLE-SAP-APL 10-SP3 (x86_64), SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64), SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Update released for: openssl, openssl-devel, openssl-doc
Products: Novell-Linux-POS 9 (i386), Open-Enterprise-Server 9 (i386), SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)
Update released for: openssl, openssl-32bit, openssl-64bit, openssl-debuginfo, openssl-devel, openssl-devel-32bit, openssl-devel-64bit, openssl-doc, openssl-x86
Products: SLE-DESKTOP 10-SP4 (i386, x86_64), SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64), SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)