Discover Government News

Arch Linux Security Advisory ASA-201512-2
========================================
Severity: High
Date    : 2015-12-05
CVE-ID  : CVE-2015-3193 CVE-2015-3194 CVE-2015-3195 CVE-2015-3196
CVE-2015-1794
Package : openssl lib32-openssl
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The packages openssl and lib32-openssl before version 1.0.2.e-1 are
vulnerable to multiple issues including memory leaks, denial of service, double
free. If you use DHE there is a possibility that organizations with enough
system resources can guess your private key.


Resolution
=========
Upgrade to 1.0.2.e-1.

# pacman -Syu "openssl>=1.0.2.e-1"

If you use lib32-openssl it is strongly recommended to upgrade this
package as well.

# pacman -Syu "lib32-openssl>=1.0.2.e-1"

The problems have been fixed upstream in version 1.0.2.e.


Workaround
=========
None.


Description
==========
- CVE-2015-3193 (insecure private key in connection with DHE)

There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA
and DSA as a result of this defect would be very difficult to perform and are
not believed likely. Attacks against DH are considered just feasible
(although very difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur
by default in OpenSSL DHE based SSL/TLS ciphersuites.[1]

- CVE-2015-3194 (denial of service)

The signature verification routines will crash with a NULL pointer
dereference if presented with an ASN.1 signature using the RSA PSS algorithm and
absent mask generation function parameter. Since these routines are used to
verify certificate signature algorithms this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any application
which performs certificate verification is vulnerable including OpenSSL
clients and servers which enable client authentication.[2]

- CVE-2015-3195 (memory leaks)

When presented with a malformed X509_ATTRIBUTE structure OpenSSL will
leak memory. This structure is used by the PKCS#7 and CMS routines so any
application which reads PKCS#7 or CMS data from untrusted sources is
affected. SSL/TLS is not affected.[3]

- CVE-2015-3196 (double free)

If PSK identity hints are received by a multi-threaded client then
the values are wrongly updated in the parent SSL_CTX structure. This can
result in a race condition potentially leading to a double free of the
identify hint data.[4]

- CVE-2015-1794 (denial of service)

If a client receives a ServerKeyExchange for an anonymous DH ciphersuite
with the value of p set to 0 then a seg fault can occur leading to a possible
denial of service attack.[5]

Impact
=====
A remote attacker is possible to guess the private key (only when DHE is
used) with enough resources (e.g NSA/GHCQ), crash openssl (denial of service)
and make use of memory leaks.[6]

References
=========
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3193
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3194
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3195
[4] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3196
[5] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1794
[6] https://www.openssl.org/news/secadv/20151203.txt

ArchLinux: 201512-2: openssl lib32-openssl: multiple issues

December 5, 2015

Summary

- CVE-2015-3193 (insecure private key in connection with DHE) There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites.[1]
- CVE-2015-3194 (denial of service)
The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. Since these routines are used to verify certificate signature algorithms this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.[2]
- CVE-2015-3195 (memory leaks)
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected.[3]
- CVE-2015-3196 (double free)
If PSK identity hints are received by a multi-threaded client then the values are wrongly updated in the parent SSL_CTX structure. This can result in a race condition potentially leading to a double free of the identify hint data.[4]
- CVE-2015-1794 (denial of service)
If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with the value of p set to 0 then a seg fault can occur leading to a possible denial of service attack.[5]

Resolution

Upgrade to 1.0.2.e-1. # pacman -Syu "openssl>=1.0.2.e-1"
If you use lib32-openssl it is strongly recommended to upgrade this package as well.
# pacman -Syu "lib32-openssl>=1.0.2.e-1"
The problems have been fixed upstream in version 1.0.2.e.

References

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3193 [2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3194 [3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3195 [4] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3196 [5] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1794 [6] https://www.openssl.org/news/secadv/20151203.txt

Severity
CVE-2015-1794
Package : openssl lib32-openssl
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/title/CVE

Workaround

None.

Related News