Bug 104893 (CVE-2003-0543, CVE-2003-0544, CVE-2003-0545)
Summary: | CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Mark J. Cox <mjc>
Component: | vulnerability | Assignee: | Nalin Dahyabhai <nalin>
Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | jlieskov, x.cod3r
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2003-10-02 08:05:42 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Mark J. Cox
2003-09-23 11:06:15 UTC
Actually this is embargoed until September 30th, not November 4th (my mistake). A better description of the issues:

NISCC testing of implementations of the SSL protocol uncovered two bugs in OpenSSL 0.9.6 and OpenSSL 0.9.7. The parsing of unusual ASN.1 tag values can cause OpenSSL to crash. A remote attacker could trigger this bug by sending a carefully-crafted SSL client certificate to an application. The effects of such an attack vary depending on the application targeted; against Apache the effects are limited, as the attack would only cause child processes to die and be replaced. An attack against other applications that use OpenSSL could result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2003-0543 and CAN-2003-0544 to this issue.

[CAN-2003-0543 is the fix that prevents the tag from overflowing an int. CAN-2003-0544 is the fix that decrements the number of characters which can be read when the final long-form octet is read. Without this it can read one character past the end of the buffer whenever the long form is used.]

NISCC testing of implementations of the SSL protocol uncovered an additional bug in OpenSSL 0.9.7. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in deallocation of a structure, leading to a double free. A remote attacker could trigger this bug by sending a carefully-crafted SSL client certificate to an application. It may be possible for an attacker to exploit this issue to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0545 to this issue.

This will be RHSA-2003:293.

The errata http://rhn.redhat.com/errata/RHSA-2003-293.html was released shortly after 1200 UTC on 30th September. Making this bug public.
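The long-form ASN.1 tag parsing that the CAN-2003-0543 and CAN-2003-0544 fixes address, written out as an added example in C. This is not OpenSSL's code and is not taken from the errata; the function names, the result codes, the `tlv_hdr` struct and the byte strings are constructed for illustration. `decode_tag_unsafe` reproduces the two defects the bracketed note describes: an unbounded accumulator that is cast to `int`, and a byte budget that is not charged for the final tag octet, so the length octet that follows is read one past the declared end. `decode_tag_safe` adds the two checks. The unsafe variant is only ever run here on arrays that carry slack bytes after the declared length, so its over-read is observable as `consumed > max` instead of as a crash.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

enum { TAG_OK = 0, TAG_ERR_TRUNCATED = -1, TAG_ERR_OVERFLOW = -2 };

/* Decoded header: tag number, first octet of the length field, bytes used. */
struct tlv_hdr {
    int tag;
    unsigned char len0;
    size_t consumed;
};

/* Flawed decoder mirroring the two defects in the report (constructed, not
 * OpenSSL's code). 'max' is the number of bytes the caller says are readable
 * at p. Only call it on a buffer that has slack after p[max-1]. */
int decode_tag_unsafe(const unsigned char *p, size_t max, struct tlv_hdr *out)
{
    const unsigned char *start = p;
    unsigned long l = 0;
    if (max == 0)
        return TAG_ERR_TRUNCATED;
    if ((*p & 0x1f) == 0x1f) {              /* low 5 bits all set: long form */
        p++;
        if (--max == 0)
            return TAG_ERR_TRUNCATED;
        while (*p & 0x80) {                 /* continuation octets have bit 7 set */
            l = (l << 7) | (*p++ & 0x7f);   /* CAN-2003-0543: l is never bounded */
            if (--max == 0)
                return TAG_ERR_TRUNCATED;
        }
        l = (l << 7) | (*p++ & 0x7f);       /* final octet, bit 7 clear */
        out->tag = (int)l;                  /* CAN-2003-0543: silently truncated */
        /* CAN-2003-0544: max is not decremented for the final octet, so the
         * byte budget now overstates what is left by one. */
    } else {
        out->tag = *p++ & 0x1f;             /* short form: tag number in low 5 bits */
        if (--max == 0)
            return TAG_ERR_TRUNCATED;
    }
    out->len0 = *p++;                       /* may be p[max] of the caller's buffer */
    out->consumed = (size_t)(p - start);
    return TAG_OK;
}

/* Hardened decoder: same layout plus the two checks the fix adds. */
int decode_tag_safe(const unsigned char *p, size_t max, struct tlv_hdr *out)
{
    const unsigned char *start = p;
    unsigned long l = 0;
    if (max == 0)
        return TAG_ERR_TRUNCATED;
    if ((*p & 0x1f) == 0x1f) {
        p++;
        if (--max == 0)
            return TAG_ERR_TRUNCATED;
        while (*p & 0x80) {
            l = (l << 7) | (*p++ & 0x7f);
            if (--max == 0)
                return TAG_ERR_TRUNCATED;
            if (l > (unsigned long)(INT_MAX >> 7))  /* next 7 bits must still fit an int */
                return TAG_ERR_OVERFLOW;
        }
        l = (l << 7) | (*p++ & 0x7f);
        out->tag = (int)l;
        if (--max == 0)                     /* charge the final tag octet to the budget */
            return TAG_ERR_TRUNCATED;
    } else {
        out->tag = *p++ & 0x1f;
        if (--max == 0)
            return TAG_ERR_TRUNCATED;
    }
    out->len0 = *p++;                       /* now guaranteed inside the declared max */
    out->consumed = (size_t)(p - start);
    return TAG_OK;
}

/* Constructed inputs (not from the report); 0xee bytes are slack past 'max'. */
const unsigned char k_short[8]    = { 0x30, 0x03, 0xee, 0xee, 0xee, 0xee, 0xee, 0xee }; /* SEQUENCE, len 3 */
const unsigned char k_good[8]     = { 0x1f, 0x81, 0x01, 0x05, 0xee, 0xee, 0xee, 0xee }; /* tag 129, len 5 */
const unsigned char k_trunc[8]    = { 0x1f, 0x81, 0x01, 0xee, 0xee, 0xee, 0xee, 0xee }; /* declare max = 3 */
const unsigned char k_overflow[8] = { 0x1f, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0xee }; /* 35-bit tag */
struct tlv_hdr scratch;

int main(void)
{
    int rc = decode_tag_unsafe(k_trunc, 3, &scratch);
    printf("unsafe, max=3: rc=%d consumed=%zu (one byte past the declared end)\n", rc, scratch.consumed);
    rc = decode_tag_safe(k_trunc, 3, &scratch);
    printf("safe,   max=3: rc=%d (TAG_ERR_TRUNCATED=%d)\n", rc, TAG_ERR_TRUNCATED);
    rc = decode_tag_safe(k_good, 4, &scratch);
    printf("safe,   good : rc=%d tag=%d len0=%u consumed=%zu\n", rc, scratch.tag, scratch.len0, scratch.consumed);
    rc = decode_tag_safe(k_overflow, sizeof k_overflow, &scratch);
    printf("safe,   35-bit tag: rc=%d (TAG_ERR_OVERFLOW=%d)\n", rc, TAG_ERR_OVERFLOW);
    return 0;
}
```

The bound `l > INT_MAX >> 7` is checked before the next octet is shifted in, which is the only place it can be checked without first computing the overflowing value; it limits tag numbers to what fits in an `int` on the target, far beyond anything a real certificate uses, so rejecting rather than clamping costs nothing. The truncation check after the final octet is what keeps the subsequent length read inside the buffer: with the budget charged for every octet actually consumed, the caller's `max` and the pointer agree again.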
More details from the CERT VU#935264 and OpenSSL "secadv_20030930.txt" upstream advisories (http://www.kb.cert.org/vuls/id/935264, http://www.openssl.org/news/secadv_20030930.txt) for the CAN/CVE-2003-0545 issue:

> 1. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in the deallocation of the corresponding data structure, corrupting the stack. This can be used as a denial of service attack. It is currently unknown whether this can be exploited to run malicious code. This issue does not affect OpenSSL 0.9.6.

The CAN-2003-0545 (currently known as CVE-2003-0545) issue does NOT affect the versions of the openssl096 package, as shipped with Red Hat Enterprise Linux 2.1, 3, and 4.