Bug 1087195 (CVE-2010-5298)

Summary: CVE-2010-5298 openssl: freelist misuse causing a possible use-after-free
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aavati, acathrow, aneelica, anil.saldhana, bazulay, carnil, cdewolf, cfergeau, cpelland, darran.lofthouse, dblechte, dgregor, dsirrine, erik-fedora, fnasser, gklein, huwang, idith, iheim, jawilson, jboggs, jclere, jdoyle, jgreguske, jkurik, jrusnack, ktietz, lfarkas, lgao, myarboro, nlevinki, pgier, pmatouse, pslavice, redhat-bugzilla, rfortier, rhs-bugs, rh-spice-bugs, rjones, rsvoboda, ssaha, tmraz, vbellur, vtunka, weli, yeylon
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl 1.0.1h, openssl 1.0.0m Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-11 05:19:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1096233, 1096234, 1103604, 1103605, 1103632, 1103633, 1103741, 1104349, 1104350, 1127889    
Bug Blocks: 1087207, 1103601    

Description Huzaifa S. Sidhpurwala 2014-04-14 06:21:04 UTC
The following security advisory was reported by OpenBSD:

OpenBSD 5.4 errata 8, Apr 12, 2014:  A use-after-free race condition in OpenSSL's read buffer may permit an attacker to inject data from one connection into another.

Reference:

http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/008_openssl.patch
http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse

Comment 1 Huzaifa S. Sidhpurwala 2014-04-14 06:48:51 UTC
Analysis:

openssl does its own memory management and maintains a LIFO freelist of buffers available.

In ssl3_read_bytes(), it released buffer even if there is some data available inside it.

Later in s3_pkt.c:1058, ssl3_release_read_buffer() is called to allocate another buffer. In a single threaded application the same buffer would be allocated and openssl continues to read valid data from it.

However in a multi-thread context or when openssl is compiled with OPENSSL_NO_BUF_FREELISTS which makes it uses system memory management, when a buffer is re-malloced, the old data is gone, at this point openssl bails out and TLS session is broken.

I don't think this is exploitable. Could be exploitable only if the re-malloced buffer is not initialized and sent out on the wire, but I don't see that happening anywhere.

Comment 2 Tomas Mraz 2014-04-14 08:55:10 UTC
I don't think this is exploitable. The concurrent thread (if using the data properly) would not reuse the buffer contents and will overwrite it with its own ciphertext data. This will cause parsing error in the original thread when it will try to read the data later.

Comment 3 Tomas Hoger 2014-04-14 20:46:14 UTC
CVE-2010-5298 was assigned to this issue.

Comment 7 Tomas Hoger 2014-05-09 13:24:21 UTC
The support for freelist was introduced as part of the "Memory saving patch" added in OpenSSL version 1.0.0:

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8671b89

Therefore, this issue does not affect openssl packages in Red Hat Enterprise Linux 5 or earlier, that are based on upstream version 0.9.8 and earlier and does not contain affected code.

This problem can only occur when application enables SSL_MODE_RELEASE_BUFFERS mode, which is not the default.  As noted in bug 1093837 comment 1, few applications shipped as part of Red Hat Enterprise Linux 6 do so.  Additionally, single-threaded applications using this mode are usually not affected either.

The buffer re-used is read buffer where packet data is stored.  If the TLS/SSL connection is already established and encrypted data is expected, encrypted data from different concurrent TLS/SSL would not decrypt successfully.  Data re-use during handshake may proceed further, but TLS/SSL already contains mechanisms to prevent handshake from completing if any data is injected.

There currently does not seem to be any reports to indicate conditions under which this can have worse impact than aborted connection.

Comment 8 Tomas Hoger 2014-05-09 13:49:26 UTC
Statement:

This issue did not affect the openssl packages shipped with Red Hat Enterprise Linux 5.

Comment 9 Tomas Hoger 2014-05-09 13:53:28 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1096233]

Comment 10 Tomas Hoger 2014-05-09 13:53:38 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1096234]

Comment 15 Tomas Hoger 2014-06-05 11:44:15 UTC
Fixed upstream in OpenSSL 1.0.1h and 1.0.0m.

External References:

https://www.openssl.org/news/secadv_20140605.txt

Comment 16 errata-xmlrpc 2014-06-05 11:53:56 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0625 https://rhn.redhat.com/errata/RHSA-2014-0625.html

Comment 17 errata-xmlrpc 2014-06-05 12:15:47 UTC
This issue has been addressed in following products:

  Red Hat Storage 2.1

Via RHSA-2014:0628 https://rhn.redhat.com/errata/RHSA-2014-0628.html

Comment 18 Fedora Update System 2014-06-05 21:53:39 UTC
openssl-1.0.1e-38.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2014-06-05 21:54:34 UTC
openssl-1.0.1e-38.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 errata-xmlrpc 2014-06-10 12:25:16 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0679 https://rhn.redhat.com/errata/RHSA-2014-0679.html