Bug 1331402 (CVE-2016-2108)

Summary: CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anemec, bbaranow, bmaxwell, cdewolf, chazlett, csutherl, daga, dahjelle.redhat.com, dandread, darran.lofthouse, devin, dknox, dosoudil, enagai, erik-fedora, fnasser, freiheit, gzaronik, hkario, huwang, jaeshin, jason.greene, jawilson, jclere, jdoyle, ktietz, lgao, marcandre.lureau, mbabacek, mdshaikh, mparkin, mturk, myarboro, pdwyer, pgier, psakar, pslavice, redhat-bugzilla, rex.na, rjones, rnetuka, rsvoboda, ryan.parman, sander, sardella, security-response-team, slawomir, tmraz, twalsh, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
See Also: https://issues.redhat.com/browse/JBCS-82
Whiteboard:
Fixed In Version: openssl 1.0.1o, openssl 1.0.2c Doc Type: Bug Fix
Doc Text:
A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-22 12:28:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1331569, 1331570, 1331865, 1331866, 1332398, 1332399, 1332588, 1332589, 1332590, 1332591, 1335811, 1337157, 1337158, 1366994    
Bug Blocks: 1330106, 1395463    
Attachments:
Description Flags
OpenSSL upstream fix for the second issue none

Description Tomas Hoger 2016-04-28 13:14:05 UTC 
Quoting form the draft of OpenSSL upstream advisory:

Memory corruption in the ASN.1 encoder (CVE-2016-2108)
======================================================

Severity: High

This issue affected versions of OpenSSL prior to April 2015. The bug
causing the vulnerability was fixed on April 18th 2015, and released
as part of the June 11th 2015 security releases. The security impact
of the bug was not known at the time.

In previous versions of OpenSSL, ASN.1 encoding the value zero
represented as a negative integer can cause a buffer underflow
with an out-of-bounds write in i2c_ASN1_INTEGER. The ASN.1 parser does
not normally create "negative zeroes" when parsing ASN.1 input, and
therefore, an attacker cannot trigger this bug.

However, a second, independent bug revealed that the ASN.1 parser
(specifically, d2i_ASN1_TYPE) can misinterpret a large universal tag
as a negative zero value. Large universal tags are not present in any
common ASN.1 structures (such as X509) but are accepted as part of ANY
structures.

Therefore, if an application deserializes untrusted ASN.1 structures
containing an ANY field, and later reserializes them, an attacker may
be able to trigger an out-of-bounds write. This has been shown to
cause memory corruption that is potentially exploitable with some
malloc implementations.

Applications that parse and re-encode X509 certificates are known to
be vulnerable. Applications that verify RSA signatures on X509
certificates may also be vulnerable; however, only certificates with
valid signatures trigger ASN.1 re-encoding and hence the
bug. Specifically, since OpenSSL's default TLS X509 chain verification
code verifies the certificate chain from root to leaf, TLS handshakes
could only be targeted with valid certificates issued by trusted
Certification Authorities.

OpenSSL 1.0.2 users should upgrade to 1.0.2c
OpenSSL 1.0.1 users should upgrade to 1.0.1o

This vulnerability is a combination of two bugs, neither of which
individually has security impact. The first bug (mishandling of
negative zero integers) was reported to OpenSSL by Huzaifa Sidhpurwala
(Red Hat) and independently by Hanno Böck in April 2015. The second
issue (mishandling of large universal tags) was found using libFuzzer,
and reported on the public issue tracker on March 1st 2016. The fact
that these two issues combined present a security vulnerability was
reported by David Benjamin (Google) on March 31st 2016. The fixes were
developed by Steve Henson of the OpenSSL development team, and David
Benjamin.  The OpenSSL team would also like to thank Mark Brand and
Ian Beer from the Google Project Zero team for their careful analysis
of the impact.

The fix for the "negative zero" memory corruption bug can be
identified by commits

3661bb4e7934668bd99ca777ea8b30eedfafa871 (1.0.2)
and
32d3b0f52f77ce86d53f38685336668d47c5bdfe (1.0.1)

End of quote.


Links to the mentioned commits correcting the "negative zero" memory corruption bug:

1.0.2: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3661bb4e7934668bd99ca777ea8b30eedfafa871
1.0.1: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=32d3b0f52f77ce86d53f38685336668d47c5bdfe

The report of the additional problem - mishandling of large universal tags:

https://rt.openssl.org/Ticket/Display.html?id=4364&user=guest&pass=guest

Includes proposed fix and the matching fix that was applied to BoringSSL:

https://boringssl.googlesource.com/boringssl/+/fb2c6f8c8565e1e2d85c24408050c96521acbcdc%5E!/
Comment 1 Tomas Hoger 2016-04-28 13:14:27 UTC 
Acknowledgments:

Name: the OpenSSL project
Upstream: Huzaifa Sidhpurwala (Red Hat), Hanno Böck, David Benjamin (Google)
Comment 2 Tomas Hoger 2016-04-28 13:17:29 UTC 
Created attachment 1151879 [details]
OpenSSL upstream fix for the second issue
Comment 12 Martin Prpič 2016-05-03 14:19:14 UTC 
External References:

https://openssl.org/news/secadv/20160503.txt
Comment 13 Martin Prpič 2016-05-03 14:27:45 UTC 
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1332590]
Comment 14 Martin Prpič 2016-05-03 14:27:57 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1332588]
Comment 15 Martin Prpič 2016-05-03 14:28:08 UTC 
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1332589]
Affects: epel-7 [bug 1332591]
Comment 16 Tomas Hoger 2016-05-04 13:32:18 UTC 
The additional upstream commit preventing creation of structures for negative zero:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=f5da52e308a6aeea6d5f3df98c4da295d7e9cc27
Comment 17 Fedora Update System 2016-05-04 18:51:43 UTC 
openssl-1.0.2h-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 Mike Parkin 2016-05-05 07:59:53 UTC 
Given that I am not familiar with every library/program that links to openssl on my server, do I need to consider a reboot after upgrading openssl (because an old version might be kept in memory) or is this taken care of by the operating system for me.

If so can anyone point to some documentation that explains how this works please?
Comment 19 Tomas Hoger 2016-05-05 08:15:17 UTC 
Bugzilla is not a support tool.  Please contact Red Hat Support with questions as the one above.  The following page lists multiple way to reach our Support:

https://access.redhat.com/support/
Comment 20 Fedora Update System 2016-05-07 11:38:53 UTC 
openssl-1.0.2h-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 21 errata-xmlrpc 2016-05-09 09:29:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0722 https://rhn.redhat.com/errata/RHSA-2016-0722.html
Comment 22 errata-xmlrpc 2016-05-10 04:20:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0996 https://rhn.redhat.com/errata/RHSA-2016-0996.html
Comment 26 Fedora Update System 2016-05-10 17:52:20 UTC 
openssl-1.0.1k-15.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2016-05-27 23:16:58 UTC 
openssl101e-1.0.1e-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 31 errata-xmlrpc 2016-05-31 05:58:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:1137 https://access.redhat.com/errata/RHSA-2016:1137
Comment 33 errata-xmlrpc 2016-10-12 17:00:38 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4.10

Via RHSA-2016:2056 https://rhn.redhat.com/errata/RHSA-2016-2056.html
Comment 34 errata-xmlrpc 2016-10-12 17:09:03 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2016:2054 https://rhn.redhat.com/errata/RHSA-2016-2054.html
Comment 35 errata-xmlrpc 2016-10-12 17:19:51 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2016:2055 https://rhn.redhat.com/errata/RHSA-2016-2055.html
Comment 38 errata-xmlrpc 2016-10-18 07:09:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:2073 https://rhn.redhat.com/errata/RHSA-2016-2073.html
Comment 42 errata-xmlrpc 2016-12-15 22:17:15 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html
Comment 43 errata-xmlrpc 2017-01-25 20:05:30 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2017:0194 https://access.redhat.com/errata/RHSA-2017:0194
Comment 44 errata-xmlrpc 2017-01-25 20:07:01 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2017:0193 https://access.redhat.com/errata/RHSA-2017:0193