Bug 1369855 (CVE-2016-6302)

Summary: CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: apmukher, bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, dosoudil, erik-fedora, gzaronik, jaeshin, jawilson, jclere, ktietz, lersek, lgao, marcandre.lureau, mbabacek, mturk, myarboro, pgier, psakar, pslavice, redhat-bugzilla, rjones, rnetuka, rsvoboda, sardella, slawomir, tmraz, twalsh, vtunka, weli, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: openssl 1.0.1u, openssl 1.0.2i
Doc Type: If docs needed, set a value
Doc Text:
An integer underflow flaw leading to a buffer over-read was found in the way OpenSSL parsed TLS session tickets. A remote attacker could use this flaw to crash a TLS server using OpenSSL if it used SHA-512 as HMAC for session tickets.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:57:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1369858, 1369860, 1369861, 1377623, 1377624, 1377625, 1377626, 1381802, 1381803    
Bug Blocks: 1367347    

Description Adam Mariš 2016-08-24 14:37:58 UTC
It was found that if a ticket callback changes the HMAC digest to SHA512 the existing sanity checks are not sufficient and an attacker could perform a DoS attack with a malformed ticket.

Upstream patch:

https://github.com/openssl/openssl/commit/1bbe48ab149893a78bf99c8eb8895c928900a16f

Comment 1 Adam Mariš 2016-08-24 14:40:09 UTC
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1369861]

Comment 2 Adam Mariš 2016-08-24 14:40:23 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1369858]

Comment 3 Adam Mariš 2016-08-24 14:40:33 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1369860]

Comment 4 Tomas Hoger 2016-09-16 20:55:13 UTC
Support for session tickets / RFC4507, and hence the affected code, was introduced in version 0.9.8f.  Therefore openssl packages in Red Hat Enterprise Linux 5 and earlier are not affected.

Comment 5 Tomas Hoger 2016-09-19 12:26:50 UTC
tls_decrypt_ticket() previously checked that the length of the ticket is at least 48 bytes.  There is an HMAC value stored at the end of the ticket value.  The mlen variable is used to store the length of the mac:

  mlen = HMAC_size(&hctx);

By default, OpenSSL uses SHA-256 for HMAC, or SHA-1 if SHA-256 support is not available.  It does not seem to be using SHA-512 normally.

The length of the mac is subtracted from the ticket length to get the length of the ticket data to be protected by HMAC.  The relevant code is:

  eticklen -= mlen;

This is ok for SHA-1 and SHA-256, but can underflow for SHA-512, where mlen is 64.  So eticklen can become negative, and when subsequently passed to HMAC_Update() it's cast to a large positive size_t value, leading to a long buffer over-read and program crash.
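
The following is an added worked example, not code from this bug report or from OpenSSL. It models only the length arithmetic described in Comment 5 and in the Doc Text: a 48-byte minimum ticket length checked first, the MAC length subtracted afterwards, and the resulting signed value handed to HMAC_Update() as a size_t. The helper names (hmac_size_for, vulnerable_protected_len, hardened_protected_len, as_hmac_update_len, read_in_bounds) and the ticket_digest enum are hypothetical stand-ins; the hardened check is illustrative and is not the upstream patch. The 48-byte ticket used as input is constructed to be the smallest value that passes the old check.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimum ticket length that tls_decrypt_ticket() checked before the fix
 * (value taken from the comment above). */
#define TICKET_MIN_LEN 48

/* Hypothetical enum standing in for the digest a ticket callback selects. */
enum ticket_digest { TD_SHA1 = 0, TD_SHA256 = 1, TD_SHA512 = 2 };

/* HMAC output size in bytes for the digests named in the comment
 * (the role HMAC_size(&hctx) plays in the real code). */
int hmac_size_for(enum ticket_digest d)
{
    switch (d) {
    case TD_SHA1:   return 20;
    case TD_SHA256: return 32;
    case TD_SHA512: return 64;
    }
    return -1;
}

/* Pre-fix arithmetic: only the 48-byte floor is checked before mlen is
 * subtracted, so a 48-byte ticket with a 64-byte MAC yields -16. */
int vulnerable_protected_len(int eticklen, int mlen)
{
    if (eticklen < TICKET_MIN_LEN)
        return -1;              /* rejected as too short */
    eticklen -= mlen;           /* underflows when mlen > eticklen */
    return eticklen;
}

/* What HMAC_Update() receives: the (possibly negative) int converted to size_t. */
size_t as_hmac_update_len(int len)
{
    return (size_t)len;
}

/* Illustrative hardened check (not the exact upstream patch): refuse any
 * ticket that does not leave a positive amount of data in front of the MAC. */
int hardened_protected_len(int eticklen, int mlen)
{
    if (mlen <= 0 || eticklen < TICKET_MIN_LEN || eticklen <= mlen)
        return -1;
    return eticklen - mlen;
}

/* Would reading `len` bytes from a buffer of `buflen` bytes stay in bounds? */
int read_in_bounds(size_t len, size_t buflen)
{
    return len <= buflen;
}

int main(void)
{
    /* Constructed input: the smallest ticket length the old check accepts. */
    const int ticket_len = TICKET_MIN_LEN;
    enum ticket_digest digests[] = { TD_SHA1, TD_SHA256, TD_SHA512 };
    const char *names[] = { "SHA-1", "SHA-256", "SHA-512" };

    for (int i = 0; i < 3; i++) {
        int mlen = hmac_size_for(digests[i]);
        int vuln = vulnerable_protected_len(ticket_len, mlen);
        int hard = hardened_protected_len(ticket_len, mlen);
        size_t upd = as_hmac_update_len(vuln);
        printf("%-8s mlen=%2d  old: eticklen=%4d -> HMAC_Update len=%zu (%s)  new: %s\n",
               names[i], mlen, vuln, upd,
               read_in_bounds(upd, (size_t)ticket_len) ? "in bounds" : "OUT OF BOUNDS",
               hard < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

With SHA-1 and SHA-256 the subtraction leaves 28 and 16 bytes to authenticate, both inside the 48-byte buffer. With SHA-512 the old arithmetic produces -16, which becomes a size_t close to SIZE_MAX once it reaches HMAC_Update(), so the MAC computation reads far past the ticket; the hardened variant rejects that ticket before any subtraction is used as a length.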

Comment 7 Tomas Hoger 2016-09-22 12:06:02 UTC
Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.


Malformed SHA512 ticket DoS (CVE-2016-6302)
===========================================

Severity: Low

If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
DoS attack where a malformed ticket will result in an OOB read which will
ultimately crash.

The use of SHA512 in TLS session tickets is comparatively rare as it requires
a custom server callback and ticket lookup mechanism.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 19th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.


External References:

https://www.openssl.org/news/secadv/20160922.txt

Comment 8 errata-xmlrpc 2016-09-27 13:54:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html

Comment 10 errata-xmlrpc 2018-07-12 16:04:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187

Comment 11 errata-xmlrpc 2018-07-12 16:14:15 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186

Comment 12 errata-xmlrpc 2018-07-12 16:16:37 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185