Bug 1683804 (CVE-2019-1559)

Summary: CVE-2019-1559 openssl: 0-byte record padding oracle
Product: [Other] Security Response
Component: vulnerability
Reporter: Laura Pardo <lpardo>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Fixed In Version: openssl 1.0.2r
Doc Type: No Doc Update
Last Closed: 2019-08-06 19:20:46 UTC
CC: apmukher, bmcclain, cfeng, dawwu, dblechte, dchong, dereed, dfediuck, eedri, hkario, lersek, mgoldboi, michal.skrivanek, nbhumkar, philmd, rdlugyhe, sbonazzo, sherold, szidek, tmraz, tsorense, yozone, ysoni, yturgema
Bug Depends On: 1683805, 1683806, 1683807, 1683808, 1683962, 1683963, 1684986, 1684987, 1709065, 1712021, 1718148, 1803226, 1803227, 1803228
Bug Blocks: 1683809

Description Laura Pardo 2019-02-27 21:01:45 UTC
A vulnerability was found in OpenSSL 1.0.2. When an application encounters a fatal protocol error and then calls SSL_shutdown() twice, OpenSSL can respond differently to the calling application if a 0-byte record is received with invalid padding compared to if a 0-byte record is received with an invalid MAC. If this difference in behaviour can be detected by a remote peer, it amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable, "non-stitched" ciphersuites must be in use. Also, the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this, but some do anyway). AEAD ciphersuites are not impacted. This issue does not impact OpenSSL 1.1.1 or 1.1.0.

Upstream bug:
https://www.openssl.org/news/secadv/20190226.txt

Upstream Patch:
https://github.com/openssl/openssl/commit/e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e

Comment 1 Laura Pardo 2019-02-27 21:02:11 UTC
Created compat-openssl10 tracking bugs for this issue:

Affects: fedora-all [bug 1683808]


Created mingw-openssl tracking bugs for this issue:

Affects: epel-7 [bug 1683806]
Affects: fedora-all [bug 1683805]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1683807]

Comment 2 Huzaifa S. Sidhpurwala 2019-02-28 06:17:25 UTC
Note: https://github.com/RUB-NDS/TLS-Padding-Oracles

Comment 3 Huzaifa S. Sidhpurwala 2019-02-28 08:10:45 UTC
This is essentially a padding oracle flaw, which needs the following conditions for exploitation:

1. Non-stitched cipher suites are used. (https://software.intel.com/en-us/articles/improving-openssl-performance talks about stitching cipher suites)
2. AES-NI is not used.
3. Applications must call SSL_shutdown() twice even if a protocol error has occurred.
4. The attacker must be able to run a script in the victim's browser which sends requests to a vulnerable website. This can be achieved by tempting the victim to visit a malicious website. Second, the attacker must be able to modify requests sent by the browser and observe the server behavior. The second prerequisite is much harder to achieve, because the attacker must be an active Man-in-the-Middle.

Comment 4 Huzaifa S. Sidhpurwala 2019-02-28 08:10:53 UTC
External References:

https://www.openssl.org/news/secadv/20190226.txt
https://github.com/RUB-NDS/TLS-Padding-Oracles

Comment 13 Joshua Padman 2019-05-15 22:48:12 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Web Server 3

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 23 errata-xmlrpc 2019-08-06 12:38:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2304 https://access.redhat.com/errata/RHSA-2019:2304

Comment 24 Product Security DevOps Team 2019-08-06 19:20:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1559

Comment 25 errata-xmlrpc 2019-08-12 11:54:15 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:2437 https://access.redhat.com/errata/RHSA-2019:2437

Comment 26 errata-xmlrpc 2019-08-12 11:54:44 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:2439 https://access.redhat.com/errata/RHSA-2019:2439

Comment 27 errata-xmlrpc 2019-08-13 14:59:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:2471 https://access.redhat.com/errata/RHSA-2019:2471

Comment 28 errata-xmlrpc 2019-11-20 16:04:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2019:3931 https://access.redhat.com/errata/RHSA-2019:3931

Comment 29 errata-xmlrpc 2019-11-20 16:07:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.2 on RHEL 7
  Red Hat JBoss Web Server 5.2 on RHEL 6
  Red Hat JBoss Web Server 5.2 on RHEL 8

Via RHSA-2019:3929 https://access.redhat.com/errata/RHSA-2019:3929

Comment 31 Huzaifa S. Sidhpurwala 2020-03-31 03:10:40 UTC
Statement:

1. For this issue to be exploitable, the (server) application using the OpenSSL library needs to use it incorrectly.
2. There are multiple other requirements for the attack to succeed:
    - The ciphersuite used must be an obsolete CBC cipher without a stitched implementation (or the system must be in FIPS mode)
    - the attacker has to be a MITM
    - the attacker has to be able to control the client side to send requests to the buggy server on demand

Comment 32 Huzaifa S. Sidhpurwala 2020-03-31 03:12:34 UTC
Mitigation:

As a workaround you can disable SHA384 if applications (compiled with OpenSSL) allow for adjustment of the ciphersuite string configuration.