Bug 834062 (CVE-2011-5095)

Summary: CVE-2011-5095 openssl: weak public value accepted during Diffie Hellman key exchange
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: knoha, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-22 15:13:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 834066    

Description Vincent Danen 2012-06-20 18:12:16 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-5095 to
the following vulnerability:

Name: CVE-2011-5095
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5095
Assigned: 20120620
Reference: http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
Reference: http://www.nessus.org/plugins/index.php?view=single&id=53360
Reference: https://discussions.nessus.org/thread/3381

The Diffie-Hellman key-exchange implementation in OpenSSL 0.9.8, when
FIPS mode is enabled, does not properly validate a public parameter,
which makes it easier for man-in-the-middle attackers to obtain the
shared secret key by modifying network traffic, a related issue to
CVE-2011-1923.
Comment 1 Tomas Mraz 2012-06-20 18:38:18 UTC 
Note that this bug is fixed in the openssl package since 0.9.8e-20.el5 version.
It is not fixed in the compat openssl098e package in RHEL-6 as it was not a serious problem.
Comment 2 Tomas Mraz 2012-06-20 18:39:25 UTC 
See bug 698175.
Comment 3 Vincent Danen 2012-06-20 21:38:57 UTC 
Tomas, thanks for that.  That means for RHEL5 this was addressed via http://rhn.redhat.com/errata/RHBA-2011-1010.html.

We'll defer this for RHEL6's openssl098e package.  Does this also mean that openssl097a is not affected?
Comment 4 Tomas Mraz 2012-06-21 08:31:39 UTC 
Actually openssl097a is affected - the dh key check is not there at all.
Comment 5 Tomas Hoger 2012-06-22 15:13:17 UTC 
(In reply to comment #4)
> Actually openssl097a is affected - the dh key check is not there at all.

It seems DH_check_pub_key was introduced in 0.9.8a:
  http://cvs.openssl.org/chngview?cn=14375

As noted above, this is fixed in current Red Hat Enterprise Linux 5 and 6 openssl packages.  There is no plan to add the fix to older Red Hat Enterprise Linux versions already in the Extended Life Phase, or in the compat packages.

This is not handled as a security flaw, as as indicated in the above comments and in bug 698175, this may cause SSL/TLS client or server to accept weak DH public value during the DH key exchange, but it's not sufficient by itself to conduct MITM attack.

Statement:

This issue was addressed in Red Hat Enterprise Linux 5 openssl packages via RHBA-2011:1010, bug 698175. It did not affect openssl packages shipped with Red Hat Enterprise Linux 6.