Red Hat Bugzilla – Bug 104893
CAN-2003-0543/0544 OpenSSL ASN.1 protocol crashes
Last modified: 2009-05-15 07:02:46 EDT
Notified via NISCC on Sep12, NISCC 006489
CAN-2003-0543 OpenSSL 0.96/0.97 ASN.1 int overflow
CAN-2003-0544 OpenSSL 0.96/0.97 ASN.1 read one character
NISCC found two bugs in OpenSSL 0.9.6 which can be triggered by sending a
carefully crafted SSL client certificate containing an unusual ASN.1 tag
value, such a certificate, could cause an application using OpenSSL to terminate
RHSA-2003:293 in progress
Embargoed until November 4th 2003.
Actually this is embargoed until September 30th not November 4th (my mistake).
A better description of the issues:
NISCC testing of implementations of the SSL protocol uncovered two bugs in
OpenSSL 0.9.6 and OpenSSL 0.9.7. The parsing of unusual ASN.1 tag values
can cause OpenSSL to crash. A remote attacker could trigger this bug by
sending a carefully-crafted SSL client certificate to an application. The
effects of such an attack vary depending on the application targetted;
against Apache the effects are limited, as the attack would only cause
child processes to die and be replaced. An attack against other
applications that use OpenSSL could result in a Denial of Service. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the names CAN-2003-0543 and CAN-2003-0544 to this issue.
[CAN-2003-0543 is the fix that prevents the tag from overflowing an int.
CAN-2003-0544 is the fix that decrements the number of characters which can be
read when the final long form octet is read. Without this it can read one
character past end of buffer whenever the long form is used.]
NISCC testing of implementations of the SSL protocol uncovered an
additional bug in OpenSSL 0.9.7. Certain ASN.1 encodings that are rejected
as invalid by the parser can trigger a bug in deallocation of a structure,
leading to a double free. A remote attacker could trigger this bug by
sending a carefully-crafted SSL client certificate to an application. It
may be possible for an attacker to exploit this issue to execute arbitrary
code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0545 to this issue.
This will be RHSA-2003:293
was released shortly after 1200UTC on 30th September.
Making this bug public.
More details from the CERT VU#935264, OpenSSL "secadv_20030930.txt" upstream advisory (http://www.kb.cert.org/vuls/id/935264,
advisory for the CAN/CVE-2003-0545 issue:
1. Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6.
The CAN-2003-0545 (currently known as CVE-2003-0545) issue does NOT
affect the versions of the openssl096 package, as shipped with Red Hat
Enterprise Linux 2.1, 3, and 4.