A flaw was found in the way OpenSSL (client side code) parsed TLS SRP extension packets. The ServerHello indicated that it intended to use an SRP ciphersuite, but SRP parameters were omitted. When a client connected to such a server, which offered SRP ciphersuites, this could cause the client to crash.

Acknowledgements: Red Hat would like to thank the CERT Coordination Center (CERT/CC) for reporting this issue.
The version of openssl as shipped with Red Hat Enterprise Linux 5, 6, and 7 does not support the Secure Remote Password (SRP) protocol as an authentication method for the Transport Layer Security protocol and therefore is not affected.
This issue does not affect the version of openssl as shipped with Fedora 19 and Fedora 20.
Public now via upstream commit:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=80bd7b41b30af6ee96f519e629463583318de3b0

It seems this issue got another duplicate CVE id CVE-2014-5139 (bug 1127491) assigned to this issue by OpenSSL upstream.
Note that SRP support was introduced upstream in version 1.0.1.
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=edc032b
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0deea0e
CVE-2014-2970 was also incorrectly used to refer to the LibreSSL PRNG re-seeding issue described in:
https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
http://arstechnica.com/security/2014/07/only-a-few-days-old-openssl-fork-libressl-is-declared-unsafe-for-linux/

Because of the incorrect use, the id has already been rejected as duplicate:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2970

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality for certain process-bifurcation use cases that might arise in future LibreSSL-based applications. There is no CVE ID associated with this LibreSSL code change. As of 20140730, CVE-2014-5139 is an undisclosed vulnerability in a different product, with ongoing vulnerability coordination that had previously used the CVE-2014-2970 ID.
*** This bug has been marked as a duplicate of bug 1127491 ***