Bug 1310811 (CVE-2016-0703) - CVE-2016-0703 openssl: Divide-and-conquer session key recovery in SSLv2
Summary: CVE-2016-0703 openssl: Divide-and-conquer session key recovery in SSLv2
Keywords:
Status: NEW
Alias: CVE-2016-0703
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1301847
Reported: 2016-02-22 17:20 UTC by Adam Mariš
Modified: 2019-09-29 13:44 UTC (History)
CC List: 27 users

Fixed In Version: openssl 1.0.2a, openssl 1.0.1m, openssl 1.0.0r, openssl 0.9.8zf
Doc Type: Bug Fix
Doc Text:
It was discovered that SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated a non-zero clear-key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle.
Clone Of:
Environment:
Last Closed:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0303 normal SHIPPED_LIVE Important: openssl security update 2016-03-01 19:45:41 UTC
Red Hat Product Errata RHSA-2016:0304 normal SHIPPED_LIVE Important: openssl security update 2016-03-01 19:45:06 UTC
Red Hat Product Errata RHSA-2016:0306 normal SHIPPED_LIVE Important: openssl security update 2016-03-01 19:44:56 UTC
Red Hat Product Errata RHSA-2016:0372 normal SHIPPED_LIVE Important: openssl098e security update 2016-03-09 09:08:29 UTC

Description Adam Mariš 2016-02-22 17:20:13 UTC
Quoting upstream advisory:

This issue only affected versions of OpenSSL prior to March 19th 2015 at which
time the code was refactored to address vulnerability CVE-2015-0293.

s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If
clear-key bytes are present for these ciphers, they *displace* encrypted-key
bytes. This leads to an efficient divide-and-conquer key recovery attack: if an
eavesdropper has intercepted an SSLv2 handshake, they can use the server as an
oracle to determine the SSLv2 master-key, using only 16 connections to the
server and negligible computation.

More importantly, this leads to a more efficient version of DROWN that is
effective against non-export ciphersuites, and requires no significant
computation.

This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all
earlier versions.  It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf
(released March 19th 2015).

This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J.
Alex Halderman of the University of Michigan.  The underlying defect had by
then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015.  The fix
for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d
(1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf).
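
To make the displacement concrete, the following is an added C model (not OpenSSL's own code) of how an SSLv2 server assembles the master key from CLIENT-MASTER-KEY, with the pre-fix length rule and the fixed rule side by side; the 16-byte key length, the 0xAA/0x55 marker bytes and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#define SSL2_EXPORT_SECRET_LEN 5  /* 40-bit secret part of an SSLv2 export key */
#define SSL2_DEMO_KEY_LEN 16      /* assumed: a 128-bit non-export cipher key */

/* Model of how the server builds the SSLv2 master key from CLIENT-MASTER-KEY:
 * CLEAR-KEY-DATA goes to the front of the buffer, the RSA-decrypted
 * ENCRYPTED-KEY-DATA is written right after it, and only key_len bytes are
 * used.  strict == 0 models the pre-fix s2_srvr.c rule quoted above (clear_len
 * not forced to 0 for non-export ciphers, so clear bytes displace the tail of
 * the secret); strict == 1 models the fixed rule.  Returns -1 on rejection. */
int sslv2_assemble_master_key(int strict, int is_export, const unsigned char *clear,
                              size_t clear_len, const unsigned char *secret,
                              size_t secret_len, size_t key_len, unsigned char *out)
{
    if (clear_len > key_len)
        return -1;
    if (is_export) {
        /* Export: exactly 40 secret bits, and clear + secret fills the key. */
        if (secret_len != SSL2_EXPORT_SECRET_LEN || clear_len + secret_len != key_len)
            return -1;
    } else {
        /* Non-export: the decrypted part must already be the whole key... */
        if (secret_len != key_len)
            return -1;
        /* ...and the fixed server refuses any clear-key bytes at all. */
        if (strict && clear_len != 0)
            return -1;
    }
    memcpy(out, clear, clear_len);
    memcpy(out + clear_len, secret, key_len - clear_len); /* secret tail dropped */
    return (int)key_len;
}

/* One scenario with constructed key material (clear bytes 0xAA, secret 0x55).
 * Returns -1 if the server rejects the message, else how many of the 16
 * master-key bytes are clear bytes, i.e. how many secret bytes were displaced. */
int sslv2_clear_bytes_in_master_key(int strict, int is_export,
                                    size_t clear_len, size_t secret_len)
{
    unsigned char clear[64], secret[64], out[SSL2_DEMO_KEY_LEN];
    int n = 0, i;
    memset(clear, 0xAA, sizeof(clear));
    memset(secret, 0x55, sizeof(secret));
    if (sslv2_assemble_master_key(strict, is_export, clear, clear_len, secret,
                                  secret_len, SSL2_DEMO_KEY_LEN, out) < 0)
        return -1;
    for (i = 0; i < SSL2_DEMO_KEY_LEN; i++)
        n += (out[i] == 0xAA);
    return n;
}
```

With strict == 0 a non-export handshake carrying 15 clear-key bytes leaves only one secret byte in the master key, which is exactly why the server can be used as an oracle; with strict == 1 the same message is rejected.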

Comment 1 Tomas Mraz 2016-02-23 08:45:14 UTC
We have the CVE-2015-0293 fix applied.

Comment 2 Tomas Hoger 2016-02-25 20:23:38 UTC
CVE-2015-0293 is tracked via bug 1202404.  For upstream commit correcting this issue, see bug 1202404 comment 5.

Comment 3 Martin Prpič 2016-02-29 12:34:47 UTC
Acknowledgments:

Name: the OpenSSL project
Upstream: David Adrian (University of Michigan), J. Alex Halderman (University of Michigan)

Comment 4 Huzaifa S. Sidhpurwala 2016-03-01 14:14:10 UTC
External References:

https://www.openssl.org/news/secadv/20160301.txt

Comment 5 errata-xmlrpc 2016-03-01 14:47:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4 Extended Lifecycle Support

Via RHSA-2016:0306 https://rhn.redhat.com/errata/RHSA-2016-0306.html

Comment 6 errata-xmlrpc 2016-03-01 14:48:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6 Long Life
  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2016:0304 https://rhn.redhat.com/errata/RHSA-2016-0304.html

Comment 7 errata-xmlrpc 2016-03-01 14:50:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2016:0303 https://rhn.redhat.com/errata/RHSA-2016-0303.html

Comment 8 Huzaifa S. Sidhpurwala 2016-03-01 14:56:42 UTC
Statement:

(none)

Comment 9 errata-xmlrpc 2016-03-09 04:09:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:0372 https://rhn.redhat.com/errata/RHSA-2016-0372.html

Comment 10 Harkanwal 2016-06-13 06:23:39 UTC
By any chance, will these fixes be available for the CentOS 6 distribution? Any ETA for the same?

Thanks

Comment 11 Harkanwal 2016-09-09 06:01:20 UTC
Gentle reminder: any information on when the fix would be available in the CentOS 6 distribution?

Comment 12 Tomas Mraz 2016-09-09 08:02:39 UTC
If you look at the changelog of the current openssl in CentOS, you can see there is a fix for CVE-2015-0293, which means this package is not vulnerable to CVE-2016-0703.

Comment 13 Harkanwal 2016-09-09 08:10:17 UTC
(In reply to Tomas Mraz from comment #12)
> If you look at the changelog of the current openssl in CentOS you can see
> there is fix for CVE-2015-0293 which means this package is not vulnerable to
> CVE-2016-0703.

Thanks Tomas. If you could also provide insight on CVE-2016-0704 (Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=1310814), I would be grateful.

