Bug 1369855 (CVE-2016-6302) - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks
Summary: CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks
Status: NEW
Alias: CVE-2016-6302
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160823,repor...
Keywords: Security
Depends On: 1381802 1381803 1369858 1369860 1369861 1377623 1377624 1377625 1377626
Blocks: 1367347
TreeView+ depends on / blocked
 
Reported: 2016-08-24 14:37 UTC by Adam Mariš
Modified: 2018-08-16 04:59 UTC (History)
34 users (show)

(edit)
An integer underflow flaw leading to a buffer over-read was found in the way OpenSSL parsed TLS session tickets. A remote attacker could use this flaw to crash a TLS server using OpenSSL if it used SHA-512 as HMAC for session tickets.
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1940 normal SHIPPED_LIVE Important: openssl security update 2016-09-27 17:46:00 UTC
Red Hat Knowledge Base (Solution) 2662211 None None None 2016-09-28 00:43 UTC
Red Hat Product Errata RHSA-2018:2185 None None None 2018-07-12 16:16 UTC
Red Hat Product Errata RHSA-2018:2186 None None None 2018-07-12 16:14 UTC
Red Hat Product Errata RHSA-2018:2187 None None None 2018-07-12 16:05 UTC

Description Adam Mariš 2016-08-24 14:37:58 UTC
It was found that if a ticket callback changes the HMAC digest to SHA512 the existing sanity checks are not sufficient and an attacker could perform a DoS attack with a malformed ticket.

Upstream patch:

https://github.com/openssl/openssl/commit/1bbe48ab149893a78bf99c8eb8895c928900a16f

Comment 1 Adam Mariš 2016-08-24 14:40:09 UTC
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1369861]

Comment 2 Adam Mariš 2016-08-24 14:40:23 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1369858]

Comment 3 Adam Mariš 2016-08-24 14:40:33 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1369860]

Comment 4 Tomas Hoger 2016-09-16 20:55:13 UTC
Support for session tickets / RFC4507, and hence the affected code was introduced in version 0.9.8f.  Therefore openssl packages in Red Hat Enterprise Linux 5 and earlier are not affected.

Comment 5 Tomas Hoger 2016-09-19 12:26:50 UTC
tls_decrypt_ticket() previously checked that the length of the ticket is at least 48 bytes.  There is HMAC value stored at the end of the ticket value.  mlen variable is used to store the length of the mac:

  mlen = HMAC_size(&hctx);

By default, OpenSSL uses SHA-256 for HMAC, or SHA-1 if SHA-256 support is not available.  It does not seem to be using SHA-512 normally.

The length of the mac is subtracted from the ticket length to get the length of the ticket data to protected by HMAC.  The relevant code is:

  eticklen -= mlen;

This is ok for SHA-1 and SHA-256, but can underflow for SHA-512, where mlen is 64.  So eticklen can become negative, and when subsequently passed to HMAC_Update() it's cased to large positive size_t value, leading to buffer long over-read and program crash.

Comment 7 Tomas Hoger 2016-09-22 12:06:02 UTC
Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.


Malformed SHA512 ticket DoS (CVE-2016-6302)
===========================================

Severity: Low

If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
DoS attack where a malformed ticket will result in an OOB read which will
ultimately crash.

The use of SHA512 in TLS session tickets is comparatively rare as it requires
a custom server callback and ticket lookup mechanism.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 19th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.


External References:

https://www.openssl.org/news/secadv/20160922.txt

Comment 8 errata-xmlrpc 2016-09-27 13:54:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html

Comment 10 errata-xmlrpc 2018-07-12 16:04:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187

Comment 11 errata-xmlrpc 2018-07-12 16:14:15 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186

Comment 12 errata-xmlrpc 2018-07-12 16:16:37 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185


Note You need to log in before you can comment on or make changes to this bug.