Bug 1683804 (CVE-2019-1559) - CVE-2019-1559 openssl: 0-byte record padding oracle
Summary: CVE-2019-1559 openssl: 0-byte record padding oracle
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-1559
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1683805 1683806 1683807 1683808 1683962 1683963 1684986 1684987 1709065 1712021 1718148
Blocks: 1683809
Reported: 2019-02-27 21:01 UTC by Laura Pardo
Modified: 2019-09-29 15:08 UTC

Fixed In Version: openssl 1.0.2r
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 19:20:46 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2304 None None None 2019-08-06 12:38:43 UTC
Red Hat Product Errata RHSA-2019:2437 None None None 2019-08-12 11:54:17 UTC
Red Hat Product Errata RHSA-2019:2439 None None None 2019-08-12 11:54:47 UTC
Red Hat Product Errata RHSA-2019:2471 None None None 2019-08-13 14:59:03 UTC

Description Laura Pardo 2019-02-27 21:01:45 UTC
A vulnerability was found in OpenSSL 1.0.2. When an application encounters a fatal protocol error and then calls SSL_shutdown() twice, OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. This difference in behaviour can be detected by a remote peer, and this then amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable, "non-stitched" ciphersuites must be in use. Also, the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). AEAD ciphersuites are not impacted. This issue does not impact OpenSSL 1.1.1 or 1.1.0.


Upstream bug:
https://www.openssl.org/news/secadv/20190226.txt

Upstream Patch:
https://github.com/openssl/openssl/commit/e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e

Comment 1 Laura Pardo 2019-02-27 21:02:11 UTC
Created compat-openssl10 tracking bugs for this issue:

Affects: fedora-all [bug 1683808]


Created mingw-openssl tracking bugs for this issue:

Affects: epel-7 [bug 1683806]
Affects: fedora-all [bug 1683805]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1683807]

Comment 2 Huzaifa S. Sidhpurwala 2019-02-28 06:17:25 UTC
Note: https://github.com/RUB-NDS/TLS-Padding-Oracles

Comment 3 Huzaifa S. Sidhpurwala 2019-02-28 08:10:45 UTC
This is essentially a padding oracle flaw, which needs the following conditions for exploitation:

1. Non-stitched cipher suites are used. (https://software.intel.com/en-us/articles/improving-openssl-performance talks about stitching cipher suites)
2. AES-NI is not used.
3. Applications must call SSL_shutdown() twice even if a protocol error has occurred.
4. The attacker must be able to run a script in the victim's browser which sends requests to a vulnerable website. This can be achieved by tempting the victim to visit a malicious website. Second, the attacker must be able to modify requests sent by the browser and observe the server behavior. The second prerequisite is much harder to achieve, because the attacker must be an active Man-in-the-Middle.
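
An added triage example, not part of the original bug report or of OpenSSL: it checks a host against the preconditions listed above that can be observed from outside the application (upstream version before 1.0.2r, non-AEAD suites enabled, AES-NI absent). The function names, the name-based suite heuristic and the sample input are assumptions made for illustration; whether an application calls SSL_shutdown() twice after a fatal error still has to be checked in its source.

```python
import re
import ssl

FIXED = "r"  # from the page: "Fixed In Version: openssl 1.0.2r"
NO_CBC_PADDING = ("GCM", "CCM", "CHACHA20", "RC4", "NULL")  # AEAD, stream, or no cipher

def version_affected(version):
    """True for upstream OpenSSL 1.0.2 releases before 1.0.2r.
    Distribution builds backport fixes, so check vendor errata for those."""
    m = re.search(r"\b1\.0\.2([a-z]{0,2})\b", version)
    return bool(m) and len(m.group(1)) <= 1 and m.group(1) < FIXED

def uses_cbc_padding(suite):
    """Heuristic on OpenSSL suite names: anything not AEAD, RC4 or NULL is CBC."""
    return not any(tag in suite.upper() for tag in NO_CBC_PADDING)

def assess(version, suites, cpu_flags):
    """Combine the observable preconditions into one report."""
    cbc = [s for s in suites if uses_cbc_padding(s)]
    affected = version_affected(version)
    return {
        "version_affected": affected,
        "cbc_suites": cbc,               # AEAD suites are not impacted
        "aes_ni": "aes" in cpu_flags,    # condition 2: AES-NI is not used
        "needs_review": affected and bool(cbc),
    }

def local_cpu_flags(path="/proc/cpuinfo"):
    """CPU feature flags on Linux; empty set if the file is unavailable."""
    try:
        with open(path) as fh:
            for line in fh:
                if line.startswith("flags"):
                    return set(line.split(":", 1)[1].split())
    except OSError:
        pass
    return set()

# Constructed sample input (not taken from the bug report).
SAMPLE = assess("OpenSSL 1.0.2q  20 Nov 2018",
                ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "DES-CBC3-SHA"],
                {"fpu", "sse2"})

if __name__ == "__main__":
    names = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    print(assess(ssl.OPENSSL_VERSION, names, local_cpu_flags()))
    print(SAMPLE)
```

Run directly, it reports on the OpenSSL build linked into the local Python interpreter, which may differ from the library a given server process uses.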

Comment 4 Huzaifa S. Sidhpurwala 2019-02-28 08:10:53 UTC
External References:

https://www.openssl.org/news/secadv/20190226.txt
https://github.com/RUB-NDS/TLS-Padding-Oracles

Comment 13 Joshua Padman 2019-05-15 22:48:12 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Web Server 3 

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 23 errata-xmlrpc 2019-08-06 12:38:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2304 https://access.redhat.com/errata/RHSA-2019:2304

Comment 24 Product Security DevOps Team 2019-08-06 19:20:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1559

Comment 25 errata-xmlrpc 2019-08-12 11:54:15 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:2437 https://access.redhat.com/errata/RHSA-2019:2437

Comment 26 errata-xmlrpc 2019-08-12 11:54:44 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:2439 https://access.redhat.com/errata/RHSA-2019:2439

Comment 27 errata-xmlrpc 2019-08-13 14:59:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:2471 https://access.redhat.com/errata/RHSA-2019:2471

