Bug 1087195 (CVE-2010-5298) - CVE-2010-5298 openssl: freelist misuse causing a possible use-after-free
Summary: CVE-2010-5298 openssl: freelist misuse causing a possible use-after-free
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-5298
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1096233 1096234 1103604 1103605 1103632 1103633 1103741 1104349 1104350 1127889
Blocks: 1087207 1103601
TreeView+ depends on / blocked
 
Reported: 2014-04-14 06:21 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-17 06:41 UTC (History)
46 users (show)

Fixed In Version: openssl 1.0.1h, openssl 1.0.0m
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-11 05:19:46 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0625 0 normal SHIPPED_LIVE Important: openssl security update 2014-06-05 15:50:21 UTC
Red Hat Product Errata RHSA-2014:0628 0 normal SHIPPED_LIVE Important: openssl security update 2014-06-05 16:12:30 UTC
Red Hat Product Errata RHSA-2014:0679 0 normal SHIPPED_LIVE Important: openssl security update 2014-06-10 16:23:51 UTC

Description Huzaifa S. Sidhpurwala 2014-04-14 06:21:04 UTC
The following security advisory was reported by OpenBSD:

OpenBSD 5.4 errata 8, Apr 12, 2014:  A use-after-free race condition in OpenSSL's read buffer may permit an attacker to inject data from one connection into another.

Reference:

http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/008_openssl.patch
http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse

Comment 1 Huzaifa S. Sidhpurwala 2014-04-14 06:48:51 UTC
Analysis:

openssl does its own memory management and maintains a LIFO freelist of buffers available.

In ssl3_read_bytes(), it released buffer even if there is some data available inside it.

Later in s3_pkt.c:1058, ssl3_release_read_buffer() is called to allocate another buffer. In a single threaded application the same buffer would be allocated and openssl continues to read valid data from it.

However in a multi-thread context or when openssl is compiled with OPENSSL_NO_BUF_FREELISTS which makes it uses system memory management, when a buffer is re-malloced, the old data is gone, at this point openssl bails out and TLS session is broken.

I don't think this is exploitable. Could be exploitable only if the re-malloced buffer is not initialized and sent out on the wire, but I don't see that happening anywhere.

Comment 2 Tomas Mraz 2014-04-14 08:55:10 UTC
I don't think this is exploitable. The concurrent thread (if using the data properly) would not reuse the buffer contents and will overwrite it with its own ciphertext data. This will cause parsing error in the original thread when it will try to read the data later.

Comment 3 Tomas Hoger 2014-04-14 20:46:14 UTC
CVE-2010-5298 was assigned to this issue.

Comment 7 Tomas Hoger 2014-05-09 13:24:21 UTC
The support for freelist was introduced as part of the "Memory saving patch" added in OpenSSL version 1.0.0:

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8671b89

Therefore, this issue does not affect openssl packages in Red Hat Enterprise Linux 5 or earlier, that are based on upstream version 0.9.8 and earlier and does not contain affected code.

This problem can only occur when application enables SSL_MODE_RELEASE_BUFFERS mode, which is not the default.  As noted in bug 1093837 comment 1, few applications shipped as part of Red Hat Enterprise Linux 6 do so.  Additionally, single-threaded applications using this mode are usually not affected either.

The buffer re-used is read buffer where packet data is stored.  If the TLS/SSL connection is already established and encrypted data is expected, encrypted data from different concurrent TLS/SSL would not decrypt successfully.  Data re-use during handshake may proceed further, but TLS/SSL already contains mechanisms to prevent handshake from completing if any data is injected.

There currently does not seem to be any reports to indicate conditions under which this can have worse impact than aborted connection.

Comment 8 Tomas Hoger 2014-05-09 13:49:26 UTC
Statement:

This issue did not affect the openssl packages shipped with Red Hat Enterprise Linux 5.

Comment 9 Tomas Hoger 2014-05-09 13:53:28 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1096233]

Comment 10 Tomas Hoger 2014-05-09 13:53:38 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1096234]

Comment 15 Tomas Hoger 2014-06-05 11:44:15 UTC
Fixed upstream in OpenSSL 1.0.1h and 1.0.0m.

External References:

https://www.openssl.org/news/secadv_20140605.txt

Comment 16 errata-xmlrpc 2014-06-05 11:53:56 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0625 https://rhn.redhat.com/errata/RHSA-2014-0625.html

Comment 17 errata-xmlrpc 2014-06-05 12:15:47 UTC
This issue has been addressed in following products:

  Red Hat Storage 2.1

Via RHSA-2014:0628 https://rhn.redhat.com/errata/RHSA-2014-0628.html

Comment 18 Fedora Update System 2014-06-05 21:53:39 UTC
openssl-1.0.1e-38.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2014-06-05 21:54:34 UTC
openssl-1.0.1e-38.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 errata-xmlrpc 2014-06-10 12:25:16 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0679 https://rhn.redhat.com/errata/RHSA-2014-0679.html


Note You need to log in before you can comment on or make changes to this bug.