Bug 1310811 (CVE-2016-0703) - CVE-2016-0703 openssl: Divide-and-conquer session key recovery in SSLv2
Summary: CVE-2016-0703 openssl: Divide-and-conquer session key recovery in SSLv2
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-0703
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1301847
TreeView+ depends on / blocked
 
Reported: 2016-02-22 17:20 UTC by Adam Mariš
Modified: 2021-10-21 00:50 UTC (History)
23 users (show)

Fixed In Version: openssl 1.0.2a, openssl 1.0.1m, openssl 1.0.0r, openssl 0.9.8zf
Doc Type: Bug Fix
Doc Text:
It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle.
Clone Of:
Environment:
Last Closed: 2021-10-21 00:50:45 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0303 0 normal SHIPPED_LIVE Important: openssl security update 2016-03-01 19:45:41 UTC
Red Hat Product Errata RHSA-2016:0304 0 normal SHIPPED_LIVE Important: openssl security update 2016-03-01 19:45:06 UTC
Red Hat Product Errata RHSA-2016:0306 0 normal SHIPPED_LIVE Important: openssl security update 2016-03-01 19:44:56 UTC
Red Hat Product Errata RHSA-2016:0372 0 normal SHIPPED_LIVE Important: openssl098e security update 2016-03-09 09:08:29 UTC

Description Adam Mariš 2016-02-22 17:20:13 UTC 
Quoting upstream advisory:

This issue only affected versions of OpenSSL prior to March 19th 2015 at which
time the code was refactored to address vulnerability CVE-2015-0293.

s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If
clear-key bytes are present for these ciphers, they *displace* encrypted-key
bytes. This leads to an efficient divide-and-conquer key recovery attack: if an
eavesdropper has intercepted an SSLv2 handshake, they can use the server as an
oracle to determine the SSLv2 master-key, using only 16 connections to the
server and negligible computation.

More importantly, this leads to a more efficient version of DROWN that is
effective against non-export ciphersuites, and requires no significant
computation.

This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all
earlier versions.  It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf
(released March 19th 2015).

This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J.
Alex Halderman of the University of Michigan.  The underlying defect had by
then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015.  The fix
for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d
(1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf).
Comment 1 Tomas Mraz 2016-02-23 08:45:14 UTC 
We have the CVE-2015-0293 fix applied.
Comment 2 Tomas Hoger 2016-02-25 20:23:38 UTC 
CVE-2015-0293 is tracked via bug 1202404.  For upstream commit correcting this issue, see bug 1202404 comment 5.
Comment 3 Martin Prpič 2016-02-29 12:34:47 UTC 
Acknowledgments:

Name: the OpenSSL project
Upstream: David Adrian (University of Michigan), J. Alex Halderman (University of Michigan)
Comment 4 Huzaifa S. Sidhpurwala 2016-03-01 14:14:10 UTC 
External References:

https://www.openssl.org/news/secadv/20160301.txt
Comment 5 errata-xmlrpc 2016-03-01 14:47:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4 Extended Lifecycle Support

Via RHSA-2016:0306 https://rhn.redhat.com/errata/RHSA-2016-0306.html
Comment 6 errata-xmlrpc 2016-03-01 14:48:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.6 Long Life
  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2016:0304 https://rhn.redhat.com/errata/RHSA-2016-0304.html
Comment 7 errata-xmlrpc 2016-03-01 14:50:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2016:0303 https://rhn.redhat.com/errata/RHSA-2016-0303.html
Comment 8 Huzaifa S. Sidhpurwala 2016-03-01 14:56:42 UTC 
Statement:

(none)
Comment 9 errata-xmlrpc 2016-03-09 04:09:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:0372 https://rhn.redhat.com/errata/RHSA-2016-0372.html
Comment 10 Harkanwal 2016-06-13 06:23:39 UTC 
By any chance these fixes will be available for centos distribution (6). Any ETA for same.

Thanks
Comment 11 Harkanwal 2016-09-09 06:01:20 UTC 
Gentle reminder, any information on when the fix would be available in centos 6 distribution
Comment 12 Tomas Mraz 2016-09-09 08:02:39 UTC 
If you look at the changelog of the current openssl in CentOS you can see there is fix for CVE-2015-0293 which means this package is not vulnerable to CVE-2016-0703.
Comment 13 Harkanwal 2016-09-09 08:10:17 UTC 
(In reply to Tomas Mraz from comment #12)
> If you look at the changelog of the current openssl in CentOS you can see
> there is fix for CVE-2015-0293 which means this package is not vulnerable to
> CVE-2016-0703.

Thanks Tomas, If you also provide insight on CVE-2016-0704.  Bugzila link --> https://bugzilla.redhat.com/show_bug.cgi?id=1310814

i would be grateful.
Comment 14 Harkanwal 2016-09-09 08:11:02 UTC 
(In reply to Tomas Mraz from comment #12)
> If you look at the changelog of the current openssl in CentOS you can see
> there is fix for CVE-2015-0293 which means this package is not vulnerable to
> CVE-2016-0703.

Thanks Tomas, If you also provide insight on CVE-2016-0704.  Bugzila link --> https://bugzilla.redhat.com/show_bug.cgi?id=1310814

i would be grateful.
Note You need to log in before you can comment on or make changes to this bug.