Bug 1369855 (CVE-2016-6302) - CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks
Summary: CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-6302
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1369858 1369860 1369861 1377623 1377624 1377625 1377626 1381802 1381803
Blocks: 1367347
TreeView+ depends on / blocked
 
Reported: 2016-08-24 14:37 UTC by Adam Mariš
Modified: 2021-02-17 03:25 UTC (History)
34 users (show)

Fixed In Version: openssl 1.0.1u, openssl 1.0.2i
Doc Type: If docs needed, set a value
Doc Text:
An integer underflow flaw leading to a buffer over-read was found in the way OpenSSL parsed TLS session tickets. A remote attacker could use this flaw to crash a TLS server using OpenSSL if it used SHA-512 as HMAC for session tickets.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:57:52 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2662211 0 None None None 2016-09-28 00:43:12 UTC
Red Hat Product Errata RHSA-2016:1940 0 normal SHIPPED_LIVE Important: openssl security update 2016-09-27 17:46:00 UTC
Red Hat Product Errata RHSA-2018:2185 0 None None None 2018-07-12 16:16:49 UTC
Red Hat Product Errata RHSA-2018:2186 0 None None None 2018-07-12 16:14:27 UTC
Red Hat Product Errata RHSA-2018:2187 0 None None None 2018-07-12 16:05:10 UTC

Description Adam Mariš 2016-08-24 14:37:58 UTC 
It was found that if a ticket callback changes the HMAC digest to SHA512 the existing sanity checks are not sufficient and an attacker could perform a DoS attack with a malformed ticket.

Upstream patch:

https://github.com/openssl/openssl/commit/1bbe48ab149893a78bf99c8eb8895c928900a16f
Comment 1 Adam Mariš 2016-08-24 14:40:09 UTC 
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1369861]
Comment 2 Adam Mariš 2016-08-24 14:40:23 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1369858]
Comment 3 Adam Mariš 2016-08-24 14:40:33 UTC 
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1369860]
Comment 4 Tomas Hoger 2016-09-16 20:55:13 UTC 
Support for session tickets / RFC4507, and hence the affected code was introduced in version 0.9.8f.  Therefore openssl packages in Red Hat Enterprise Linux 5 and earlier are not affected.
Comment 5 Tomas Hoger 2016-09-19 12:26:50 UTC 
tls_decrypt_ticket() previously checked that the length of the ticket is at least 48 bytes.  There is HMAC value stored at the end of the ticket value.  mlen variable is used to store the length of the mac:

  mlen = HMAC_size(&hctx);

By default, OpenSSL uses SHA-256 for HMAC, or SHA-1 if SHA-256 support is not available.  It does not seem to be using SHA-512 normally.

The length of the mac is subtracted from the ticket length to get the length of the ticket data to protected by HMAC.  The relevant code is:

  eticklen -= mlen;

This is ok for SHA-1 and SHA-256, but can underflow for SHA-512, where mlen is 64.  So eticklen can become negative, and when subsequently passed to HMAC_Update() it's cased to large positive size_t value, leading to buffer long over-read and program crash.
Comment 7 Tomas Hoger 2016-09-22 12:06:02 UTC 
Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.


Malformed SHA512 ticket DoS (CVE-2016-6302)
===========================================

Severity: Low

If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
DoS attack where a malformed ticket will result in an OOB read which will
ultimately crash.

The use of SHA512 in TLS session tickets is comparatively rare as it requires
a custom server callback and ticket lookup mechanism.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 19th August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.


External References:

https://www.openssl.org/news/secadv/20160922.txt
Comment 8 errata-xmlrpc 2016-09-27 13:54:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html
Comment 10 errata-xmlrpc 2018-07-12 16:04:56 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187
Comment 11 errata-xmlrpc 2018-07-12 16:14:15 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186
Comment 12 errata-xmlrpc 2018-07-12 16:16:37 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185
Note You need to log in before you can comment on or make changes to this bug.