Bug 1384743 - (CVE-2016-8610) CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20161024,repor...
: Security
Depends On: 1392664 1388725 1388726 1388727 1388728 1388729 1388730 1392663 1392708 1418964 1418965 1418966
Blocks: 1384749 1386080 1446026 1457678 1461790 1479475
Reported: 2016-10-13 23:49 EDT by Huzaifa S. Sidhpurwala
Modified: 2018-01-30 18:26 EST

Doc Text:
A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
Description Huzaifa S. Sidhpurwala 2016-10-13 23:49:42 EDT
A flaw was found in the way OpenSSL processed ALERT packets during an SSL handshake. An attacker basically sends a large number of plaintext WARNING packets after CLIENTHELLO, which causes OpenSSL to go into an endless loop (while the attacker keeps on sending more alert packets), consequently taking 100% CPU. This may cause certain applications compiled against OpenSSL to hang, and they may not be able to serve content to the clients. This is especially true for servers which do not fork or allocate an extra thread for the processing of ClientHello, like nginx.

This is fixed upstream in OpenSSL via commit:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=af58be768ebb690f78530f796e92b8ae5c9a4401
Comment 6 Huzaifa S. Sidhpurwala 2016-10-20 02:46:00 EDT
CVE-2016-8610 was assigned to this issue.
Comment 7 Nikos Mavrogiannopoulos 2016-10-20 02:49:38 EDT
The same issue may also affect gnutls servers. However, as gnutls delegates the burden of warning alerts to the application, there may be servers that are not vulnerable. I think the openssl fix of adding a maximum number of received handshakes is reasonable, and there is already a similar one in gnutls.

https://gitlab.com/gnutls/gnutls/commit/1ffb827e45721ef56982d0ffd5c5de52376c428e
Comment 8 Huzaifa S. Sidhpurwala 2016-10-24 10:02:47 EDT
Statement:

This flaw affects applications that are compiled against OpenSSL or GnuTLS and do not allocate an extra thread for processing ClientHello messages. Nginx is affected by this issue; Apache httpd is not affected by this issue. This issue has been rated as having a security impact of Moderate. It requires an attacker to send a very large amount of SSL ALERT messages to the host network connection. This issue can also be mitigated by configuring firewalls to limit the number of connections per IP address, or by using deep packet inspection to reject this type of alert packet. A future update may address this issue.
Comment 9 Huzaifa S. Sidhpurwala 2016-10-24 23:12:40 EDT
Public via:

http://seclists.org/oss-sec/2016/q4/224
Comment 10 Huzaifa S. Sidhpurwala 2016-10-25 01:18:47 EDT
Notes:

1. All nginx versions with SSL support compiled in and openssl 1.0.1*, <=1.0.2i, <=1.1.0a are affected.

2. To provide a complete single nginx worker lockup, an attacker should be able to provide a rather big flow of SSL ALERT messages, comparable to the host network connection bandwidth, which is often difficult to achieve.

3. This type of attack can be controlled by various means on the network layer, for example by configuring firewalls to limit the number of connections per IP address, using deep packet inspection to reject this type of alert packet, etc.
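
The deep packet inspection mitigation mentioned in the comments above, as an added example (not code from this bug, OpenSSL or GnuTLS): a record-layer scanner that flags a client stream once it carries more consecutive plaintext warning alerts than a cap. The cap of 5, the function names and the sample bytes are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_CT_ALERT     21  /* record content type: alert */
#define ALERT_WARNING     1  /* alert level: warning */
#define MAX_WARN_ALERTS   5  /* assumed cap, chosen for this example */

enum verdict { STREAM_OK, STREAM_TRUNCATED, STREAM_ALERT_FLOOD };

/* Walk the TLS records in a client-to-server byte stream and count
 * consecutive plaintext warning alerts; any other record resets the run.
 * A plaintext alert body is exactly 2 bytes (level, description);
 * encrypted alerts are longer and are not counted here. */
enum verdict scan_client_stream(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    unsigned run = 0;
    while (off < len) {
        if (len - off < 5) return STREAM_TRUNCATED;            /* partial header */
        size_t rec_len = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (len - off - 5 < rec_len) return STREAM_TRUNCATED;  /* partial body */
        if (buf[off] == TLS_CT_ALERT && rec_len == 2 && buf[off + 5] == ALERT_WARNING) {
            if (++run > MAX_WARN_ALERTS) return STREAM_ALERT_FLOOD;
        } else {
            run = 0;
        }
        off += 5 + rec_len;
    }
    return STREAM_OK;
}

/* Constructed sample input: a stub handshake record (type 22, empty
 * ClientHello header) followed by n warning alerts (description 90). */
enum verdict verdict_for_sample(unsigned n_alerts)
{
    static const uint8_t hello[] = {22, 3, 1, 0, 4, 1, 0, 0, 0};
    static const uint8_t warn[]  = {21, 3, 1, 0, 2, ALERT_WARNING, 90};
    uint8_t buf[sizeof hello + 64 * sizeof warn];
    size_t len = sizeof hello;
    if (n_alerts > 64) n_alerts = 64;
    memcpy(buf, hello, sizeof hello);
    for (unsigned i = 0; i < n_alerts; i++, len += sizeof warn)
        memcpy(buf + len, warn, sizeof warn);
    return scan_client_stream(buf, len);
}

int main(void)
{
    printf("3 alerts -> %d, 6 alerts -> %d\n",
           verdict_for_sample(3), verdict_for_sample(6));
    return 0;
}
```

`STREAM_TRUNCATED` means the buffer ends mid-record, so a caller would wait for more bytes before deciding.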
Comment 14 Huzaifa S. Sidhpurwala 2016-10-25 23:24:32 EDT
External Reference:

http://security.360.cn/cve/CVE-2016-8610
Comment 15 Huzaifa S. Sidhpurwala 2016-10-25 23:35:10 EDT
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1388728]
Comment 16 Huzaifa S. Sidhpurwala 2016-10-25 23:35:20 EDT
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1388727]
Comment 17 Huzaifa S. Sidhpurwala 2016-10-25 23:35:26 EDT
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1388725]
Comment 18 Huzaifa S. Sidhpurwala 2016-10-25 23:35:32 EDT
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1388726]
Comment 27 errata-xmlrpc 2017-02-20 05:56:34 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:0286 https://rhn.redhat.com/errata/RHSA-2017-0286.html
Comment 29 errata-xmlrpc 2017-03-21 05:04:20 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0574 https://rhn.redhat.com/errata/RHSA-2017-0574.html
Comment 30 Martin Prpič 2017-06-06 10:59:41 EDT
Acknowledgments:

Name: Shi Lei (Gear Team of Qihoo 360 Inc.)
Comment 31 errata-xmlrpc 2017-06-07 13:44:27 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2017:1415 https://access.redhat.com/errata/RHSA-2017:1415
Comment 32 errata-xmlrpc 2017-06-07 13:56:04 EDT
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2017:1414 https://access.redhat.com/errata/RHSA-2017:1414
Comment 33 errata-xmlrpc 2017-06-07 13:58:46 EDT
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2017:1413 https://access.redhat.com/errata/RHSA-2017:1413
Comment 35 errata-xmlrpc 2017-06-28 16:02:20 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:1659 https://access.redhat.com/errata/RHSA-2017:1659
Comment 36 errata-xmlrpc 2017-06-28 16:21:21 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:1658 https://access.redhat.com/errata/RHSA-2017:1658
Comment 37 errata-xmlrpc 2017-08-21 11:25:55 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2

Via RHSA-2017:2494 https://access.redhat.com/errata/RHSA-2017:2494
Comment 38 errata-xmlrpc 2017-08-21 11:34:44 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:2493 https://access.redhat.com/errata/RHSA-2017:2493
