Bug 1384743 (CVE-2016-8610) - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
Summary: CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-8610
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1388725 1388726 1388727 1388728 1388729 1388730 1392663 1392664 1392708 1418964 1418965 1418966
Blocks: 1384749 1386080 1446026 1457678 1461790 1479475
Reported: 2016-10-14 03:49 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-17 03:11 UTC (History)
CC List: 39 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:00:03 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0286 0 normal SHIPPED_LIVE Moderate: openssl security update 2017-02-20 15:56:13 UTC
Red Hat Product Errata RHSA-2017:0574 0 normal SHIPPED_LIVE Moderate: gnutls security, bug fix, and enhancement update 2017-03-21 12:23:04 UTC
Red Hat Product Errata RHSA-2017:1413 0 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 7 2017-06-07 21:54:35 UTC
Red Hat Product Errata RHSA-2017:1414 0 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 6 2017-06-07 21:54:17 UTC
Red Hat Product Errata RHSA-2017:1415 0 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 2017-06-07 21:43:43 UTC
Red Hat Product Errata RHSA-2017:1658 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update 2017-06-29 00:20:17 UTC
Red Hat Product Errata RHSA-2017:1659 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update 2017-06-28 23:59:52 UTC
Red Hat Product Errata RHSA-2017:2493 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2 security update 2017-08-21 19:33:48 UTC
Red Hat Product Errata RHSA-2017:2494 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2 security update 2017-08-21 19:22:58 UTC

Description Huzaifa S. Sidhpurwala 2016-10-14 03:49:42 UTC
A flaw was found in the way OpenSSL processed ALERT packets during an SSL handshake. An attacker basically sends a large number of plaintext WARNING packets after CLIENTHELLO, which causes OpenSSL to go into an endless loop (while the attacker keeps on sending more alert packets), consequently taking 100% CPU. This may cause certain applications compiled against OpenSSL to hang, and they may not be able to serve content to the clients. This is especially true for servers which do not fork or allocate an extra thread for the processing of ClientHello, like nginx.

This is fixed in OpenSSL upstream via the commit:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=af58be768ebb690f78530f796e92b8ae5c9a4401
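
The cap that the upstream commit above introduces can be illustrated outside OpenSSL. The following is an added example, not code from this bug report, OpenSSL or GnuTLS: it walks a constructed TLS record stream the way a handshake reader would, resets its counter on real handshake traffic, and aborts once more than an assumed limit (`MAX_WARN_ALERTS = 5`) of consecutive warning alerts arrives instead of looping on each new one; the function and constant names and the sample records are this example's own assumptions.

```python
import struct

CONTENT_ALERT = 21          # TLS record content type: alert
CONTENT_HANDSHAKE = 22      # TLS record content type: handshake
LEVEL_WARNING, LEVEL_FATAL = 1, 2
USER_CANCELED = 90          # a warning-level alert description
MAX_WARN_ALERTS = 5         # assumed cap for this example, not OpenSSL's own constant


def tls_record(content_type, payload, version=b"\x03\x03"):
    """Build one TLS record: type(1) | version(2) | length(2) | payload."""
    return bytes([content_type]) + version + struct.pack("!H", len(payload)) + payload


def iter_records(data):
    """Yield (content_type, body) per complete record; refuse truncated input."""
    off = 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ctype, _maj, _min, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        yield ctype, body
        off += 5 + length


def check_handshake_stream(data, max_warn=MAX_WARN_ALERTS):
    """Return (verdict, consecutive_warning_count) for records read during a handshake."""
    warn = 0
    for ctype, body in iter_records(data):
        if ctype != CONTENT_ALERT:
            warn = 0                      # real handshake traffic resets the run
            continue
        if len(body) != 2:                # an alert body is exactly (level, description)
            return "malformed", warn
        level, _description = body
        if level == LEVEL_FATAL:
            return "fatal", warn          # a fatal alert ends the connection normally
        warn += 1
        if warn > max_warn:               # an unfixed reader would just loop on the next alert
            return "too_many_warnings", warn
    return "ok", warn


def constructed_stream(n_warnings, then_fatal=False):
    """Constructed sample input: a minimal ClientHello-like record, then alert records."""
    hello = tls_record(CONTENT_HANDSHAKE, b"\x01\x00\x00\x02\x03\x03")
    warning = tls_record(CONTENT_ALERT, bytes([LEVEL_WARNING, USER_CANCELED]))
    fatal = tls_record(CONTENT_ALERT, bytes([LEVEL_FATAL, USER_CANCELED]))
    return hello + warning * n_warnings + (fatal if then_fatal else b"")
```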

Comment 6 Huzaifa S. Sidhpurwala 2016-10-20 06:46:00 UTC
CVE-2016-8610 was assigned to this issue.

Comment 7 Nikos Mavrogiannopoulos 2016-10-20 06:49:38 UTC
The same issue may also affect gnutls servers. However, as gnutls delegates the burden of warning alerts to the application, there may be servers that are not vulnerable. I think the openssl fix of adding a maximum number of received handshakes is reasonable, and there is already a similar one in gnutls.

https://gitlab.com/gnutls/gnutls/commit/1ffb827e45721ef56982d0ffd5c5de52376c428e

Comment 8 Huzaifa S. Sidhpurwala 2016-10-24 14:02:47 UTC
Statement:

This flaw affects applications that are compiled against OpenSSL or GnuTLS and do not allocate an extra thread for processing ClientHello messages. Nginx is affected by this issue; Apache httpd is not affected by this issue. This issue has been rated as having a security impact of Moderate. It requires an attacker to send a very large amount of SSL ALERT messages to the host network connection. This issue can also be mitigated by configuring firewalls to limit the number of connections per IP address, or by using deep packet inspection to reject these types of alert packets. A future update may address this issue.

Comment 9 Huzaifa S. Sidhpurwala 2016-10-25 03:12:40 UTC
Public via:

http://seclists.org/oss-sec/2016/q4/224

Comment 10 Huzaifa S. Sidhpurwala 2016-10-25 05:18:47 UTC
Notes:

1. All nginx versions with SSL support compiled in and openssl 1.0.1*, <=1.0.2i, <=1.1.0a are affected.

2. To produce a complete single nginx worker lockup, an attacker should be able to provide a rather large flow of SSL ALERT messages, comparable to the host network connection bandwidth, which is often difficult to achieve.

3. This type of attack can be controlled by various means on the network layer, for example by configuring firewalls to limit the number of connections per IP address, using deep packet inspection to reject these types of alert packets, etc.

Comment 14 Huzaifa S. Sidhpurwala 2016-10-26 03:24:32 UTC
External Reference:

http://security.360.cn/cve/CVE-2016-8610

Comment 15 Huzaifa S. Sidhpurwala 2016-10-26 03:35:10 UTC
Created gnutls tracking bugs for this issue:

Affects: fedora-all [bug 1388728]

Comment 16 Huzaifa S. Sidhpurwala 2016-10-26 03:35:20 UTC
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1388727]

Comment 17 Huzaifa S. Sidhpurwala 2016-10-26 03:35:26 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1388725]

Comment 18 Huzaifa S. Sidhpurwala 2016-10-26 03:35:32 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1388726]

Comment 27 errata-xmlrpc 2017-02-20 10:56:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2017:0286 https://rhn.redhat.com/errata/RHSA-2017-0286.html

Comment 29 errata-xmlrpc 2017-03-21 09:04:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0574 https://rhn.redhat.com/errata/RHSA-2017-0574.html

Comment 30 Martin Prpič 2017-06-06 14:59:41 UTC
Acknowledgments:

Name: Shi Lei (Gear Team of Qihoo 360 Inc.)

Comment 31 errata-xmlrpc 2017-06-07 17:44:27 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2017:1415 https://access.redhat.com/errata/RHSA-2017:1415

Comment 32 errata-xmlrpc 2017-06-07 17:56:04 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2017:1414 https://access.redhat.com/errata/RHSA-2017:1414

Comment 33 errata-xmlrpc 2017-06-07 17:58:46 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2017:1413 https://access.redhat.com/errata/RHSA-2017:1413

Comment 35 errata-xmlrpc 2017-06-28 20:02:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:1659 https://access.redhat.com/errata/RHSA-2017:1659

Comment 36 errata-xmlrpc 2017-06-28 20:21:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:1658 https://access.redhat.com/errata/RHSA-2017:1658

Comment 37 errata-xmlrpc 2017-08-21 15:25:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2

Via RHSA-2017:2494 https://access.redhat.com/errata/RHSA-2017:2494

Comment 38 errata-xmlrpc 2017-08-21 15:34:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:2493 https://access.redhat.com/errata/RHSA-2017:2493
