Results 1 to 2 of 2

Thread: OpenSSL vulnerability

  1. #1
    Junior Member
    Join Date
    May 2002

    Post OpenSSL vulnerability

    This is quoted from http://www.openssl.org/news/secadv_20020730.txt

    OpenSSL Security Advisory [30 July 2002]

    This advisory consists of two independent advisories, merged, and is
    an official OpenSSL advisory.

    Advisory 1

    A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) are
    conducting a security review of OpenSSL, under the DARPA program


    All four of these are potentially remotely exploitable.

    1. The client master key in SSL2 could be oversized and overrun a
    buffer. This vulnerability was also independently discovered by
    consultants at Neohapsis (http://www.neohapsis.com/) who have also
    demonstrated that the vulerability is exploitable. Exploit code is
    NOT available at this time.

    2. The session ID supplied to a client in SSL3 could be oversized and
    overrun a buffer.

    3. The master key supplied to an SSL3 server could be oversized and
    overrun a stack-based buffer. This issues only affects OpenSSL
    0.9.7 before 0.9.7-beta3 with Kerberos enabled.

    4. Various buffers for ASCII representations of integers were too
    small on 64 bit platforms.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue
    3, and CAN-2002-0655 to issue 4.

    In addition various potential buffer overflows not known to be
    exploitable have had assertions added to defend against them.

    Who is affected?

    Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or
    current development snapshots of 0.9.7 to provide SSL or TLS is
    vulnerable, whether client or server. 0.9.6d servers on 32-bit systems
    with SSL 2.0 disabled are not vulnerable.

    SSLeay is probably also affected.


    Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL
    0.9.6e. Recompile all applications using OpenSSL to provide SSL or

    A patch for 0.9.7 is available from the OpenSSL website

    Servers can disable SSL2, alternatively disable all applications using
    SSL or TLS until the patches are applied. Users of 0.9.7 pre-release
    versions with Kerberos enabled will also have to disable Kerberos.

    Client should be disabled altogether until the patches are applied.

    Known Exploits

    There are no know exploits available for these vulnerabilities. As
    noted above, Neohapsis have demonstrated internally that an exploit is
    possible, but have not released the exploit code.




    The project leading to this advisory is sponsored by the Defense
    Advanced Research Projects Agency (DARPA) and Air Force Research
    Laboratory, Air Force Materiel Command, USAF, under agreement number

    The patch and advisory were prepared by Ben Laurie.

    Advisory 2


    The ASN1 parser can be confused by supplying it with certain invalid

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2002-0659 to this issue.

    Who is affected?

    Any OpenSSL program which uses the ASN1 library to parse untrusted
    data. This includes all SSL or TLS applications, those using S/MIME
    (PKCS#7) or certificate generation routines.


    Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile
    all applications using OpenSSL.

    Users of 0.9.7 pre-release versions should apply the patch or upgrade
    to 0.9.7-beta3 or later. Recompile all applications using OpenSSL.


    There are no known exploits for this vulnerability.




    This vulnerability was discovered by Adi Stav <stav@mercury.co.il>
    and James Yonan <jim@ntlp.com> independently. The patch is partly
    based on a version by Adi Stav.

    The patch and advisory were prepared by Dr. Stephen Henson.

    Combined patches for OpenSSL 0.9.6d:

    Combined patches for OpenSSL 0.9.7 beta 2:

    URL for this Security Advisory:

  2. #2
    Junior Member
    Join Date
    Jul 2002

    \"Imagination is more important than knowledge\" (A. Einstein)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts