Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
assessing impact of December 2015 OpenSSL vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
c00l.wave
Apprentice
Apprentice


Joined: 24 Aug 2003
Posts: 245

PostPosted: Fri Dec 04, 2015 9:34 am    Post subject: assessing impact of December 2015 OpenSSL vulnerabilities Reply with quote

Yesterday, OpenSSL released updates to some vulnerabilities which are rated "moderate" (currently used levels are: critical, high, moderate, low).

https://www.openssl.org/news/secadv/20151203.txt

As I'm not very deep into encryption/SSL, can anyone shed some light on what type of applications/use cases should be expected to be vulnerable? I read the security advisory multiple times but I'm still not sure which of our systems are immediately affected and should be updated with priority (I know that all should be updated mid-term but I can only update a handful of servers in short term).

BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)

SA reads like this weakens encryption but is hard to attack (read: governmental institutions, so what - I guess they are holding back plenty more weaknesses to attack OpenSSL).

Certificate verify crash with missing PSS parameter (CVE-2015-3194)
The signature verification routines [...] if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. Since these routines are used to verify certificate signature algorithms [...]. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.

So, is it only applications that authenticate via certificates or is it any application which verifies certificate chains?! What is with applications which are generally capable of doing so but aren't supposed to do it (like Apache with no VHosts configs explicitely enabling client certificates, can it still be exploited)? What about mail servers (by default verifying certificate chains, plus we have some servers which identify clients by certificates)?

X509_ATTRIBUTE memory leak (CVE-2015-3195)
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected.

So it only affects CLI or tools which use OpenSSL API for things other than just establishing connections via SSL/TLS? How can I be sure a client/server application is unaffected (e.g. what about OpenVPN, tinc, ...)?
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum