Firewall Wizards mailing list archives

TLS/SSL revisited slightly...


From: Paul Robertson <proberts () patriot net>
Date: Tue, 30 Jul 2002 11:47:53 -0400 (EDT)

Rather than reposting the Openssl-announce alert, I'll just 
excerpt and summarize briefly: several remotely exploitable bugs have been 
discovered in OpenSSL:
 
All four of these are potentially remotely exploitable.

1. The client master key in SSL2 could be oversized and overrun a
   buffer. This vulnerability was also independently discovered by
   consultants at Neohapsis (http://www.neohapsis.com/) who have also
   demonstrated that the vulnerability is exploitable. Exploit code is
   NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and
   overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and
   overrun a stack-based buffer. This issue only affects OpenSSL
   0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too
   small on 64-bit platforms.
 
Obviously, TLS systems are potentially more at risk than HTTPS since TLS 
acts like a client (bugs #1 and #2 for sure, #3 if Kerberos support is on.)
 
I expect that #4 will probably cause more issues with Apache on Solaris 
than anything else assuming that it isn't a client-side only issue as 
well.  Once again, this underscores the point that adding large amounts 
of code (and additional protocols) can increase exposure to exploitable 
bugs.  

Patches are available on www.openssl.org.
 
I sense a lot of browser updating in my immediate future...

Thanks,
 
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
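
Item 2 in the message above (an oversized SSL3 session ID overrunning a client buffer) comes down to a missing length check on a peer-supplied field. The following is an added example, not part of the original post and not OpenSSL's code: a bounds-checked parse of the session ID from a ServerHello body, where `struct session`, `parse_server_hello_sid` and `check_sid_len` are hypothetical names and the sample message is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SESSION_ID_MAX 32  /* SSL3/TLS limit: session_id is opaque<0..32> */

struct session {            /* hypothetical client-side session record */
    uint8_t id[SESSION_ID_MAX];
    size_t  id_len;
};

/*
 * Parse the session ID out of a ServerHello body:
 *   version(2) | random(32) | sid_len(1) | sid(sid_len) | ...
 * Returns 0 on success, -1 if the message is truncated or the
 * peer-supplied length does not fit the destination buffer.
 */
int parse_server_hello_sid(const uint8_t *msg, size_t msg_len, struct session *s)
{
    const size_t sid_len_off = 2 + 32;
    size_t sid_len;
    if (msg_len < sid_len_off + 1)
        return -1;                      /* too short to hold the length byte */
    sid_len = msg[sid_len_off];
    if (sid_len > sizeof(s->id))
        return -1;                      /* oversized: would overrun s->id */
    if (sid_len > msg_len - (sid_len_off + 1))
        return -1;                      /* length claims more bytes than were sent */
    memcpy(s->id, msg + sid_len_off + 1, sid_len);
    s->id_len = sid_len;
    return 0;
}

/* Constructed sample input: 34 header bytes, a length byte, then filler.
 * Returns the accepted session ID length, or -1 if the parse is rejected. */
int check_sid_len(size_t claimed, size_t supplied)
{
    uint8_t msg[2 + 32 + 1 + 255] = {0};
    struct session s = {{0}, 0};
    msg[34] = (uint8_t)claimed;
    memset(msg + 35, 0xAB, supplied);
    if (parse_server_hello_sid(msg, 35 + supplied, &s) != 0)
        return -1;
    return (int)s.id_len;
}

int main(void) { return check_sid_len(32, 32) == 32 && check_sid_len(33, 33) == -1 ? 0 : 1; }
```

The two length checks are separate on purpose: the first protects the fixed destination buffer, the second stops a read past the end of the received message.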