Firewall Wizards mailing list archives
TLS/SSL revisited slightly...
From: Paul Robertson <proberts () patriot net>
Date: Tue, 30 Jul 2002 11:47:53 -0400 (EDT)
Rather than reposting the Openssl-announce alert, I'll just excerpt and summarize briefly: several remotely exploitable bugs have been discovered in OpenSSL:
All four of these are potentially remotely exploitable.

1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulnerability is exploitable. Exploit code is NOT available at this time.
2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.
3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issue only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled.
4. Various buffers for ASCII representations of integers were too small on 64 bit platforms.
Obviously, TLS systems are potentially more at risk than HTTPS since TLS acts like a client (bugs #1 and #2 for sure, #3 if Kerberos support is on.) I expect that #4 will probably cause more issues with Apache on Solaris than anything else assuming that it isn't a client-side only issue as well.

Once again, this underscores the point that adding large amounts of code (and additional protocols) can increase exposure to exploitable bugs.

Patches are available on www.openssl.org.

I sense a lot of browser updating in my immediate future...

Thanks,
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts () patriot net which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
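
The bug class behind items 1 to 3 of the excerpt (a peer-supplied field longer than the buffer it is copied into), as an added C example that is not part of the original post and is not OpenSSL code. The wire format, KEY_BUF_SIZE, struct session and parse_key_field are all hypothetical, and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_BUF_SIZE 48  /* hypothetical fixed-size key buffer */

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_OVERSIZED = -2 };

struct session {
    uint8_t key[KEY_BUF_SIZE];
    size_t  key_len;
};

/* Constructed wire format (not SSL2/SSL3): 2-byte big-endian length,
 * followed by that many key bytes. The length is chosen by the peer. */
int parse_key_field(struct session *s, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2)
        return PARSE_TRUNCATED;           /* no room for the length prefix */

    size_t declared = ((size_t)msg[0] << 8) | msg[1];

    /* Without this check, memcpy below writes past s->key whenever the
     * peer declares more than KEY_BUF_SIZE bytes. */
    if (declared > sizeof(s->key))
        return PARSE_OVERSIZED;

    /* The declared length must also fit in what was actually received,
     * otherwise the copy reads past the end of the message. */
    if (declared > msg_len - 2)
        return PARSE_TRUNCATED;

    memcpy(s->key, msg + 2, declared);
    s->key_len = declared;
    return PARSE_OK;
}

/* Constructed sample messages. */
static const uint8_t sample_ok[]        = { 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t sample_oversized[] = { 0x01, 0x00, 0x41, 0x41 }; /* declares 256 */
static const uint8_t sample_truncated[] = { 0x00, 0x08, 0x01, 0x02 }; /* declares 8, has 2 */

int main(void)
{
    struct session s = { {0}, 0 };
    printf("ok:        %d\n", parse_key_field(&s, sample_ok, sizeof sample_ok));
    printf("oversized: %d\n", parse_key_field(&s, sample_oversized, sizeof sample_oversized));
    printf("truncated: %d\n", parse_key_field(&s, sample_truncated, sizeof sample_truncated));
    return 0;
}
```
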