Multiple OpenSSL vulnerabilities

2012-08-0109:25:58

CentOS Project

aix.software.ibm.com

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.143 Low

EPSS

Percentile

95.6%

JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Wed Aug 1 09:25:58 CDT 2012

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc
or
ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc

                       VULNERABILITY SUMMARY

VULNERABILITY: Multiple OpenSSL vulnerabilities

PLATFORMS: AIX 5.3, 6.1, 7.1, and earlier releases
VIOS 2.X

SOLUTION: Apply the fix as described below.

THREAT: See below

CVE Numbers: CVE-2012-0884
CVE-2012-1165
CVE-2012-2110
CVE-2012-2131
CVE-2012-2333

                       DETAILED INFORMATION

I. DESCRIPTION ( From cve.mitre.org)

CVE-2012-0884
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 
in OpenSSL does not properly restrict certain oracle behavior, which 
makes it easier for context-dependent attackers to decrypt data via 
a Million Message Attack (MMA) adaptive chosen ciphertext attack. 

CVE-2012-1165
The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL allows 
remote attackers to cause a denial of service (NULL pointer dereference 
and application crash) via a crafted S/MIME message, a different 
vulnerability than CVE-2006-7250. 

CVE-2012-2110
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL  does 
not properly interpret integer data, which allows remote attackers to 
conduct buffer overflow attacks, and cause a denial of service 
(memory corruption) or possibly have unspecified other impact, via 
crafted DER data, as demonstrated by an X.509 certificate or an RSA 
public key. 

CVE-2012-2131
Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 
allow remote attackers to conduct buffer overflow attacks, and cause a 
denial of service (memory corruption) or possibly have unspecified other 
impact, via crafted DER data, as demonstrated by an X.509 certificate or 
an RSA public key. NOTE: this vulnerability exists because of an 
incomplete fix for CVE-2012-2110. 

 CVE-2012-2333
 Integer underflow in OpenSSL  when TLS 1.1, TLS 1.2, or DTLS is used 
 with CBC encryption, allows remote attackers to cause a denial of 
 service (buffer over-read) or possibly have unspecified other impact 
 via a crafted TLS packet that is not properly handled during a certain 
 explicit IV calculation. 


Please see the following for more information:

https://vulners.com/cve/CVE-2012-0884
https://vulners.com/cve/CVE-2012-1165
https://vulners.com/cve/CVE-2012-2110
https://vulners.com/cve/CVE-2012-2131
https://vulners.com/cve/CVE-2012-2333

II. PLATFORM VULNERABILITY ASSESSMENT

To determine if your system is vulnerable, execute the following
command:

lslpp -L openssl.base

On VIO Server:

oem_setup_env
lslpp -L openssl.base

The following fileset levels are vulnerable:

AIX 7.1, 6.1, 5.3: all versions less than or equal 0.9.8.1801
AIX 7.1, 6.1, 5.3: FIPS capable versions less than or equal 12.9.8.1801
VIOS 2.X: all versions less than or equal 0.9.8.1801

IMPORTANT: If AIX OpenSSH is in use, it must be updated to version
OpenSSH 5.0 or later, depending on the OpenSSL version according to
following compatibility matrix:

AIX              OpenSSL                    OpenSSH
------------------------------------------------------------------
5.3,6.1,7.1      OpenSSL 0.9.8.18xx         OpenSSH 5.8.0.61xx
5.3,6.1,7.1      OpenSSL-fips 12.9.8.18xx   OpenSSH 5.8.0.61xx

VIOS             OpenSSL                    OpenSSH
------------------------------------------------------------------
2.X              OpenSSL 0.9.8.18xx          OpenSSH 5.8.0.61xx

AIX OpenSSH can be downloaded from:

OpenSSH 5.0:
http://sourceforge.net/projects/openssh-aix
OpenSSH 5.8.0.61xx
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

III. FIXES

A fix is available, and it can be downloaded from:

https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

To extract the fixes from the tar file:

zcat openssl-0.9.8.1802.tar.Z | tar xvf -
or
zcat openssl-fips-12.9.8.1802.tar.Z | tar xvf -

IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created.  Verify it is both bootable and
readable before proceeding.

To preview the fix installation:

installp -apYd . openssl

To install the fix package:

installp -aXYd . openssl

IV. WORKAROUNDS

There are no workarounds.

V. CONTACT INFORMATION

If you would like to receive AIX Security Advisories via email,
please visit:

    http://www.ibm.com/systems/support

and click on the "My notifications" link.

To view previously issued advisories, please visit:

    http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

Comments regarding the content of this announcement can be
directed to:

    [email protected]

To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:

    A. Send an email with "get key" in the subject line to:

        [email protected]

    B. Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

    C. Download the key from a PGP Public Key Server. The key ID is:

    0x28BFAA12

Please contact your local IBM AIX support center for any
assistance.

eServer is a trademark of International Business Machines
Corporation.  IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation.  All other trademarks
are property of their respective holders.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFQGUgw4fmd+Ci/qhIRAntWAJ91cc2j3KRo7dyf2pJvO5PQQWnFhgCglCr7
BZQ4mgB+gDWQiy3UZujbZH4=
=3+Iy
-----END PGP SIGNATURE-----