From owner-freebsd-security@freebsd.org Fri Sep 23 08:06:07 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 359F4BE5E07 for ; Fri, 23 Sep 2016 08:06:07 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 284A7DAC; Fri, 23 Sep 2016 08:06:07 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: by freefall.freebsd.org (Postfix, from userid 1035) id 2522E14DE; Fri, 23 Sep 2016 08:06:07 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-16:26.openssl Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20160923080607.2522E14DE@freefall.freebsd.org> Date: Fri, 23 Sep 2016 08:06:07 +0000 (UTC) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Sep 2016 08:06:07 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-16:26.openssl Security Advisory The FreeBSD Project Topic: Multiple OpenSSL vulnerabilities Category: contrib Module: openssl Announced: 2016-09-23 Credits: OpenSSL Project Affects: All supported versions of FreeBSD. Corrected: 2016-09-22 14:57:48 UTC (stable/11, 11.0-STABLE) 2016-09-22 15:55:27 UTC (releng/11.0, 11.0-RELEASE) 2016-09-22 15:05:38 UTC (stable/10, 10.3-STABLE) 2016-09-23 07:48:34 UTC (releng/10.3, 10.3-RELEASE-p8) 2016-09-23 07:48:34 UTC (releng/10.2, 10.2-RELEASE-p21) 2016-09-23 07:48:34 UTC (releng/10.1, 10.1-RELEASE-p38) 2016-09-23 07:44:10 UTC (stable/9, 9.3-STABLE) 2016-09-23 07:48:34 UTC (releng/9.3, 9.3-RELEASE-p46) CVE Name: CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. II. Problem Description A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. [CVE-2016-6304] An overflow can occur in MDC2_Update() either if called directly or through the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. [CVE-2016-6303] If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a DoS attack where a malformed ticket will result in an OOB read which will ultimately crash. [CVE-2016-6302] The function BN_bn2dec() does not check the return value of BN_div_word(). This can cause an OOB write if an application uses this function with an overly large BIGNUM. This could be a problem if an overly large certificate or CRL is printed out from an untrusted source. TLS is not affected because record limits will reject an oversized certificate before it is parsed. [CVE-2016-2182] The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is the total length the OID text representation would use and not the amount of data written. This will result in OOB reads when large OIDs are presented. [CVE-2016-2180] Some calculations of limits in OpenSSL have used undefined pointer arithmetic. This could cause problems with some malloc implementations. [CVE-2016-2177] Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. [CVE-2016-2178] In a DTLS connection where handshake messages are delivered out-of-order those messages that OpenSSL is not yet ready to process will be buffered for later use. Under certain circumstances, a flaw in the logic means that those messages do not get removed from the buffer even though the handshake has been completed. An attacker could force up to approx. 15 messages to remain in the buffer when they are no longer required. These messages will be cleared when the DTLS connection is closed. The default maximum size for a message is 100k. Therefore the attacker could force an additional 1500k to be consumed per connection. [CVE-2016-2179] A flaw in the DTLS replay attack protection mechanism means that records that arrive for future epochs update the replay protection "window" before the MAC for the record has been validated. This could be exploited by an attacker by sending a record for the next epoch (which does not have to decrypt or have a valid MAC), with a very large sequence number. This means that all subsequent legitimate packets are dropped causing a denial of service for a specific DTLS connection. [CVE-2016-2181] In OpenSSL 1.0.2 and earlier some missing message length checks can result in OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical DoS risk but this has not been observed in practice on common platforms. [CVE-2016-6306] III. Impact A remote attacker can cause OpenSSL server, regardless whether OCSP is supported, to have unbounded memory growth, and eventually lead to a Denial of Service. [CVE-2016-6304] If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. [CVE-2016-6303] An attacker who can send a malformed ticket to the server can cause an OOB read which will ultimately lead to a crash, resulting in a Denial of Service. [CVE-2016-6302] A local attacker can cause an application that parses overly large certificate or CRL to crash. TLS is not affected. [CVE-2016-2182] A local attacker who can create a specially-crafted time stamp file and pass it through the "ts" command of openssl(1) can cause it to crash. This functionality is not used by the SSL/TLS implementation. [CVE-2016-2180] Some OpenSSL code is questionable to integer overflow, which may lead to heap corruption. [CVE-2016-2177] An attacker may recover the private DSA key by conducting timing attack. [CVE-2016-2178] A remote attacker may cause a DTLS server to exhaust memory, resulting in a Denial of Service. [CVE-2016-2179] A remote attacker who can send DTLS records can cause the server to drop all subsequent packets for a specific connection. [CVE-2016-2181] A remote attacker can, in theory, cause OOB reads if the server enabled client authentication. [CVE-2016-6306] IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Restart all daemons that use the library, or reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Restart all daemons that use the library, or reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 10.3] # fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-10.3.patch # fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-10.3.patch.asc # gpg --verify openssl-10.3.patch.asc [FreeBSD 10.1 and 10.2] # fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-10.2.patch # fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-10.2.patch.as # gpg --verify openssl-10.2.patch.asc [FreeBSD 9.3] # fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-9.3.patch # fetch https://security.FreeBSD.org/patches/SA-16:26/openssl-9.3.patch.as # gpg --verify openssl-9.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r306229 releng/9.3/ r206230 stable/10/ r306196 releng/10.1/ r206230 releng/10.2/ r206230 releng/10.3/ r206230 stable/11/ r306195 releng/11.0/ r306198 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.13 (FreeBSD) iQIcBAEBCgAGBQJX5N+CAAoJEO1n7NZdz2rnRZEP/2/fe1c3tLZZAPguwphI7NFK DoGODy5Uj/pMdMv2ZvSJaNFKX5bo4ph2mCtA3rxFhFX4PEDaRoZc4BIlN470qdDe soBV0mJEHC8r0z8cw6WYbh4wbd2yYy2x95LFi3g/04udctGQyxWmEzkzjzT8SqxU EMoZYZuYQTvr8paQGiUizLu61AFDM2sZhU8yW4euxxiIREbFTO8rC7DMAk3mKfNk Og1NN6uVK7+AgxZRJtfrKPftdwGPfKPQKgR731goAghQihThNNDvQ8OdDwj8Mlh1 KI8u+GaVKUTfgS2Ra9a291nEqV0EHZkY3zSpp4LeCY93gpFQeEhS5M/32oFheP4+ qNQZdvDzKVBKT1NTzgDbMN++56/h0FDa9NkIQbZI9TwkOTbLeGNMWtC46Ngza3tz avlSxxckCwelvmZcjntU3MakdWQhIgMRFvOzVDgfL+erUi3kot0+kgiXq+cn0UEa ZHOCJWIzAh/PJGPNOJl71Ji3qb6iUJx31HmVLxyoofbfKmNsg72/ROqUgBLCYO3s kW77yMNYEBAzdxeep8oNwMat9bZbxnhvAbr2v934SIndLQ5FtDJ/OdiCq3oXMbyE uLFTjqGaTur7z26bibT72l4OEy7Qkt5G1EqefxTGHpY0UQhjQQVFWjwbFYq9RT40 60v4DC15ArshCN6tuyWt =8wR6 -----END PGP SIGNATURE----- From owner-freebsd-security@freebsd.org Fri Sep 23 14:02:35 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 94C38BDC827 for ; Fri, 23 Sep 2016 14:02:35 +0000 (UTC) (envelope-from Klauder@nt.ag) Received: from mailrelay.ntag.de (mailrelay.ntag.de [81.209.134.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 216C3FD5 for ; Fri, 23 Sep 2016 14:02:34 +0000 (UTC) (envelope-from Klauder@nt.ag) Received: from mailhost.nt-web.de ([192.168.128.12]) by mailrelay.ntag.de (8.15.2/8.15.2) with ESMTP id u8NE2OC3078596 for ; Fri, 23 Sep 2016 16:02:24 +0200 (CEST) (envelope-from Klauder@nt.ag) X-Notes-Item: Memo; name=Form X-Notes-Item: CN=Sascha Klauder/O=NTAG; name=SentBy X-Notes-Item: ; name=AltFrom X-Notes-Item: ; name=AltSendTo X-Notes-Item: ; name=$LangFrom X-Notes-Item: ; name=$NameLanguageTags Subject: =?ISO-8859-1?Q?AUTO=3A_Sascha_Klauder_ist_au=DFer_Haus_=28R=FCckkehr_am?= =?ISO-8859-1?Q?_10=2F25=2F2016=29?= X-Notes-Item: ; name=$AutoForward X-Notes-Item: OOAgent; name=GeneratedBy X-Notes-Item: 1; name=$AssistMail Auto-Submitted: auto-generated From: Sascha Klauder To: freebsd-security@freebsd.org Message-ID: Date: Fri, 23 Sep 2016 16:02:24 +0200 X-Notes-Item: 0; name=Encrypt X-Notes-Item: ; name=HasSafeStamp X-Notes-Item: CN=DOMINO-NTAG/O=NTAG; type=501; flags=44; name=$UpdatedBy X-Notes-Item: Fri, 23 Sep 2016 16:02:24 +0200; type=400; name=$Revisions X-Notes-Item: nt.ag; name=FromDomain X-Notes-Item: 25; type=300; name=$Hops X-Notes-Item: 1; name=$NoteHasNativeMIME X-Notes-Item: CN=Sascha Klauder/O=NTAG; name=OriginalFrom X-MIMETrack: Serialize by Router on DOMINO-NTAG/NTAG(Release 8.5.3FP6|November 21, 2013) at 23.09.2016 16:02:24 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Sep 2016 14:02:35 -0000 Ich kehre zur=FCck am 10/25/2016. Sehr geehrte Damen und Herren, ich bin vom 26.08.2016 bis 25.10.2016 in Elternzeit und kann E-Mail nu= r unregelm=E4=DFig bearbeiten. Ihre Nachricht wird nicht weitergeleitet. = Bitte wenden Sie sich ggf. an support@nt.ag. Hinweis: Dies ist eine automatische Antwort auf Ihre Nachricht "FreeBS= D Security Advisory FreeBSD-SA-16:26.openssl" gesendet am 23.09.2016 10:0= 6:07 . Diese ist die einzige Benachrichtigung, die Sie empfangen werden, w=E4h= rend diese Person abwesend ist.= From owner-freebsd-security@freebsd.org Fri Sep 23 21:04:34 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C430DBE6CBD for ; Fri, 23 Sep 2016 21:04:34 +0000 (UTC) (envelope-from peter@rulingia.com) Received: from vps.rulingia.com (vps.rulingia.com [103.243.244.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "rulingia.com", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4785B940 for ; Fri, 23 Sep 2016 21:04:33 +0000 (UTC) (envelope-from peter@rulingia.com) Received: from server.rulingia.com (ppp59-167-167-3.static.internode.on.net [59.167.167.3]) by vps.rulingia.com (8.15.2/8.15.2) with ESMTPS id u8NL4ELc068011 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Sat, 24 Sep 2016 07:04:22 +1000 (AEST) (envelope-from peter@rulingia.com) X-Bogosity: Ham, spamicity=0.000000 Received: from server.rulingia.com (localhost.rulingia.com [127.0.0.1]) by server.rulingia.com (8.15.2/8.15.2) with ESMTPS id u8NL48kn007044 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Sat, 24 Sep 2016 07:04:08 +1000 (AEST) (envelope-from peter@server.rulingia.com) Received: (from peter@localhost) by server.rulingia.com (8.15.2/8.15.2/Submit) id u8NL46GR006392 for freebsd-security@freebsd.org; Sat, 24 Sep 2016 07:04:06 +1000 (AEST) (envelope-from peter) Date: Sat, 24 Sep 2016 07:04:06 +1000 From: Peter Jeremy To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:26.openssl Message-ID: <20160923210406.GD55582@server.rulingia.com> References: <20160923080607.2522E14DE@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="rwEMma7ioTxnRzrJ" Content-Disposition: inline In-Reply-To: <20160923080607.2522E14DE@freefall.freebsd.org> X-PGP-Key: http://www.rulingia.com/keys/peter.pgp User-Agent: Mutt/1.6.1 (2016-04-27) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Sep 2016 21:04:34 -0000 --rwEMma7ioTxnRzrJ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2016-Sep-23 08:06:07 +0000, FreeBSD Security Advisories wrote: =2E.. >Branch/path Revision >------------------------------------------------------------------------- >releng/9.3/ r206230 >releng/10.1/ r206230 >releng/10.2/ r206230 >releng/10.3/ r206230 These revision numbers are 100000 too low (the elided ones were correct). --=20 Peter Jeremy --rwEMma7ioTxnRzrJ Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQJ8BAEBCgBmBQJX5ZjFXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFRUIyOTg2QzMwNjcxRTc0RTY1QzIyN0Ux NkE1OTdBMEU0QTIwQjM0AAoJEBall6Dkogs0N9MP/iU5N+2ERWt+c1Wn7ldxPwVA 7sn/lx8fkZGtQyzXXbiy8j7NAGewpn/y6qRxUevsEZRkms7G+3gehTa1EvI4L+ew hsVhx/AkMc9CxiqMKgWcgRdHhaPm/JB7H9dLfuH+4ELcoAEPdCLCNsAuo11rH7nb k2UZSxeyQFOGNmZ+BL3o0nqBRGTC/9h+cFhhxIqRWdKjtuWtDmd6C5+ae9zsBKHO 6FokDEmRwqnWw+pVzyZ1FjI6TNWYr5vxuGD4MNtZTzgc6H9MREK9vdtkbxa+9KPR Ce9poiqSHe8B5v4IsFnNCZ3o1TroAkRLn7IvRErnQfaBLfKD6vyvjQIegd9YV8yX Iiw8kLGhOoOSByxRbOSiNMMAsZ56D+ztxYRt4QGDKOqB19IASdGqfJWAyzHRNtR6 +Bg2lNEU6W3j8XR+SbE01TP7i+QsSDfLBbxMG6xTRiJ6NyfIb+Q7TE1Q6VsHL75+ Z/wYLCNvQwSDtZugL07HhfC31+Y4Nr7S4VUmI9mEEWItNmXJ3sEsd/M5FEA5gkC3 fd89FJMs8i25Ir5tLNVougbOAkXBLTVTz/3hIVCoAJZ247Rab4SqMjkpBRysTKx+ L66ezaONLhi+D97chXvkcMAHlEphgrvEwKNjE3Az7fAyxhSgO/sI2SgVpoXdMS06 CHUwnFhLlBqqbUwO6J6I =8dl6 -----END PGP SIGNATURE----- --rwEMma7ioTxnRzrJ--