www.cendio.com
Bug 5540 - Upgrade OpenSSL to latest version
: Upgrade OpenSSL to latest version
Status: CLOSED FIXED
: ThinLinc
Build system
: trunk
: PC Unknown
: P2 Normal
: 4.6.0
Assigned To:
:
:
:
:
  Show dependency treegraph
 
Reported: 2015-05-19 16:48 by
Modified: 2016-04-14 14:57 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From cendio 2015-05-19 16:48:25
We are using 1.0.1j, latest is 1.0.2a.
------- Comment #1 From cendio 2015-09-11 15:24:22 -------
Summary of CVEs from 1.0.1j to 1.0.2d:

DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
no-ssl3 configuration sets method to NULL (CVE-2014-3569)
ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
DH client certificates accepted without verification [Server] (CVE-2015-0205)
Certificate fingerprints can be modified (CVE-2014-8275)
Bignum squaring may produce incorrect results (CVE-2014-3570)
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
Multiblock corrupted pointer (CVE-2015-0290)
Segmentation fault in DTLSv1_listen (CVE-2015-0207)
Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
Segmentation fault for invalid PSS parameters (CVE-2015-0208)
ASN.1 structure reuse memory corruption (CVE-2015-0287)
PKCS7 NULL pointer dereferences (CVE-2015-0289)
Base64 decode (CVE-2015-0292)
DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
Empty CKE with client auth and DHE (CVE-2015-1787)
Handshake with unseeded PRNG (CVE-2015-0285)
Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
DHE man-in-the-middle protection (Logjam)
Malformed ECParameters causes infinite loop (CVE-2015-1788)
Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
CMS verify infinite loop with unknown hash function (CVE-2015-1792)
Race condition handling NewSessionTicket (CVE-2015-1791)
Invalid free in DTLS (CVE-2014-8176)
Alternative chains certificate forgery (CVE-2015-1793)
------- Comment #2 From cendio 2015-09-11 15:41:49 -------
Risk analysis. OpenSSL is used in two places, OpenSSH and rdesktop.

(In reply to comment #1)
> DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
> DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
> Invalid free in DTLS (CVE-2014-8176)
> Segmentation fault in DTLSv1_listen (CVE-2015-0207)

Safe. We do not use DTLS.

> no-ssl3 configuration sets method to NULL (CVE-2014-3569)

Safe. We do not use this flag.

> Certificate fingerprints can be modified (CVE-2014-8275)

Safe. We don't check fingerprints.

> Bignum squaring may produce incorrect results (CVE-2014-3570)

Low risk. No attacks known, but bug is suspicious enough that exploits might
turn up eventually.

> OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
> Multiblock corrupted pointer (CVE-2015-0290)

Safe. Feature introduced in 1.0.2 so we don't have the bug.

> ASN.1 structure reuse memory corruption (CVE-2015-0287)

Safe. Not a feature we use.

> Base64 decode (CVE-2015-0292)

Actually fixed in 1.0.1h, so we already have it.

> DH client certificates accepted without verification [Server] (CVE-2015-0205)
> DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
> Empty CKE with client auth and DHE (CVE-2015-1787)

Safe. Only affects servers.

> Handshake with unseeded PRNG (CVE-2015-0285)

Low risk, possibly safe. Requires fairly special conditions. Probably not
possible with an RDP server.

> Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)

Safe. Only affects untrusted private keys.

> X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)

Safe. Esoteric function that we do not use.

> Malformed ECParameters causes infinite loop (CVE-2015-1788)

Safe. Apparently only affects client certificate usage, which we do not use.

> Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)

Safe. Apparently only affects CRL verification and client certificate usage,
neither of which we use.

> PKCS7 NULL pointer dereferences (CVE-2015-0289)
> PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)

Safe. We do not use PKCS7.

> CMS verify infinite loop with unknown hash function (CVE-2015-1792)

Safe. We do not use S/MIME.

> Race condition handling NewSessionTicket (CVE-2015-1791)

Safe. We do not use tickets.

> ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
> RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
> Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
> Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
> Segmentation fault for invalid PSS parameters (CVE-2015-0208)
> DHE man-in-the-middle protection (Logjam)
> Alternative chains certificate forgery (CVE-2015-1793)

Safe. We do not verify certificates so we do not protect ourselves against
man-in-the-middle attacks.
------- Comment #3 From cendio 2015-09-14 09:58:19 -------
Nothing critical at this time. Moving back to next for now.
------- Comment #4 From cendio 2015-12-03 17:12:20 -------
https://openssl.org/news/newslog.html:

> 03-Dec-2015 Security Advisory: four security fixes (https://openssl.org/news/secadv/20151203.txt)
> 03-Dec-2015 OpenSSL 1.0.2e is now available, including bug and security fixes
> 03-Dec-2015 OpenSSL 1.0.1q is now available, including bug and security fixes
> 03-Dec-2015 OpenSSL 1.0.0t is now available, including bug and security fixes
> 03-Dec-2015 OpenSSL 0.9.8zh is now available, including bug and security fixes

Also, from the advisory:

> NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE
> 0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS
> PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.
------- Comment #5 From cendio 2015-12-14 11:01:47 -------
The new CVEs:

> BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)

Safe. We don't have any private keys.

> Certificate verify crash with missing PSS parameter (CVE-2015-3194)

May be relevant for rdesktop. But we don't do much verification of the server,
so might not be.

> X509_ATTRIBUTE memory leak (CVE-2015-3195)

Safe. Doesn't affect TLS.

> Race condition handling PSK identify hint (CVE-2015-3196)

Safe. We don't use PSK.

> Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)

Safe. Regression in 1.0.2, which we don't use.
------- Comment #7 From cendio 2015-12-15 09:58:05 -------
All done. Tested that ssh and rdesktop worked fine.
------- Comment #8 From cendio 2015-12-16 17:07:02 -------
(In reply to comment #7)
> All done. Tested that ssh and rdesktop worked fine.

All of OpenSSH (both client and ssh-keyscan), rdesktop and OpenSC seems to work
fine. Build 4974.