[prev in list] [next in list] [prev in thread] [next in thread]
List: netbsd-tech-security
Subject: Updated: NetBSD Security Advisory 2010-002: OpenSSL TLS
From: NetBSD Security Officer <security-officer () NetBSD ! org>
Date: 2010-02-02 19:04:48
Message-ID: 20100202190448.GA21208 () NetBSD ! org
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2010-002
=================================
Topic: OpenSSL TLS renegotiation man in the middle vulnerability
Version: NetBSD-current: affected prior to 2009-12-04
NetBSD 5.0: affected
NetBSD 4.0.*: affected
NetBSD 4.0: affected
pkgsrc: openssl package prior to 0.9.8l
Severity: Information disclosure
Fixed: NetBSD-current: Dec 03, 2009
NetBSD-5-0 branch: Jan 12, 2010
NetBSD-5 branch: Jan 12, 2010
NetBSD-4-0 branch: Jan 12, 2010
NetBSD-4 branch: Jan 12, 2010
pkgsrc 2009Q4: openssl-0.9.8l corrects this issue
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
An error in the OpenSSL TLS session renegotiation allows a remote
attacker to intercept communication and conduct a Man-in-the-Middle
attack on TLS sessions.
This vulnerability has been assigned CVE-2009-3555 and CERT
Vulnerability Note VU#120541.
Technical Details
=================
A design problem exists in the renegotiation feature for TLS sessions as
implemented by the version of OpenSSL shipped with NetBSD. As session
renegotiation handshakes are not properly associated with an existing
connection, an unauthenticated attacker can initiate a renegotiation in
order to allow a man-in-the-middle attack, which may allow the attacker
to inject plaintext into the communication.
Solutions and Workarounds
=========================
The solution to this problem is to disable TLS session renegotiation for
now by applying the provided patches or updating NetBSD to a version
including the fix.
The following instructions describe how to upgrade your OpenSSL
binaries by updating your source tree and rebuilding and installing
a new version of OpenSSL.
* NetBSD-current:
Systems running NetBSD-current dated from before 2009-12-04
should be upgraded to NetBSD-current dated 2009-12-04 or later.
The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
crypto/external/bsd/openssl/dist/ssl/s3_lib.c
crypto/external/bsd/openssl/dist/ssl/s3_pkt.c
crypto/external/bsd/openssl/dist/ssl/s3_srvr.c
crypto/external/bsd/openssl/dist/ssl/ssl_locl.h
To update from CVS, re-build, and re-install OpenSSL:
# cd src
# cvs update -d -P crypto/external/bsd/openssl/dist/ssl
# cd lib/libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../../crypto/external/bsd/openssl/lib/libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 5.*:
Systems running NetBSD 5.* sources dated from before
2010-01-12 09:30 UTC should be upgraded from NetBSD 5.* sources
dated 2010-01-12 09:30 UTC or later.
The following files/directories need to be updated from the
netbsd-5 or netbsd-5-0 branches:
crypto/dist/openssl/ssl/s3_lib.c
crypto/dist/openssl/ssl/s3_pkt.c
crypto/dist/openssl/ssl/s3_srvr.c
crypto/dist/openssl/ssl/ssl_locl.h
To update from CVS, re-build, and re-install OpenSSL:
# cd src
# cvs update -r <branch_name> -d -P crypto/dist/openssl/ssl
# cd lib/libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 4.*:
Systems running NetBSD 4.* sources dated from before
2010-01-12 09:30 UTC should be upgraded from NetBSD 4.* sources
dated 2010-01-12 09:30 UTC or later.
The following files/directories need to be updated from the
netbsd-4 or netbsd-4-0 branches:
crypto/dist/openssl/ssl/s3_lib.c
crypto/dist/openssl/ssl/s3_pkt.c
crypto/dist/openssl/ssl/s3_srvr.c
crypto/dist/openssl/ssl/ssl_locl.h
To update from CVS, re-build, and re-install OpenSSL:
# cd src
# cvs update -r <branch_name> -d -P crypto/dist/openssl/ssl
# cd lib/libcrypt
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
Marsh Ray, PhoneFactor and Martin Rex for discovering and reporting the issue,
and Christos Zoulas for fixing it.
Revision History
================
2010-01-12 Initial release
2010-01-15 Fixed build instructions
2010-01-23 Fixed build instructions for HEAD again
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2010-002.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2010, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2010-002.txt,v 1.4 2010/01/23 14:43:50 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)
iQIcBAEBAgAGBQJLWw3iAAoJEAZJc6xMSnBuCeMP/RrlI7CXqffUkYmMvzeae9Nw
PxGIuh+mUOQNqZFH9Nk3jGbnu/XbSLI+zzEXfpQq9yhIQoX4CWLthezfzH/DG/nj
GndTlk3rzw90FXqKVgefZaO+rAAgiliNyld9/eCRldop3jy+18vfyToFtAO7gSNi
UTcL/2WDLSK8+TLjBiGHTftDolKNKRfIu0Eo5V5AP0UrkpZ7EyV6GQPLRy4896Ub
ThIXM5xgFDv4PzCwIpkfLVZdgrHVwN6nzRnC8eoGLPkV4zFbOT5CZ/wXg7GbQChA
4PCFgc0FC4m2jdNuqUMXLa3THlPlWrXE+uXBKjnO1JKyitAgrn5bEPDY/BVr9L5n
5IJdanNZmQQljtCx3G4MsP8ozqFXTP20f4XiaEnJg3uJ76RzLK58Bt+G41lEXDuf
5ZBFkpSqiv9oPoz/AYZU4qOcSoQLW5BAV4nW4lDRUEYUBILPFhyt2HXnxoBfJpjk
VBeqMKRx90jC/vkRuv7QA9sIeMCJjwvaA1DwhAw9P+gLpSPxjp/inOE0P/1wFhq3
JIMjRZnBihCwQVH+Jn3gJ5u9zYheFrRUZarxvsyUHEyeObmP5Up0TaUGG1SU4yoE
iLLh32CxTAhXcwDcbMvx06jgS0K93eJk44fUoVmZ4LlxVC0bVWsfbiw3fSWdBhEP
xgD+Oxw9QYi9pci5dDcO
=gbh2
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic