[CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated contexts"

Bug #1370478 reported by Thomas Ward on 2014-09-17
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nginx (Debian)
Fix Released
Unknown
nginx (Ubuntu)
Undecided
Unassigned
Lucid
Undecided
Unassigned
Precise
Undecided
Unassigned
Trusty
Undecided
Marc Deslauriers
Utopic
Undecided
Unassigned

Bug Description

A security vulnerability was found in the nginx package. All versions in Lucid, Precise, Trusty, and Utopic are affected.

------

This is the email that went out in the nginx security advisories list regarding this vulnerability:

Hello!

A problem with SSL session cache in nginx was identified by Antoine
Delignat-Lavaud. It was possible to reuse cached SSL sessions in
unrelated contexts, allowing virtual host confusion attacks in some
configurations by an attacker in a privileged network position
(CVE-2014-3616).

The problem affects nginx 0.5.6 - 1.7.4 if the same shared
ssl_session_cache and/or ssl_session_ticket_key are used for multiple
server{} blocks.

The problem is fixed in nginx 1.7.5, 1.6.2.

Further details can be found in the paper by Antoine Delignat-Lavaud
et al., available at http://bh.ht.vc/vhost_confusion.pdf.

------

This is CVE-2014-3616.

------

This has been fixed upstream in nginx. This has also been fixed in Debian.

------

The Debian bug for this is: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761940

Thomas Ward (teward) on 2014-09-17
description: updated
summary: - [CVE-2014-3616] "reuse cached SSL sessions in unrelated contexts"
+ [CVE-2014-3616] "possible to reuse cached SSL sessions in unrelated
+ contexts"
Thomas Ward (teward) on 2014-09-17
Changed in nginx (Ubuntu):
status: New → Confirmed
Changed in nginx (Ubuntu Trusty):
status: New → Confirmed
Changed in nginx (Ubuntu Lucid):
status: New → Won't Fix
Changed in nginx (Ubuntu Precise):
status: New → Confirmed
Changed in nginx (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nginx (Debian):
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.4.6-1ubuntu3.1

---------------
nginx (1.4.6-1ubuntu3.1) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect cached SSL session reuse (LP: #1370478)
    - debian/patches/CVE-2014-3616.patch: include hash of certificate in
      session id context in src/event/ngx_event_openssl.c.
    - CVE-2014-3616
 -- Marc Deslauriers <email address hidden> Wed, 17 Sep 2014 08:56:46 -0400

Changed in nginx (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in nginx (Ubuntu Utopic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.1.19-1ubuntu0.7

---------------
nginx (1.1.19-1ubuntu0.7) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect cached SSL session reuse (LP: #1370478)
    - debian/patches/CVE-2014-3616.patch: Use a random value for session id
      context, since there is no support for shared TLS Session Tickets in
      this version in src/event/ngx_event_openssl.c.
    - CVE-2014-3616
 -- Lev Lazinskiy <email address hidden> Fri, 05 Dec 2014 22:25:50 -0500

Changed in nginx (Ubuntu Precise):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.