OpenSSL DTLS Vulnerability

Bug #922229 reported by Brian Knoll on 2012-01-26
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openssl (Ubuntu)
High
Steve Beattie

Bug Description

The following URL is for a DTLS vulnerability in OpenSSL 0.9.8s and earlier which appears to be unpatched in Ubuntu. This vulnerability permits a man-in-the-middle attack on UDP-based TLS implementations, such as OpenVPN and leads to disclosure of encrypted material:

http://security-tracker.debian.org/tracker/CVE-2012-0050

I apologize for the Debian link, I was not sure what else to provide.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: openssl 0.9.8k-7ubuntu8.6
ProcVersionSignature: Ubuntu 2.6.32-38.83-server 2.6.32.52+drm33.21
Uname: Linux 2.6.32-38-server x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Thu Jan 26 12:52:22 2012
InstallationMedia: Ubuntu 10.04.3 LTS "Lucid Lynx" - Release amd64 (20110719.2)
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: openssl

Brian Knoll (brianknoll) wrote :
Brian Knoll (brianknoll) wrote :

I want to mention that CVE 2012-0050 is a fix for CVE 2011-4108, which also fixed some DTLS vulnerabilities. I am unclear whether CVE 2011-4108 was ever fixed in Ubuntu, in particular in Lucid. I do not think that it was.

I think the best thing to do at this point would be to review CVE 2011-4108, but understand that it has some defects which resulted in CVE 2012-0050. Whoever performs the fix should review both of these bugs.

Brian Knoll (brianknoll) wrote :

Upstream Debian used DSA 2392-1 to identify this bug on their side.

Steve Beattie (sbeattie) wrote :

Thanks, we're aware of both the original issue and the followup DoS. Updates are in progress.

Changed in openssl (Ubuntu):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8g-4ubuntu3.15

---------------
openssl (0.9.8g-4ubuntu3.15) hardy-security; urgency=low

  * SECURITY UPDATE: ECDSA private key timing attack
    - crypto/ecdsa/ecs_ossl.c: compute with fixed scalar length
    - http://cvs.openssl.org/chngview?cn=20892
    - CVE-2011-1945
  * SECURITY UPDATE: ECDH ciphersuite denial of service
    - ssl/s3_lib.c, file ssl/s3_srvr.c: fix memory usage for thread
      safety
    - http://cvs.openssl.org/chngview?cn=21334
    - CVE-2011-3210
  * SECURITY UPDATE: DTLS plaintext recovery attack (LP: #922229)
    - ssl/d1_pkt.c: perform all computations before discarding messages
    - http://cvs.openssl.org/chngview?cn=21942
    - http://cvs.openssl.org/chngview?cn=19574
    - CVE-2011-4108
  * SECURITY UPDATE: policy check double free vulnerability
    - crypto/x509v3/pcy_map.c, crypto/x509v3/pcy_tree.c: only free
      domain policy in one location
    - http://cvs.openssl.org/chngview?cn=21941
    - CVE-2011-4019
  * SECURITY UPDATE: incorrect elliptic curve computation TLS key
    exposure
    - crypto/bn/bn_nist.c: perform ellyiptic curve computations
      correctly
    - update to http://cvs.openssl.org/fileview?f=openssl/crypto/bn/bn_nist.c&v=1.20
    - CVE-2011-4354
  * SECURITY UPDATE: SSL 3.0 block padding exposure
    - ssl/s3_enc.c: clear bytes used for block padding of SSL 3.0
      records.
    - http://cvs.openssl.org/chngview?cn=21940
    - CVE-2011-4576
  * SECURITY UPDATE: malformed RFC 3779 data denial of service attack
    - crypto/x509v3/v3_addr.c: prevent malformed RFC3779 data
      from triggering an assertion failure
    - http://cvs.openssl.org/chngview?cn=21937
    - CVE-2011-4577
  * SECURITY UPDATE: Server Gated Cryptography (SGC) denial of service
    - ssl/s3_srvr.c, ssl/ssl.h, ssl/ssl3.h, ssl/ssl_err.c: Only allow
      one SGC handshake restart for SSL/TLS.
    - CVE-2011-4619
  * SECURITY UPDATE: fix for CVE-2011-4108 denial of service attack
    - ssl/d1_pkt.c: improve handling of DTLS MAC
    - http://cvs.openssl.org/chngview?cn=22032
    - CVE-2012-0050
  * crypto/ecdsa/ecdsatest.c: fix ECDSA tests
    - http://cvs.openssl.org/chngview?cn=21777
    - http://cvs.openssl.org/chngview?cn=21995
  * debian/libssl0.9.8.postinst: Only issue the reboot notification for
    servers by testing that the X server is not running (LP: #244250)
 -- Steve Beattie <email address hidden> Tue, 31 Jan 2012 01:46:26 -0800

Changed in openssl (Ubuntu):
status: In Progress → Fix Released
Steve Beattie (sbeattie) on 2012-03-30
visibility: private → public
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers