OpenSSL DTLS Vulnerability

Bug #922229 reported by Brian Knoll
Affects: openssl (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Steve Beattie

Bug Description

The following URL is for a DTLS vulnerability in OpenSSL 0.9.8s and earlier which appears to be unpatched in Ubuntu. This vulnerability permits a man-in-the-middle attack on UDP-based TLS implementations, such as OpenVPN, and leads to disclosure of encrypted material:

http://security-tracker.debian.org/tracker/CVE-2012-0050

I apologize for the Debian link, I was not sure what else to provide.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: openssl 0.9.8k-7ubuntu8.6
ProcVersionSignature: Ubuntu 2.6.32-38.83-server 2.6.32.52+drm33.21
Uname: Linux 2.6.32-38-server x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Thu Jan 26 12:52:22 2012
InstallationMedia: Ubuntu 10.04.3 LTS "Lucid Lynx" - Release amd64 (20110719.2)
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: openssl

Revision history for this message
Brian Knoll (brianknoll) wrote :

I want to mention that CVE-2012-0050 is a fix for CVE-2011-4108, which also fixed some DTLS vulnerabilities. I am unclear whether CVE-2011-4108 was ever fixed in Ubuntu, in particular in Lucid. I do not think that it was.

I think the best thing to do at this point would be to review CVE 2011-4108, but understand that it has some defects which resulted in CVE 2012-0050. Whoever performs the fix should review both of these bugs.

Revision history for this message
Brian Knoll (brianknoll) wrote :

Upstream Debian used DSA 2392-1 to identify this bug on their side.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Thanks, we're aware of both the original issue and the followup DoS. Updates are in progress.

Changed in openssl (Ubuntu):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
importance: Undecided → High
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl - 0.9.8g-4ubuntu3.15

---------------
openssl (0.9.8g-4ubuntu3.15) hardy-security; urgency=low

  * SECURITY UPDATE: ECDSA private key timing attack
    - crypto/ecdsa/ecs_ossl.c: compute with fixed scalar length
    - http://cvs.openssl.org/chngview?cn=20892
    - CVE-2011-1945
  * SECURITY UPDATE: ECDH ciphersuite denial of service
    - ssl/s3_lib.c, file ssl/s3_srvr.c: fix memory usage for thread
      safety
    - http://cvs.openssl.org/chngview?cn=21334
    - CVE-2011-3210
  * SECURITY UPDATE: DTLS plaintext recovery attack (LP: #922229)
    - ssl/d1_pkt.c: perform all computations before discarding messages
    - http://cvs.openssl.org/chngview?cn=21942
    - http://cvs.openssl.org/chngview?cn=19574
    - CVE-2011-4108
  * SECURITY UPDATE: policy check double free vulnerability
    - crypto/x509v3/pcy_map.c, crypto/x509v3/pcy_tree.c: only free
      domain policy in one location
    - http://cvs.openssl.org/chngview?cn=21941
    - CVE-2011-4019
  * SECURITY UPDATE: incorrect elliptic curve computation TLS key
    exposure
    - crypto/bn/bn_nist.c: perform elliptic curve computations
      correctly
    - update to http://cvs.openssl.org/fileview?f=openssl/crypto/bn/bn_nist.c&v=1.20
    - CVE-2011-4354
  * SECURITY UPDATE: SSL 3.0 block padding exposure
    - ssl/s3_enc.c: clear bytes used for block padding of SSL 3.0
      records.
    - http://cvs.openssl.org/chngview?cn=21940
    - CVE-2011-4576
  * SECURITY UPDATE: malformed RFC 3779 data denial of service attack
    - crypto/x509v3/v3_addr.c: prevent malformed RFC3779 data
      from triggering an assertion failure
    - http://cvs.openssl.org/chngview?cn=21937
    - CVE-2011-4577
  * SECURITY UPDATE: Server Gated Cryptography (SGC) denial of service
    - ssl/s3_srvr.c, ssl/ssl.h, ssl/ssl3.h, ssl/ssl_err.c: Only allow
      one SGC handshake restart for SSL/TLS.
    - CVE-2011-4619
  * SECURITY UPDATE: fix for CVE-2011-4108 denial of service attack
    - ssl/d1_pkt.c: improve handling of DTLS MAC
    - http://cvs.openssl.org/chngview?cn=22032
    - CVE-2012-0050
  * crypto/ecdsa/ecdsatest.c: fix ECDSA tests
    - http://cvs.openssl.org/chngview?cn=21777
    - http://cvs.openssl.org/chngview?cn=21995
  * debian/libssl0.9.8.postinst: Only issue the reboot notification for
    servers by testing that the X server is not running (LP: #244250)
 -- Steve Beattie <email address hidden> Tue, 31 Jan 2012 01:46:26 -0800

Changed in openssl (Ubuntu):
status: In Progress → Fix Released
Steve Beattie (sbeattie)
visibility: private → public
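The changelog entry above records the CVE-2011-4108 fix in ssl/d1_pkt.c as "perform all computations before discarding messages". The C below is an added example, not OpenSSL's code and not part of this bug report; it shows the shape of that defect and of the fix using a stand-in keyed MAC, a simplified record layout (payload || MAC || padding) and a constructed key and payload, all of which are assumptions for the demonstration. The vulnerable checker rejects bad padding before doing the MAC work, so its timing differs from a bad-MAC rejection; because DTLS keeps the session alive after a bad record, an attacker can replay modified records and measure that difference. The fixed checker always computes the MAC and decides only at the end.

```c
/* Added example, not OpenSSL's code: shape of the CVE-2011-4108 defect in
 * DTLS record checking and of the "perform all computations before
 * discarding" fix. MAC, record layout, key and payload are stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 8
#define BLOCK   16

static unsigned long mac_calls;            /* MACs computed (observed by tests) */
static const uint8_t KEY[] = "key";        /* constructed key, length 3 */

/* Stand-in keyed MAC (keyed FNV-1a). Not an HMAC; it only needs to be
 * deterministic and to cost time proportional to its input. */
static void toy_mac(const uint8_t *key, size_t klen,
                    const uint8_t *msg, size_t mlen, uint8_t out[MAC_LEN])
{
    uint64_t h = 1469598103934665603ULL;
    size_t i;
    mac_calls++;
    for (i = 0; i < klen; i++) { h ^= key[i]; h *= 1099511628211ULL; }
    for (i = 0; i < mlen; i++) { h ^= msg[i]; h *= 1099511628211ULL; }
    for (i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Constant-time comparison: 1 when the buffers differ. */
static int ct_neq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d != 0;
}

/* Assumed decrypted record layout: payload || MAC || padding, where the last
 * byte is the pad length and every pad byte repeats that value. */

/* Vulnerable shape: bail out as soon as the padding looks wrong, so a
 * bad-padding record never pays for the MAC (padding oracle via timing). */
int dtls_check_vulnerable(const uint8_t *key, size_t klen,
                          const uint8_t *rec, size_t len)
{
    uint8_t mac[MAC_LEN];
    size_t pad, plen, i;
    if (len < MAC_LEN + 1) return -1;
    pad = rec[len - 1];
    if (pad + 1 + MAC_LEN > len) return -1;                 /* no MAC work */
    for (i = 0; i < pad + 1; i++)
        if (rec[len - 1 - i] != pad) return -1;             /* no MAC work */
    plen = len - 1 - pad - MAC_LEN;
    toy_mac(key, klen, rec, plen, mac);
    return ct_neq(mac, rec + plen, MAC_LEN) ? -1 : (int)plen;
}

/* Fixed shape: record the padding verdict, keep going, always compute the MAC
 * over a well-defined length, and decide only after all work is done. */
int dtls_check_fixed(const uint8_t *key, size_t klen,
                     const uint8_t *rec, size_t len)
{
    uint8_t mac[MAC_LEN];
    size_t pad, plen, i;
    unsigned good = 1;
    if (len < MAC_LEN + 1) return -1;
    pad = rec[len - 1];
    if (pad + 1 + MAC_LEN > len) { good = 0; pad = 0; }     /* keep going */
    for (i = 0; i < pad + 1; i++)
        good &= (rec[len - 1 - i] == pad);                  /* no early exit */
    plen = len - 1 - pad - MAC_LEN;
    toy_mac(key, klen, rec, plen, mac);                     /* always */
    good &= (ct_neq(mac, rec + plen, MAC_LEN) == 0);
    return good ? (int)plen : -1;
}

/* Constructed vector: payload "hello" (5 bytes), MAC, pad length 2.
 * tamper: 0 intact, 1 pad byte larger than the record, 2 one pad byte
 * wrong, 3 payload byte flipped (good padding, bad MAC). */
static int run(int fixed, int tamper, unsigned long *macs)
{
    static const uint8_t payload[] = "hello";
    uint8_t rec[BLOCK];
    size_t plen = 5, pad = BLOCK - plen - MAC_LEN - 1;      /* = 2 */
    int v;
    memcpy(rec, payload, plen);
    toy_mac(KEY, 3, payload, plen, rec + plen);
    memset(rec + plen + MAC_LEN, (int)pad, pad + 1);
    if (tamper == 1) rec[BLOCK - 1] = 0x0f;
    if (tamper == 2) rec[plen + MAC_LEN] = (uint8_t)(pad + 1);
    if (tamper == 3) rec[0] ^= 1;
    mac_calls = 0;
    v = fixed ? dtls_check_fixed(KEY, 3, rec, BLOCK)
              : dtls_check_vulnerable(KEY, 3, rec, BLOCK);
    *macs = mac_calls;
    return v;
}

int scenario_verdict(int fixed, int tamper)
{ unsigned long m; return run(fixed, tamper, &m); }

unsigned long scenario_mac_calls(int fixed, int tamper)
{ unsigned long m; run(fixed, tamper, &m); return m; }

int main(void)
{
    static const char *names[] = {"intact", "oversized pad", "bad pad byte", "bad MAC"};
    for (int t = 0; t < 4; t++)
        printf("%-14s vulnerable: verdict %2d, MACs %lu | fixed: verdict %2d, MACs %lu\n",
               names[t], scenario_verdict(0, t), scenario_mac_calls(0, t),
               scenario_verdict(1, t), scenario_mac_calls(1, t));
    return 0;
}
```

Both checkers give the same verdicts; the difference is that the vulnerable one computes zero MACs for the two bad-padding cases and one MAC for the bad-MAC case, which is exactly the observable the attack needs. The fixed shape removes that distinction by always doing the MAC work, but note that the pad-check loop still runs a length chosen by the attacker; the residual leak from that kind of variation is a separate, later issue and is not what this bug report covers.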