From security@sco.com Fri Oct 3 05:04:23 2003 From: security@sco.com To: announce@lists.sco.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com Date: Thu, 2 Oct 2003 14:45:48 -0700 Reply-To: please_reply_to_security@sco.com Subject: [Full-Disclosure] UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 : OpenSSL Multiple Vulnerabilities To: announce@lists.sco.com bugtraq@securityfocus.com full-disclosure@lists.netsys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 : OpenSSL Multiple Vulnerabilities Advisory number: CSSA-2003-SCO.25 Issue date: 2003 October 01 Cross reference: ______________________________________________________________________________ 1. Problem Description OpenSSL is a commercial-grade, full-featured, open source toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength general purpose cryptography library. Multiple vulnerabilities have been found that could result in denial of service. NISCC (www.niscc.gov.uk) prepared a test suite to check the operation of SSL/TLS software when presented with a wide range of malformed client certificates. Dr Stephen Henson (steve@openssl.org) of the OpenSSL core team identified and prepared fixes for a number of vulnerabilities in the OpenSSL ASN1 code when running the test suite. A bug in OpenSSLs SSL/TLS protocol was also identified which causes OpenSSL to parse a client certificate from an SSL/TLS client when it should reject it as a protocol error. For the full OpenSSL advisory please see: http://www.openssl.org/news/secadv_20030930.txt The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0545 and CAN-2003-0543 and CAN-2003-0544 to these issues. CERT has assigned the names VU#935264, VU#255484 and VU#255484 to these issues. CERT VU#935264 / CAN-2003-0545: Double-free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding. CERT VU#255484 / CAN-2003-0543: Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values. CERT VU#255484 / CAN-2003-0544: OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used. 2. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- UnixWare 7.1.3, Open UNIX 8.0.0, UnixWare 7.1.1 /usr/lib/libcrypto.a /usr/lib/libcrypto.so.0.9.7 /usr/lib/libssl.a /usr/lib/libssl.so.0.9.7 3. Solution The proper solution is to install the latest packages. 4. UnixWare 7.1.3 / Open UNIX 8.0.0 / UnixWare 7.1.1 4.1 The OpenSsl package must be installed. It is located at ftp://ftp.sco.com/pub/unixware7/713/uw713up/openssl.image 4.2 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.25 4.3 Verification MD5 (erg712449.Z) = 3a52615dfa14ef4ea7be1a4221fa7aed md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.4 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: 1. Download the erg712449.Z file to the /tmp directory on your machine. 2. As root, uncompress the file and add the package to your system using these commands: $ su Password: # uncompress /tmp/erg712449.Z # pkgadd -d /tmp/erg712449 # rm /tmp/erg712449 5. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545 http://www.kb.cert.org/vuls/id/255484 http://www.kb.cert.org/vuls/id/380864 http://www.kb.cert.org/vuls/id/935264 http://www.openssl.org/news/secadv_20030930.txt http://www.uniras.gov.uk/vuls/2003/006489/tls.htm http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr885388 fz528383 erg712449. 6. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 7. Acknowledgments SCO would like to thank Dr. Stephen Henson who discovered a number of errors in the OpenSSL ASN1 code, using a test suite provided by NISCC (www.niscc.gov.uk). SCO would also like to thank NISCC for their research. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (SCO/UNIX_SVR5) iD8DBQE/fJpMaqoBO7ipriERAimTAKCD0Fc7lvB+U1Kcl7OWg8nvpW7BwgCcC5gB zjSCvwefmDABKJ6nszYaMOI= =+4qS -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html