From security@sco.com Tue Nov 15 14:03:38 2005 From: security@sco.com To: security-announce@list.sco.com Date: Tue, 15 Nov 2005 13:56:54 -0500 (EST) Subject: [Full-disclosure] SCOSA-2005.48 UnixWare 7.1.3 UnixWare 7.1.4 : OpenSSL Potential SSL 2.0 Rollback Vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: UnixWare 7.1.3 UnixWare 7.1.4 : OpenSSL Potential SSL 2.0 Rollback Vulnerability Advisory number: SCOSA-2005.48 Issue date: 2005 November 15 Cross reference: fz533160 CVE-2005-2969 ______________________________________________________________________________ 1. Problem Description A vulnerability has been found in OpenSSL which potentially affects applications that use the SSL/TLS server implementation provided by OpenSSL. Such applications are affected if they use the option SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of SSL_OP_ALL, which is intended to work around various bugs in third-party software that might prevent interoperability. The SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification step in the SSL 2.0 server supposed to prevent active protocol-version rollback attacks. With this verification step disabled, an attacker acting as a "man in the middle" can force a client and a server to negotiate the SSL 2.0 protocol even if these parties both support SSL 3.0 or TLS 1.0. The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported as a fallback only. Applications using neither SSL_OP_MSIE_SSLV2_RSA_PADDING nor SSL_OP_ALL are not affected. Also, applications that disable use of SSL 2.0 are not affected. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2969 to this issue. 2. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- UnixWare 7.1.3 All earlier OpenSSL distributions UnixWare 7.1.4 All earlier OpenSSL distributions 3. Solution The proper solution is to install the latest packages. 4. UnixWare 7.1.3 4.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.48 4.2 Verification MD5 (openssl-0.9.7i.image) = 528a4e250fe58da796bf17c71b46c48b md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: Download openssl-0.9.7i.image to the /var/spool/pkg directory. # pkgadd -d /var/spool/pkg/openssl-0.9.7i.image 5. UnixWare 7.1.4 5.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.48 5.2 Verification MD5 (openssl-0.9.7i.image) = 528a4e250fe58da796bf17c71b46c48b md5 is available for download from ftp://ftp.sco.com/pub/security/tools 5.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: Download openssl-0.9.7i.image to the /var/spool/pkg directory. # pkgadd -d /var/spool/pkg/openssl-0.9.7i.image 6. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969 http://www.openssl.org/news/secadv_20051011.txt SCO security resources: http://www.sco.com/support/security/index.html SCO security advisories via email http://www.sco.com/support/forums/security.html This security fix closes SCO incidents fz533160. 7. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (UnixWare) iD8DBQFDeivIaqoBO7ipriERApy+AJ9R0xNIZA4uHFvKZOmxiir77ZIFhQCggUyy ATHvbNOkKn7sYBLOkLK1wBg= =AX7f -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/