TSA03-014

TSA03-014 OpenSSL ASN.1 Encoding Vulnerability

Current Assessment: IMPORTANT
Initial Assessment: IMPORTANT
Current Assessment Date: September 30, 2003, 15:30 UTC
Initial Assessment Date: September 30, 2003, 15:30 UTC

Executive Summary:
OpenSSL is a code library that provides cryptographic services, used primarily by web servers conducting secure transactions.  Installations that rely on SSL to secure web service transactions need to be aware of this vulnerability and upgrade if applicable.  This will predominantly affect Apache web servers, but it applies to all OpenSSL installations.  At this time, there is no known impact on Windows installations.  Administrators are advised to upgrade to the corrected versions of OpenSSL over the next week or two.

Threat:  Low
There is currently no exploit code for this vulnerability in the wild, and it is not yet known whether this vulnerability could be adapted to malicious code such as the Linux.Slapper worm of September 2002.

Vulnerability Prevalence:  High
This OpenSSL vulnerability is most likely to affect web servers and other applications that use the SSL/TLS services provided by the OpenSSL libraries.  OpenSSL is common to many e-commerce and web server applications and is installed by default on most Unix/Linux systems.

Cost:  High
Denial of service against e-commerce servers and web servers is possible when this vulnerability is exploited.  Execution of arbitrary code is possible under some conditions.

TruSecure Comments:
TruSecure will continue to monitor for the development of new tools and malicious code exploiting this vulnerability.  TruSecure clients should also continue to monitor their applications for anomalous behavior. 

If exploit code or malicious code exploiting this vulnerability is released, this alert will be upgraded from IMPORTANT, and any additional information will be provided in an updated alert.

Summary:
OpenSSL.org has released a patch to address vulnerabilities in the ASN.1 parsing code of versions up to and including 0.9.6j and 0.9.7b.  In addition, there are vulnerabilities in the error handling of the OpenSSL SSL/TLS protocol implementation, such that a malicious client certificate could be accepted even though none was requested, resulting in a denial of service (DoS) or potentially the execution of arbitrary code within the context of the web server or application.

Affected systems include:
Apple Mac OS X versions prior to 10.2.8
Red Hat Enterprise Linux
Red Hat Linux 7.1, 7.2, 7.3, 8.0 and 9.0
SSH Communications products
RSA Networks products

The vulnerabilities are also likely to affect a large number of other Linux and Unix distributions that include a vulnerable OpenSSL version by default.

MITIGATIONS:
Updated packages are being released by vendors.  OpenSSL has released updated source releases at the following link:  http://www.openssl.org/source/
The OpenSSL security advisory describing this vulnerability can be found at:  http://www.openssl.org/news/secadv_20030930.txt

Administrators are advised to upgrade to the corrected versions of OpenSSL over the next week or two.  Many applications use OpenSSL to encrypt data or to verify certificates.  Any such applications that are statically linked to vulnerable OpenSSL libraries need to be recompiled after updated packages are applied.
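The version ranges in the Summary and the static-linking point above can be turned into a simple inventory check.  The following is an added example written for this alert, not TruSecure or OpenSSL code: it classifies an OpenSSL version string against the affected releases (up to and including 0.9.6j and 0.9.7b) and scans a binary image for embedded version strings, since a statically linked program carries its own copy of the library.  The ELF-like byte string used in the demonstration is constructed, not a real binary.

```python
"""Version check for the OpenSSL releases named in TSA03-014 (vulnerable up to
and including 0.9.6j and 0.9.7b). Added example, not TruSecure or OpenSSL code."""
import re

# Last vulnerable patch letter per affected branch, taken from the alert text.
LAST_VULNERABLE = {(0, 9, 6): "j", (0, 9, 7): "b"}

# Matches the OPENSSL_VERSION_TEXT form, e.g. "OpenSSL 0.9.7a 19 Feb 2003".
_VERSION_RE = re.compile(rb"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, letter) from a version string or bytes.
    An empty letter is the unlettered base release, which sorts before 'a'."""
    data = text.encode() if isinstance(text, str) else text
    m = _VERSION_RE.search(data)
    if not m:
        raise ValueError("no OpenSSL version string in %r" % (text,))
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter.decode()


def is_vulnerable(text):
    """True when the release is at or below the last vulnerable letter of its
    branch. Branches older than 0.9.6 fall under 'up to and including 0.9.6j';
    branches newer than 0.9.7 are outside the alert's scope."""
    major, minor, fix, letter = parse_version(text)
    branch = (major, minor, fix)
    if branch in LAST_VULNERABLE:
        return letter <= LAST_VULNERABLE[branch]
    return branch < (0, 9, 6)


def scan_binary(blob):
    """Find every embedded OpenSSL version string in a binary image (bytes) and
    classify each. 'openssl version' on the host says nothing about statically
    linked programs; the alert notes they must be recompiled after updating."""
    return [(m.group(0).decode(), is_vulnerable(m.group(0)))
            for m in _VERSION_RE.finditer(blob)]


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True).stdout
        print(out.decode().strip(), "->", "vulnerable" if is_vulnerable(out) else "not affected")
    except (OSError, ValueError) as exc:
        print("host openssl check skipped:", exc)
    # Constructed image standing in for a statically linked server binary.
    fake_binary = b"\x7fELF\x00...\x00OpenSSL 0.9.7a 19 Feb 2003\x00...\x00"
    print(scan_binary(fake_binary))
```

A version-string check can report a false positive on vendor packages that backport the fix without changing the upstream version string; confirm against the vendor's package version in those cases.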

DISCLAIMER:
Copyright 2003 TruSecure Corporation.  All rights reserved.  This Alert is the property of the TruSecure Corporation.  It may not be redistributed except within your own company or organization.  This Alert is being provided for informational purposes only and is provided "AS IS."  The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to, warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct.

Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.

IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.