Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.

According to its banner, the remote server is running a version of OpenSSL that is earlier than 0.9.7c. 

A remote attacker could trigger a denial of service or even execute arbitrary code by using an invalid client certificate.

According to its banner, the remote server is running a version of OpenSSL that is earlier than 0.9.6k. 

A remote attacker can trigger a denial of service by using an invalid client certificate.

s700_800 11.04 Webproxy server 2.1 update : 

The remote HP-UX host is affected by multiple vulnerabilities :

  - Potential Apache HTTP server vulnerabilities have been     reported: CVE-2003-0545 CVE-2003-0543 CVE-2003-0544 CERT     VU#935264 CERT VU#255484 CERT VU#255484 CERT VU#686224     CERT VU#732952 CERT VU#104280     http://www.openssl.org/news/secadv/20030930.txt.

  - Multiple stack-based buffer overflows in mod_alias and     mod_rewrite modules for Apache versions prior to 1.3.29.

s700_800 11.04 Virtualvault 4.7 TGP update : 

Potential Apache HTTP server vulnerabilities have been reported:
CVE-2003-0545 CVE-2003-0543 CVE-2003-0544 CERT VU#935264 CERT VU#255484 CERT VU#255484 CERT VU#686224 CERT VU#732952 CERT VU#104280 http://www.openssl.org/news/secadv/20030930.txt.

s700_800 11.04 Virtualvault 4.7 OWS update : 

The remote HP-UX host is affected by multiple vulnerabilities :

  - Potential Apache HTTP server vulnerabilities have been     reported: CVE-2003-0545 CVE-2003-0543 CVE-2003-0544 CERT     VU#935264 CERT VU#255484 CERT VU#255484 CERT VU#686224     CERT VU#732952 CERT VU#104280     http://www.openssl.org/news/secadv/20030930.txt.

  - Multiple stack-based buffer overflows in mod_alias and     mod_rewrite modules for Apache versions prior to 1.3.29.

s700_800 11.04 Virtualvault 4.7 IWS update : 

The remote HP-UX host is affected by multiple vulnerabilities :

  - Multiple stack-based buffer overflows in mod_alias and     mod_rewrite modules for Apache versions prior to 1.3.29.

  - Potential Apache HTTP server vulnerabilities have been     reported: CVE-2003-0545 CVE-2003-0543 CVE-2003-0544 CERT     VU#935264 CERT VU#255484 CERT VU#255484 CERT VU#686224     CERT VU#732952 CERT VU#104280     http://www.openssl.org/news/secadv/20030930.txt.

s700_800 11.04 Virtualvault 4.6 IWS update : 

Potential Apache HTTP server vulnerabilities have been reported:
CVE-2003-0545 CVE-2003-0543 CVE-2003-0544 CERT VU#935264 CERT VU#255484 CERT VU#255484 CERT VU#686224 CERT VU#732952 CERT VU#104280 http://www.openssl.org/news/secadv/20030930.txt.

s700_800 11.04 Virtualvault 4.5 IWS Update : 

Potential Apache HTTP server vulnerabilities have been reported:
CVE-2003-0545 CVE-2003-0543 CVE-2003-0544 CERT VU#935264 CERT VU#255484 CERT VU#255484 CERT VU#686224 CERT VU#732952 CERT VU#104280 http://www.openssl.org/news/secadv/20030930.txt.

s700_800 11.04 Virtualvault 4.6 TGP update : 

Potential Apache HTTP server vulnerabilities have been reported:
CVE-2003-0545 CVE-2003-0543 CVE-2003-0544 CERT VU#935264 CERT VU#255484 CERT VU#255484 CERT VU#686224 CERT VU#732952 CERT VU#104280 http://www.openssl.org/news/secadv/20030930.txt.

s700_800 11.04 Virtualvault 4.6 OWS update : 

Potential Apache HTTP server vulnerabilities have been reported:
CVE-2003-0545 CVE-2003-0543 CVE-2003-0544 CERT VU#935264 CERT VU#255484 CERT VU#255484 CERT VU#686224 CERT VU#732952 CERT VU#104280 http://www.openssl.org/news/secadv/20030930.txt.

s700_800 11.23 Bind 9.2.0 components : 

1. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in the deallocation of the corresponding data structure, corrupting the stack. This can be used as a denial of service attack. It is currently unknown whether this can be exploited to run malicious code. This issue does not affect OpenSSL 0.9.6. More details are available at: CVE-2003-0545 2. Unusual ASN.1 tag values can cause an out of bounds read under certain circumstances, resulting in a denial of service vulnerability. More details are available at:
CVE-2003-0543 CVE-2003-0544 3. A malformed public key in a certificate will crash the verify code if it is set to ignore public key decoding errors. Exploitation of an affected application would result in a denial of service vulnerability. 4. Due to an error in the SSL/TLS protocol handling, a server will parse a client certificate when one is not specifically requested.

s700_800 11.04 Virtualvault 4.5 OWS update : 

Potential Apache HTTP server vulnerabilities have been reported:
CVE-2003-0545 CVE-2003-0543 CVE-2003-0544 CERT VU#935264 CERT VU#255484 CERT VU#255484 CERT VU#686224 CERT VU#732952 CERT VU#104280 http://www.openssl.org/news/secadv/20030930.txt.

s700_800 11.04 Webproxy server 2.0 update : 

The remote HP-UX host is affected by multiple vulnerabilities :

  - Potential Apache HTTP server vulnerabilities have been     reported: CVE-2003-0545 CVE-2003-0543 CVE-2003-0544 CERT     VU#935264 CERT VU#255484 CERT VU#255484 CERT VU#686224     CERT VU#732952 CERT VU#104280     http://www.openssl.org/news/secadv/20030930.txt.

  - Multiple stack-based buffer overflows in mod_alias and     mod_rewrite modules for Apache versions prior to 1.3.29.

Steve Henson of the OpenSSL core team identified and prepared fixes for a number of vulnerabilities in the OpenSSL ASN1 code that were discovered after running a test suite by British National Infrastructure Security Coordination Centre (NISCC).

A bug in OpenSSLs SSL/TLS protocol was also identified which causes OpenSSL to parse a client certificate from an SSL/TLS client when it should reject it as a protocol error.

The Common Vulnerabilities and Exposures project identifies the following problems :

  - CAN-2003-0543 :
    Integer overflow in OpenSSL that allows remote attackers     to cause a denial of service (crash) via an SSL client     certificate with certain ASN.1 tag values.

  - CAN-2003-0544 :

    OpenSSL does not properly track the number of characters     in certain ASN.1 inputs, which allows remote attackers     to cause a denial of service (crash) via an SSL client     certificate that causes OpenSSL to read past the end of     a buffer when the long form is used.

  - CAN-2003-0545 :

    Double-free vulnerability allows remote attackers to     cause a denial of service (crash) and possibly execute     arbitrary code via an SSL client certificate with a     certain invalid ASN.1 encoding. This bug was only     present in OpenSSL 0.9.7 and is listed here only for     reference.

Dr. Stephen Henson (), using a test suite provided by NISCC (), discovered a number of errors in the OpenSSL ASN1 code. Combined with an error that causes the OpenSSL code to parse client certificates even when it should not, these errors can cause a denial of service (DoS) condition on a system using the OpenSSL code, depending on how that code is used. For example, even though apache-ssl and ssh link to OpenSSL libraries, they should not be affected by this vulnerability.
However, other SSL-enabled applications may be vulnerable and an OpenSSL upgrade is recommended.

Two bugs were discovered in OpenSSL 0.9.6 and 0.9.7 by NISCC. The parsing of unusual ASN.1 tag values can cause OpenSSL to crash, which could be triggered by a remote attacker by sending a carefully-crafted SSL client certificate to an application. Depending upon the application targetted, the effects seen will vary; in some cases a DoS (Denial of Service) could be performed, in others nothing noticeable or adverse may happen. These two vulnerabilities have been assigned CVE-2003-0543 and CVE-2003-0544.

Additionally, NISCC discovered a third bug in OpenSSL 0.9.7. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in deallocation of a structure, leading to a double free. This can be triggered by a remote attacker by sending a carefully-crafted SSL client certificate to an application. This vulnerability may be exploitable to execute arbitrary code. This vulnerability has been assigned CVE-2003-0545.

The packages provided have been built with patches provided by the OpenSSL group that resolve these issues.

A number of server applications such as OpenSSH and Apache that make use of OpenSSL need to be restarted after the update has been applied to ensure that they are protected from these issues. Users are encouraged to restart all of these services or reboot their systems.

The remote host is missing the patch for the advisory SUSE-SA:2003:043 (openssl).


OpenSSL is an implementation of the Secure Socket Layer (SSL v2/3) and Transport Layer Security (TLS v1) protocol.
While checking the openssl implementation with a tool-kit from NISCC several errors were revealed most are ASN.1 encoding issues that causes a remote denial-of-service attack on the server side and possibly lead to remote command execution.

There are two problems with ASN.1 encoding that can be triggered either by special ASN.1 encodings or by special ASN.1 tags.

In debugging mode public key decoding errors can be ignored but also lead to a crash of the verify code if an invalid public key was received from the client.

A mistake in the SSL/TLS protocol handling will make the server accept client certificates even if they are not requested. This bug makes it possible to exploit the bugs mentioned above even if client authentication is disabled.

There is not other solution known to this problem then updating to the current version from our FTP servers.

To make this update effective, restart all servers using openssl please.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.

Updated OpenSSL packages are available that fix ASN.1 parsing vulnerabilities.

OpenSSL is a commercial-grade, full-featured, and open source toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

NISCC testing of implementations of the SSL protocol uncovered two bugs in OpenSSL 0.9.6. The parsing of unusual ASN.1 tag values can cause OpenSSL to crash. A remote attacker could trigger this bug by sending a carefully crafted SSL client certificate to an application.
The effects of such an attack vary depending on the application targetted; against Apache the effects are limited, as the attack would only cause child processes to die and be replaced. An attack against other applications that use OpenSSL could result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2003-0543 and CVE-2003-0544 to this issue.

These erratum packages contain a patch provided by the OpenSSL group that protects against this issue.

Because server applications are affected by this issue, users are advised to either restart all services that use OpenSSL functionality or reboot their systems after installing these updates.

Red Hat would like to thank NISCC and Stephen Henson for their work on this vulnerability.

These packages also include a patch from OpenSSL 0.9.6f which removes the calls to abort the process in certain circumstances. Red Hat would like to thank Patrik Hornik for notifying us of this issue.

The remote host seems to be running a version of OpenSSL that is older than 0.9.6k or 0.9.7c.

There is a heap corruption bug in this version that might be exploited by an attacker to execute arbitrary code on the remote host with the privileges of the remote service.

ID	Name	Product	Family	Severity
17753	OpenSSL < 0.9.7c ASN.1 Decoding Vulnerabilities	Nessus	Web Servers	critical
17748	OpenSSL < 0.9.6k Denial of Service	Nessus	Web Servers	medium
17514	HP-UX PHSS_30058 : s700_800 11.04 Webproxy server 2.1 update	Nessus	HP-UX Local Security Checks	critical
17513	HP-UX PHSS_30057 : HPSBUX0310-284 SSRT3622 rev.3 HP-UX Apache HTTP Server Denial of Service,unauthorized access	Nessus	HP-UX Local Security Checks	critical
17512	HP-UX PHSS_30056 : s700_800 11.04 Virtualvault 4.7 OWS update	Nessus	HP-UX Local Security Checks	critical
17511	HP-UX PHSS_30055 : s700_800 11.04 Virtualvault 4.7 IWS update	Nessus	HP-UX Local Security Checks	critical
17510	HP-UX PHSS_29893 : HPSBUX0310-284 SSRT3622 rev.3 HP-UX Apache HTTP Server Denial of Service,unauthorized access	Nessus	HP-UX Local Security Checks	critical
17509	HP-UX PHSS_29892 : HPSBUX0310-284 SSRT3622 rev.3 HP-UX Apache HTTP Server Denial of Service,unauthorized access	Nessus	HP-UX Local Security Checks	critical
17508	HP-UX PHSS_29891 : HPSBUX0310-284 SSRT3622 rev.3 HP-UX Apache HTTP Server Denial of Service,unauthorized access	Nessus	HP-UX Local Security Checks	critical
17507	HP-UX PHSS_29691 : HPSBUX0310-284 SSRT3622 rev.3 HP-UX Apache HTTP Server Denial of Service,unauthorized access	Nessus	HP-UX Local Security Checks	critical
16912	HP-UX PHNE_31726 : HP-UX Running BIND v920, Remote Denial of Service (DoS) (HPSBUX00290 SSRT3622 rev.5)	Nessus	HP-UX Local Security Checks	critical
16631	HP-UX PHSS_29690 : HPSBUX0310-284 SSRT3622 rev.3 HP-UX Apache HTTP Server Denial of Service,unauthorized access	Nessus	HP-UX Local Security Checks	critical
16588	HP-UX PHSS_29894 : s700_800 11.04 Webproxy server 2.0 update	Nessus	HP-UX Local Security Checks	critical
15231	Debian DSA-394-1 : openssl095 - ASN.1 parsing vulnerability	Nessus	Debian Local Security Checks	critical
15230	Debian DSA-393-1 : openssl - denial of service	Nessus	Debian Local Security Checks	medium
14080	Mandrake Linux Security Advisory : openssl (MDKSA-2003:098)	Nessus	Mandriva Local Security Checks	critical
13811	SUSE-SA:2003:043: openssl	Nessus	SuSE Local Security Checks	critical
12425	RHEL 2.1 : openssl (RHSA-2003:293)	Nessus	Red Hat Local Security Checks	medium
11875	OpenSSL ASN.1 Parser Multiple Remote DoS	Nessus	Misc.	high

Detections

Analytics

CVE-2003-0543

high

Tenable Plugins

critical

medium

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

medium

critical

critical

medium

high