The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssl098e packages installed that are affected by multiple vulnerabilities:

  - OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d     allows remote attackers to cause a denial of service     (infinite loop and memory consumption) via malformed     ASN.1 structures that trigger an improperly handled     error condition. (CVE-2006-2937)

  - OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and     earlier versions allows attackers to cause a denial of     service (CPU consumption) via parasitic public keys with     large (1) public exponent or (2) public modulus     values in X.509 certificates that require extra time to     process when using RSA signature verification.
    (CVE-2006-2940)

  - Buffer overflow in the SSL_get_shared_ciphers function     in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and     earlier versions has unspecified impact and remote     attack vectors involving a long list of ciphers.
    (CVE-2006-3738)

  - OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8     before 0.9.8c, when using an RSA key with exponent 3,     removes PKCS-1 padding before generating a hash, which     allows remote attackers to forge a PKCS #1 v1.5     signature that is signed by that RSA key and prevents     OpenSSL from correctly verifying X.509 and other     certificates that use PKCS #1. (CVE-2006-4339)

  - The get_server_hello function in the SSLv2 client code     in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and     earlier versions allows remote servers to cause a denial     of service (client crash) via unknown vectors that     trigger a null pointer dereference. (CVE-2006-4343)

  - The BN_from_montgomery function in crypto/bn/bn_mont.c     in OpenSSL 0.9.8e and earlier does not properly perform     Montgomery multiplication, which might allow local users     to conduct a side-channel attack and retrieve RSA     private keys. (CVE-2007-3108)

  - Off-by-one error in the DTLS implementation in OpenSSL     0.9.8 before 0.9.8f allows remote attackers to execute     arbitrary code via unspecified vectors. (CVE-2007-4995)

  - Off-by-one error in the SSL_get_shared_ciphers function     in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f,     might allow remote attackers to execute arbitrary code     via a crafted packet that triggers a one-byte buffer     underflow. NOTE: this issue was introduced as a result     of a fix for CVE-2006-3738. As of 20071012, it is     unknown whether code execution is possible.
    (CVE-2007-5135)

  - OpenSSL 0.9.8i and earlier does not properly check the     return value from the EVP_VerifyFinal function, which     allows remote attackers to bypass validation of the     certificate chain via a malformed SSL/TLS signature for     DSA and ECDSA keys. (CVE-2008-5077)

  - The ASN1_STRING_print_ex function in OpenSSL before     0.9.8k allows remote attackers to cause a denial of     service (invalid memory access and application crash)     via vectors that trigger printing of a (1) BMPString or     (2) UniversalString with an invalid encoded length.
    (CVE-2009-0590)

  - The dtls1_buffer_record function in ssl/d1_pkt.c in     OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote     attackers to cause a denial of service (memory     consumption) via a large series of future epoch DTLS     records that are buffered in a queue, aka DTLS record     buffer limitation bug. (CVE-2009-1377)

  - Multiple memory leaks in the     dtls1_process_out_of_seq_message function in     ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8     versions allow remote attackers to cause a denial of     service (memory consumption) via DTLS records that (1)     are duplicates or (2) have sequence numbers much greater     than current sequence numbers, aka DTLS fragment     handling memory leak. (CVE-2009-1378)

  - Use-after-free vulnerability in the     dtls1_retrieve_buffered_fragment function in     ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote     attackers to cause a denial of service (openssl s_client     crash) and possibly have unspecified other impact via a     DTLS packet, as demonstrated by a packet from a server     that uses a crafted server certificate. (CVE-2009-1379)

  - ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote     attackers to cause a denial of service (NULL pointer     dereference and daemon crash) via a DTLS     ChangeCipherSpec packet that occurs before ClientHello.
    (CVE-2009-1386)

  - The dtls1_retrieve_buffered_fragment function in     ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows     remote attackers to cause a denial of service (NULL     pointer dereference and daemon crash) via an out-of-     sequence DTLS handshake message, related to a fragment     bug. (CVE-2009-1387)

  - The Network Security Services (NSS) library before     3.12.3, as used in Firefox; GnuTLS before 2.6.4 and     2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products     support MD2 with X.509 certificates, which might allow     remote attackers to spoof certificates by using MD2     design flaws to generate a hash collision in less than     brute-force time. NOTE: the scope of this issue is     currently limited because the amount of computation     required is still large. (CVE-2009-2409)

  - OpenSSL before 0.9.8m does not check for a NULL return     value from bn_wexpand function calls in (1)     crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3)     crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which     has unspecified impact and context-dependent attack     vectors. (CVE-2009-3245)

  - The TLS protocol, and the SSL protocol 3.0 and possibly     earlier, as used in Microsoft Internet Information     Services (IIS) 7.0, mod_ssl in the Apache HTTP Server     2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5     and earlier, Mozilla Network Security Services (NSS)     3.12.4 and earlier, multiple Cisco products, and other     products, does not properly associate renegotiation     handshakes with an existing connection, which allows     man-in-the-middle attackers to insert data into HTTPS     sessions, and possibly other types of sessions protected     by TLS or SSL, by sending an unauthenticated request     that is processed retroactively by a server in a post-     renegotiation context, related to a plaintext     injection attack, aka the Project Mogul issue.
    (CVE-2009-3555)

  - Memory leak in the zlib_stateful_finish function in     crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and     1.0.0 Beta through Beta 4 allows remote attackers to     cause a denial of service (memory consumption) via     vectors that trigger incorrect calls to the     CRYPTO_cleanup_all_ex_data function, as demonstrated by     use of SSLv3 and PHP with the Apache HTTP Server, a     related issue to CVE-2008-1678. (CVE-2009-4355)

  - The kssl_keytab_is_available function in ssl/kssl.c in     OpenSSL before 0.9.8n, when Kerberos is enabled but     Kerberos configuration files cannot be opened, does not     check a certain return value, which allows remote     attackers to cause a denial of service (NULL pointer     dereference and daemon crash) via SSL cipher     negotiation, as demonstrated by a chroot installation of     Dovecot or stunnel without Kerberos configuration files     inside the chroot. (CVE-2010-0433)

  - The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c     in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1     before 1.0.1a does not properly interpret integer data,     which allows remote attackers to conduct buffer overflow     attacks, and cause a denial of service (memory     corruption) or possibly have unspecified other impact,     via crafted DER data, as demonstrated by an X.509     certificate or an RSA public key. (CVE-2012-2110)

  - The TLS protocol 1.2 and earlier, as used in Mozilla     Firefox, Google Chrome, Qt, and other products, can     encrypt compressed data without properly obfuscating the     length of the unencrypted data, which allows man-in-the-     middle attackers to obtain plaintext HTTP headers by     observing length differences during a series of guesses     in which a string in an HTTP request potentially matches     an unknown string in an HTTP header, aka a CRIME     attack. (CVE-2012-4929)

  - OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1     before 1.0.1d does not properly perform signature     verification for OCSP responses, which allows remote     OCSP servers to cause a denial of service (NULL pointer     dereference and application crash) via an invalid key.
    (CVE-2013-0166)

  - The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0     and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and     other products, do not properly consider timing side-     channel attacks on a MAC check requirement during the     processing of malformed CBC padding, which allows remote     attackers to conduct distinguishing attacks and     plaintext-recovery attacks via statistical analysis of     timing data for crafted packets, aka the Lucky     Thirteen issue. (CVE-2013-0169)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a     memory-cache side-channel attack on ECDSA signatures     that can be mitigated through the use of blinding     during the signing process in the _gcry_ecc_ecdsa_sign     function in cipher/ecc-ecdsa.c, aka the Return Of the     Hidden Number Problem or ROHNP. To discover an ECDSA     key, the attacker needs access to either the local     machine or a different virtual machine on the same     physical host.(CVE-2018-0495)

  - OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1     before 1.0.1d does not properly perform signature     verification for OCSP responses, which allows remote     OCSP servers to cause a denial of service (NULL pointer     dereference and application crash) via an invalid     key.(CVE-2013-0166)

  - OpenSSL 1.0.2 (starting from version 1.0.2b) introduced     an 'error state' mechanism. The intent was that if a     fatal error occurred during a handshake then OpenSSL     would move into the error state and would immediately     fail if you attempted to continue the handshake. This     works as designed for the explicit handshake functions     (SSL_do_handshake(), SSL_accept() and SSL_connect()),     however due to a bug it does not work correctly if     SSL_read() or SSL_write() is called directly. In that     scenario, if the handshake fails then a fatal error     will be returned in the initial function call. If     SSL_read()/SSL_write() is subsequently called by the     application for the same SSL object then it will     succeed and the data is passed without being     decrypted/encrypted directly from the SSL/TLS record     layer. In order to exploit this issue an application     bug would have to be present that resulted in a call to     SSL_read()/SSL_write() being issued after having     already received a fatal error. OpenSSL version     1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n.
    OpenSSL 1.1.0 is not affected.(CVE-2017-3737)

  - An out-of-bounds write flaw was found in the way     OpenSSL reused certain ASN.1 structures. A remote     attacker could possibly use a specially crafted ASN.1     structure that, when parsed by an application, would     cause that application to crash.(CVE-2015-0287)

  - It was found that OpenSSL clients and servers could be     forced, via a specially crafted handshake packet, to     use weak keying material for communication. A     man-in-the-middle attacker could use this flaw to     decrypt and modify traffic between a client and a     server.(CVE-2014-0224)

  - There is an overflow bug in the AVX2 Montgomery     multiplication procedure used in exponentiation with     1024-bit moduli. No EC algorithms are affected.
    Analysis suggests that attacks against RSA and DSA as a     result of this defect would be very difficult to     perform and are not believed likely. Attacks against     DH1024 are considered just feasible, because most of     the work necessary to deduce information about a     private key may be performed offline. The amount of     resources required for such an attack would be     significant. However, for an attack on TLS to be     meaningful, the server would have to share the DH1024     private key among multiple clients, which is no longer     an option since CVE-2016-0701. This only affects     processors that support the AVX2 but not ADX extensions     like Intel Haswell (4th generation). Note: The impact     from this issue is similar to CVE-2017-3736,     CVE-2017-3732 and CVE-2015-3193. OpenSSL version     1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in     OpenSSL 1.0.2n. Due to the low severity of this issue     we are not issuing a new release of OpenSSL 1.1.0 at     this time. The fix will be included in OpenSSL 1.1.0h     when it becomes available. The fix is also available in     commit e502cc86d in the OpenSSL git     repository.(CVE-2017-3738)

  - The ssl3_send_client_key_exchange function in s3_clnt.c     in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and     1.0.1 before 1.0.1h, when an anonymous ECDH cipher     suite is used, allows remote attackers to cause a     denial of service (NULL pointer dereference and client     crash) by triggering a NULL certificate     value.(CVE-2014-3470)

  - It was discovered that the SSLv2 protocol     implementation in OpenSSL did not properly implement     the Bleichenbacher protection for export cipher suites.
    An attacker could use a SSLv2 server using OpenSSL as a     Bleichenbacher oracle.(CVE-2016-0704)

  - A NULL pointer dereference flaw was found in the way     OpenSSL performed a handshake when using the anonymous     Diffie-Hellman (DH) key exchange. A malicious server     could cause a DTLS client using OpenSSL to crash if     that client had anonymous DH cipher suites     enabled.(CVE-2014-3510)

  - While parsing an IPAddressFamily extension in an X.509     certificate, it is possible to do a one-byte overread.
    This would result in an incorrect text display of the     certificate. This bug has been present since 2006 and     is present in all versions of OpenSSL before 1.0.2m and     1.1.0g.(CVE-2017-3735)

  - The Network Security Services (NSS) library before     3.12.3, as used in Firefox GnuTLS before 2.6.4 and     2.7.4 OpenSSL 0.9.8 through 0.9.8k and other products     support MD2 with X.509 certificates, which might allow     remote attackers to spoof certificates by using MD2     design flaws to generate a hash collision in less than     brute-force time. NOTE: the scope of this issue is     currently limited because the amount of computation     required is still large.(CVE-2009-2409)

  - Constructed ASN.1 types with a recursive definition     (such as can be found in PKCS7) could eventually exceed     the stack given malicious input with excessive     recursion. This could result in a Denial Of Service     attack. There are no such structures used within     SSL/TLS that come from untrusted sources so this is     considered safe. Fixed in OpenSSL 1.1.0h (Affected     1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected     1.0.2b-1.0.2n).(CVE-2018-0739)

  - During key agreement in a TLS handshake using a DH(E)     based ciphersuite a malicious server can send a very     large prime value to the client. This will cause the     client to spend an unreasonably long period of time     generating a key for this prime resulting in a hang     until the client has finished. This could be exploited     in a Denial Of Service attack. Fixed in OpenSSL     1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL     1.0.2p-dev (Affected 1.0.2-1.0.2o).(CVE-2018-0732)

  - A NULL pointer dereference was found in the way OpenSSL     handled certain PKCS#7 inputs. An attacker able to make     an application using OpenSSL verify, decrypt, or parse     a specially crafted PKCS#7 input could cause that     application to crash. TLS/SSL clients and servers using     OpenSSL were not affected by this flaw.(CVE-2015-0289)

  - A flaw was discovered in the way OpenSSL handled DTLS     packets. A remote attacker could use this flaw to cause     a DTLS server or client using OpenSSL to crash or use     excessive amounts of memory.(CVE-2014-3506)

  - The kssl_keytab_is_available function in ssl/kssl.c in     OpenSSL before 0.9.8n, when Kerberos is enabled but     Kerberos configuration files cannot be opened, does not     check a certain return value, which allows remote     attackers to cause a denial of service (NULL pointer     dereference and daemon crash) via SSL cipher     negotiation, as demonstrated by a chroot installation     of Dovecot or stunnel without Kerberos configuration     files inside the chroot.(CVE-2010-0433)

  - It was discovered that OpenSSL would accept ephemeral     RSA keys when using non-export RSA cipher suites. A     malicious server could make a TLS/SSL client using     OpenSSL use a weaker key exchange     method.(CVE-2015-0204)

  - It was found that OpenSSL's BigNumber Squaring     implementation could produce incorrect results under     certain special conditions. This flaw could possibly     affect certain OpenSSL library functionality, such as     RSA blinding. Note that this issue occurred rarely and     with a low probability, and there is currently no known     way of exploiting it.(CVE-2014-3570)

  - It was discovered that the OBJ_obj2txt() function could     fail to properly NUL-terminate its output. This could     possibly cause an application using OpenSSL functions     to format fields of X.509 certificates to disclose     portions of its memory.(CVE-2014-3508)

  - OpenSSL RSA key generation was found to be vulnerable     to cache side-channel attacks. An attacker with     sufficient access to mount cache timing attacks during     the RSA key generation process could recover parts of     the private key.(CVE-2018-0737)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries :

  - Berkeley DB NSS module
  - cURL / libcURL
  - GnuTLS
  - Network Security Services (NSS) Library
  - OpenLDAP
  - OpenSSL
  - OpenSSL Kerberos
  - sudo

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries :

  - Apache Tomcat 
  - Apache Tomcat Manager
  - cURL 
  - Java Runtime Environment (JRE)
  - Kernel 
  - Microsoft SQL Express
  - OpenSSL
  - pam_krb5

The remote OracleVM system is missing necessary patches to address critical security updates :

  - fix for CVE-2014-0224 - SSL/TLS MITM vulnerability

  - replace expired GlobalSign Root CA certificate in     ca-bundle.crt

  - fix for CVE-2013-0169 - SSL/TLS CBC timing attack     (#907589)

  - fix for CVE-2013-0166 - DoS in OCSP signatures checking     (#908052)

  - enable compression only if explicitly asked for or     OPENSSL_DEFAULT_ZLIB environment variable is set (fixes     CVE-2012-4929 #857051)

  - use __secure_getenv everywhere instead of getenv     (#839735)

  - fix for CVE-2012-2333 - improper checking for record     length in DTLS (#820686)

  - fix for CVE-2012-2110 - memory corruption in     asn1_d2i_read_bio (#814185)

  - fix problem with the SGC restart patch that might     terminate handshake incorrectly

  - fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7     code (#802725)

  - fix for CVE-2012-1165 - NULL read dereference on bad     MIME headers (#802489)

  - fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext     recovery vulnerability and additional DTLS fixes     (#771770)

  - fix for CVE-2011-4109 - double free in policy checks     (#771771)

  - fix for CVE-2011-4576 - uninitialized SSL 3.0 padding     (#771775)

  - fix for CVE-2011-4619 - SGC restart DoS attack (#771780)

  - add known answer test for SHA2 algorithms (#740866)

  - make default private key length in certificate Makefile     2048 bits (can be changed with PRIVATE_KEY_BITS setting)     (#745410)

  - fix incorrect return value in parse_yesno (#726593)

  - added DigiCert CA certificates to ca-bundle (#735819)

  - added a new section about error states to README.FIPS     (#628976)

  - add missing DH_check_pub_key call when DH key is     computed (#698175)

  - presort list of ciphers available in SSL (#688901)

  - accept connection in s_server even if getaddrinfo fails     (#561260)

  - point to openssl dgst for list of supported digests     (#608639)

  - fix handling of future TLS versions (#599112)

  - added VeriSign Class 3 Public Primary Certification     Authority - G5 and StartCom Certification Authority     certs to ca-bundle (#675671, #617856)

  - upstream fixes for the CHIL engine (#622003, #671484)

  - add SHA-2 hashes in SSL_library_init (#676384)

  - fix CVE-2010-4180 - completely disable code for     SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462)

  - fix CVE-2009-3245 - add missing bn_wexpand return checks     (#570924)

  - fix CVE-2010-0433 - do not pass NULL princ to     krb5_kt_get_entry which in the RHEL-5 and newer versions     will crash in such case (#569774)

  - fix CVE-2009-3555 - support the safe renegotiation     extension and do not allow legacy renegotiation on the     server by default (#533125)

  - fix CVE-2009-2409 - drop MD2 algorithm from EVP tables     (#510197)

  - fix CVE-2009-4355 - do not leak memory when     CRYPTO_cleanup_all_ex_data is called prematurely by     application (#546707)

The version of OpenSSL running on the remote host is affected by the following vulnerabilities :

  - In TLS connections, certain incorrectly formatted     records can cause an OpenSSL client or server to crash     due to a read attempt at NULL. OpenSSL before 0.9.8m     does not check for a NULL return value from bn_wexpand     function calls in (1) crypto/bn/bn_div.c, (2)     crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4)     engines e_ubsec.c, which has an unspecified impact and     context-dependent attack vectors. (CVE-2009-3245)

  - The kssl_keytab_is_available function in ssl/kssl.c in     OpenSSL before 0.9.8n, when Kerberos is enabled but     Kerberos configuration files cannot be opened, does not     check a certain return value, which allows remote     attackers to cause a denial of service (NULL pointer     dereference and daemon crash) via SSL cipher     negotiation, as demonstrated by a chroot installation of     Dovecot or stunnel without Kerberos configuration files     inside the chroot. (CVE-2010-0433)

  - The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL     0.9.8f through 0.9.8m allows remote attackers to cause a     denial of service (crash) via a malformed record in a     TLS connection that triggers a NULL pointer dereference,     related to the minor version number. (CVE-2010-0740)

From Red Hat Security Advisory 2010:0162 :

Updated openssl packages that fix several security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could cause an application using the OpenSSL library to crash or, possibly, execute arbitrary code.
(CVE-2009-3245)

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746.
(CVE-2009-3555)

Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw:
http://kbase.redhat.com/faq/docs/DOC-20491

A missing return value check flaw was discovered in OpenSSL, that could possibly cause OpenSSL to call a Kerberos library function with invalid arguments, resulting in a NULL pointer dereference crash in the MIT Kerberos library. In certain configurations, a remote attacker could use this flaw to crash a TLS/SSL server using OpenSSL by requesting Kerberos cipher suites during the TLS handshake.
(CVE-2010-0433)

All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

CVE-2009-3555 TLS: MITM attacks via session renegotiation

CVE-2010-0433 openssl: crash caused by a missing krb5_sname_to_principal() return value check

CVE-2009-3245 openssl: missing bn_wexpand return value checks

It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could cause an application using the OpenSSL library to crash or, possibly, execute arbitrary code.
(CVE-2009-3245)

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746.
(CVE-2009-3555)

Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw:
http://kbase.redhat.com/faq/docs/DOC-20491

A missing return value check flaw was discovered in OpenSSL, that could possibly cause OpenSSL to call a Kerberos library function with invalid arguments, resulting in a NULL pointer dereference crash in the MIT Kerberos library. In certain configurations, a remote attacker could use this flaw to crash a TLS/SSL server using OpenSSL by requesting Kerberos cipher suites during the TLS handshake.
(CVE-2010-0433)

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

The remote host is affected by the vulnerability described in GLSA-201110-01 (OpenSSL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in OpenSSL. Please review       the CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could cause a Denial of Service, possibly       execute arbitrary code, bypass intended key requirements, force the       downgrade to unintended ciphers, bypass the need for knowledge of shared       secrets and successfully authenticate, bypass CRL validation, or obtain       sensitive information in applications that use OpenSSL.
  Workaround :

    There is no known workaround at this time.

a. vCenter Server and vCenter Update Manager update Microsoft    SQL Server 2005 Express Edition to Service Pack 3

   Microsoft SQL Server 2005 Express Edition (SQL Express)    distributed with vCenter Server 4.1 Update 1 and vCenter Update    Manager 4.1 Update 1 is upgraded from  SQL Express Service Pack 2    to SQL Express Service Pack 3, to address multiple security    issues that exist in the earlier releases of Microsoft SQL Express.

   Customers using other database solutions need not update for    these issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,    CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL    Express Service Pack 3.

b. vCenter Apache Tomcat Management Application Credential Disclosure

   The Apache Tomcat Manager application configuration file contains    logon credentials that can be read by unprivileged local users.

   The issue is resolved by removing the Manager application in    vCenter 4.1 Update 1.

   If vCenter 4.1 is updated to vCenter 4.1 Update 1 the logon    credentials are not present in the configuration file after the    update.

   VMware would like to thank Claudio Criscione of Secure Networking    for reporting this issue to us.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-2928 to this issue.

c. vCenter Server and ESX, Oracle (Sun) JRE is updated to version    1.6.0_21

   Oracle (Sun) JRE update to version 1.6.0_21, which addresses    multiple security issues that existed in earlier releases of    Oracle (Sun) JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Oracle (Sun) JRE 1.6.0_19: CVE-2009-3555, CVE-2010-0082,    CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088,    CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092,    CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837,    CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841,    CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845,    CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849,    CVE-2010-0850.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following name to the security issue fixed in    Oracle (Sun) JRE 1.6.0_20: CVE-2010-0886.

d. vCenter Update Manager Oracle (Sun) JRE is updated to version   1.5.0_26

   Oracle (Sun) JRE update to version 1.5.0_26, which addresses    multiple security issues that existed in earlier releases of    Oracle (Sun) JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Oracle (Sun) JRE 1.5.0_26: CVE-2010-3556, CVE-2010-3566,    CVE-2010-3567, CVE-2010-3550, CVE-2010-3561, CVE-2010-3573,    CVE-2010-3565,CVE-2010-3568, CVE-2010-3569,  CVE-2009-3555,    CVE-2010-1321, CVE-2010-3548, CVE-2010-3551, CVE-2010-3562,    CVE-2010-3571, CVE-2010-3554, CVE-2010-3559, CVE-2010-3572,    CVE-2010-3553, CVE-2010-3549, CVE-2010-3557, CVE-2010-3541,    CVE-2010-3574.

e. vCenter Server and ESX Apache Tomcat updated to version 6.0.28

   Apache Tomcat updated to version 6.0.28, which addresses multiple    security issues that existed in earlier releases of Apache Tomcat

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Apache Tomcat 6.0.24: CVE-2009-2693, CVE-2009-2901, CVE-2009-2902,i    and CVE-2009-3548.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Apache Tomcat 6.0.28: CVE-2010-2227, CVE-2010-1157.

f. vCenter Server third-party component OpenSSL updated to version    0.9.8n

   The version of the OpenSSL library in vCenter Server is updated to    0.9.8n.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-0740 and CVE-2010-0433 to the    issues addressed in this version of OpenSSL.

g. ESX third-party component OpenSSL updated to version 0.9.8p

   The version of the ESX OpenSSL library is updated to 0.9.8p.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-3864 and CVE-2010-2939 to the    issues addressed in this update.

h. ESXi third-party component cURL updated

   The version of cURL library in ESXi is updated.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-0734 to the issues addressed in    this update.

i. ESX third-party component pam_krb5 updated

   The version of pam_krb5 library is updated.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2008-3825 and CVE-2009-1384 to the    issues addressed in the update.

j. ESX third-party update for Service Console kernel

   The Service Console kernel is updated to include kernel version    2.6.18-194.11.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-1084, CVE-2010-2066, CVE-2010-2070,    CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524,    CVE-2010-0008, CVE-2010-0415, CVE-2010-0437, CVE-2009-4308,    CVE-2010-0003, CVE-2010-0007, CVE-2010-0307, CVE-2010-1086,    CVE-2010-0410, CVE-2010-0730, CVE-2010-1085, CVE-2010-0291,    CVE-2010-0622, CVE-2010-1087, CVE-2010-1173, CVE-2010-1437,    CVE-2010-1088, CVE-2010-1187, CVE-2010-1436, CVE-2010-1641, and    CVE-2010-3081 to the issues addressed in the update.

   Notes :
   - The update also addresses the 64-bit compatibility mode    stack pointer underflow issue identified by CVE-2010-3081. This    issue was patched in an ESX 4.1 patch prior to the release of    ESX 4.1 Update 1 and in a previous ESX 4.0 patch release.
   - The update also addresses CVE-2010-2240 for ESX 4.0.

a. Service Console update for NSS_db

   The service console package NSS_db is updated to version    nss_db-2.2-35.4.el5_5.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-0826 to this issue.

b. Service Console update for OpenLDAP

   The service console package OpenLDAP updated to version    2.3.43-12.el5.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2009-3767 to this issue.

c. Service Console update for cURL

   The service console packages for cURL updated to version    7.15.5-9.el5.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-0734 to this issue.

d. Service Console update for sudo

   The service console package sudo updated to version 1.7.2p1-7.el5_5.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-1646 to this issue.

e. Service Console update for OpenSSL, GnuTLS, NSS and NSPR

   Service Console updates for OpenSSL to version 097a-0.9.7a-9.el5_4.2    and version 0.9.8e-12.el5_4.6, GnuTLS to version 1.4.1-3.el5_4.8,    and NSS to version 3.12.6-1.3235.vmw and NSPR to version    4.8.4-1.3235.vmw. These four updates are bundled together due to    their mutual dependencies.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2009-3555, CVE-2009-2409, CVE-2009-3245    and CVE-2010-0433 to the issues addressed in this update.

This update fixes multiple bugs and security issues. It especially adds support for RFC5746.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to final release of upstream version 1.0.0. The update fixes important security vulnerabilities: CVE-2009-3245, CVE-2009-4355, CVE-2010-0433, and CVE-2010-0740. Refer to upstream CHANGES file for the detailed list of changes.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to upstream version 0.9.8n fixing multiple security issues:
CVE-2009-3555, CVE-2009-3245, CVE-2009-4355, and CVE-2010-0433. Refer to upstream CHANGES file for the detailed list of changes since version 0.9.8k :

  -     http://cvs.openssl.org/fileview?f=openssl/CHANGES&v=1.12     38.2.193

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated openssl packages that fix several security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could cause an application using the OpenSSL library to crash or, possibly, execute arbitrary code.
(CVE-2009-3245)

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746.
(CVE-2009-3555)

Refer to the following Knowledgebase article for additional details about the CVE-2009-3555 flaw:
http://kbase.redhat.com/faq/docs/DOC-20491

A missing return value check flaw was discovered in OpenSSL, that could possibly cause OpenSSL to call a Kerberos library function with invalid arguments, resulting in a NULL pointer dereference crash in the MIT Kerberos library. In certain configurations, a remote attacker could use this flaw to crash a TLS/SSL server using OpenSSL by requesting Kerberos cipher suites during the TLS handshake.
(CVE-2010-0433)

All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

This update fixes several security issues in openssl :

  - The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL     0.9.8f through 0.9.8m allows remote attackers to cause a     denial of service (crash) via a malformed record in a     TLS connection (CVE-2010-0740)

  - OpenSSL before 0.9.8m does not check for a NULL return     value from bn_wexpand function calls which has     unspecified impact and context-dependent attack vectors     (CVE-2009-3245)

  - The kssl_keytab_is_available function in ssl/kssl.c in     OpenSSL before 0.9.8n, when Kerberos is enabled but     Kerberos configuration files cannot be opened, could     allow remote attackers to cause a denial of service     (NULL pointer dereference and daemon crash)     (CVE-2010-0433)

  - Finally, this update provides support for secure     renegotiation, preventing men-in-the-middle attacks     (CVE-2009-3555).

Packages for 2008.0 and 2009.0 are provided due to the Extended Maintenance Program for those products.

Update :

Packages for 2009.0 are provided due to the Extended Maintenance Program.

New openssl packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0, and -current to fix security issues.

According to its banner, the remote web server is running a version of OpenSSL older than 0.9.8n.  Such versions have the following vulnerabilities : 

  - Kerberos-enabled versions of OpenSSL do not check the return value when Kerberos configuration files cannot be opened, leading to a crash. (CVE-2010-0433)

  - Rejecting a SSL/TLS record with and incorrect version number can lead to a crash.  This only affects version 0.9.8m if a 'short' is 1 bits.  Otherwise it affects all versions back to and including 0.9.8f. (CVE-2010-0740)

According to its banner, the remote web server is running a version of OpenSSL older than 0.9.8n.  Such versions have the following vulnerabilities :

  - Kerberos-enabled versions of OpenSSL do not check     the return value when Kerberos configuration files     cannot be opened, leading to a crash. (CVE-2010-0433)

  - Rejecting a SSL/TLS record with an incorrect version     number can lead to a crash.  This only affects version     0.9.8m if a 'short' is 16 bits.  Otherwise, it affects     all versions back to and including 0.9.8f.     (CVE-2010-0740)

ID	Name	Product	Family	Severity
127177	NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl098e Multiple Vulnerabilities (NS-SA-2019-0020)	Nessus	NewStart CGSL Local Security Checks	critical
124999	EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1546)	Nessus	Huawei Local Security Checks	high
89742	VMware ESX Multiple Vulnerabilities (VMSA-2010-0015) (remote check)	Nessus	VMware ESX Local Security Checks	critical
89674	VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0003) (remote check)	Nessus	Misc.	high
79532	OracleVM 3.2 : onpenssl (OVMSA-2014-0008)	Nessus	OracleVM Local Security Checks	high
79531	OracleVM 2.2 : openssl (OVMSA-2014-0007)	Nessus	OracleVM Local Security Checks	high
73559	AIX OpenSSL Advisory : openssl_advisory.asc	Nessus	AIX Local Security Checks	critical
68016	Oracle Linux 5 : openssl (ELSA-2010-0162)	Nessus	Oracle Linux Local Security Checks	critical
60759	Scientific Linux Security Update : openssl on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	critical
56425	GLSA-201110-01 : OpenSSL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
51971	VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX	Nessus	VMware ESX Local Security Checks	high
49703	VMSA-2010-0015 : VMware ESX third-party updates for Service Console	Nessus	VMware ESX Local Security Checks	critical
47509	Fedora 12 : openssl-1.0.0-4.fc12 (2010-8742)	Nessus	Fedora Local Security Checks	critical
47405	Fedora 13 : openssl-1.0.0-1.fc13 (2010-5744)	Nessus	Fedora Local Security Checks	critical
47385	Fedora 11 : openssl-0.9.8n-1.fc11 (2010-5357)	Nessus	Fedora Local Security Checks	critical
46273	RHEL 5 : openssl (RHSA-2010:0162)	Nessus	Red Hat Local Security Checks	critical
45563	Mandriva Linux Security Advisory : openssl (MDVSA-2010:076-1)	Nessus	Mandriva Local Security Checks	critical
45400	Slackware 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / current : openssl (SSA:2010-090-01)	Nessus	Slackware Local Security Checks	medium
45362	CentOS 5 : openssl (CESA-2010:0162)	Nessus	CentOS Local Security Checks	critical
801060	OpenSSL < 0.9.8n Multiple Vulnerabilities	Log Correlation Engine	Web Servers	medium
5487	OpenSSL < 0.9.8n Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
45359	OpenSSL < 0.9.8n Multiple Vulnerabilities	Nessus	Web Servers	medium

Detections

Analytics

CVE-2010-0433

high

Tenable Plugins

critical

high

critical

high

high

high

critical

critical

critical

critical

high

critical

critical

critical

critical

critical

critical

medium

critical

medium

medium

medium