Oracle Solaris Third-Party Patch Update : openssl (cve_2010_5298_race_conditions)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote Solaris system is missing a security patch for third-party
software.

Description :

The remote Solaris system is missing necessary patches to address
security updates :

- Race condition in the ssl3_read_bytes function in
s3_pkt.c in OpenSSL through 1.0.1g, when
SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
attackers to inject data across sessions or cause a
denial of service (use-after-free and parsing error) via
an SSL connection in a multithreaded environment.
(CVE-2010-5298)

- The ssl3_take_mac function in ssl/s3_both.c in OpenSSL
1.0.1 before 1.0.1f allows remote TLS servers to cause a
denial of service (NULL pointer dereference and
application crash) via a crafted Next Protocol
Negotiation record in a TLS handshake. (CVE-2013-4353)

- The ssl_get_algorithm2 function in ssl/s3_lib.c in
OpenSSL before 1.0.2 obtains a certain version number
from an incorrect data structure, which allows remote
attackers to cause a denial of service (daemon crash)
via crafted traffic from a TLS 1.2 client.
(CVE-2013-6449)

- The DTLS retransmission implementation in OpenSSL 1.0.0
before 1.0.0l and 1.0.1 before 1.0.1f does not properly
maintain data structures for digest and encryption
contexts, which might allow man-in-the-middle attackers
to trigger the use of a different context and cause a
denial of service (application crash) by interfering
with packet delivery, related to ssl/d1_both.c and
ssl/t1_enc.c. (CVE-2013-6450)

- The Montgomery ladder implementation in OpenSSL through
1.0.0l does not ensure that certain swap operations have
a constant-time behavior, which makes it easier for
local users to obtain ECDSA nonces via a FLUSH+RELOAD
cache side-channel attack. (CVE-2014-0076)

- The dtls1_reassemble_fragment function in d1_both.c in
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1
before 1.0.1h does not properly validate fragment
lengths in DTLS ClientHello messages, which allows
remote attackers to execute arbitrary code or cause a
denial of service (buffer overflow and application
crash) via a long non-initial fragment. (CVE-2014-0195)

- The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is
enabled, does not properly manage a buffer pointer
during certain recursive calls, which allows remote
attackers to cause a denial of service (NULL pointer
dereference and application crash) via vectors that
trigger an alert condition. (CVE-2014-0198)

- The dtls1_get_message_fragment function in d1_both.c in
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1
before 1.0.1h allows remote attackers to cause a denial
of service (recursion and client crash) via a DTLS hello
message in an invalid DTLS handshake. (CVE-2014-0221)

- The ssl3_send_client_key_exchange function in s3_clnt.c
in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and
1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite
is used, allows remote attackers to cause a denial of
service (NULL pointer dereference and client crash) by
triggering a NULL certificate value. (CVE-2014-3470)

See also :

http://www.nessus.org/u?b5f8def1
http://www.nessus.org/u?ec97a688
http://www.nessus.org/u?55c93ba5
https://blogs.oracle.com/sunsecurity/entry/cve_2014_0195_buffer_errors
https://blogs.oracle.com/sunsecurity/entry/cve_2014_0198_buffer_errors
http://www.nessus.org/u?18770424
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3470_denial_of
http://www.nessus.org/u?df4641c9

Solution :

Upgrade to Solaris 11.1.20.5.0.
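The following Python snippet is an added example, not part of this plugin or of Tenable's code, showing how a defender can check an Oracle Solaris 11 host against the fixed release named above by parsing the version of the `entire` incorporation package (as printed by `pkg list -H entire`) and comparing it with the fix. It assumes that the release "11.1.20.5.0" (Solaris 11.1 SRU 20.5) corresponds to the `entire` branch version 0.175.1.20.0.5.0, and that the `pkg list` output has the shape shown in the constructed sample lines; both are assumptions, and the sample output is constructed, not captured from a real system.

```python
import re

# ASSUMPTION: a Solaris 11 release string "11.<update>.<sru>.<build>.<respin>"
# maps onto the branch part of the 'entire' package version as
# 0.175.<update>.<sru>.0.<build>.<respin>, so "11.1.20.5.0" -> 0.175.1.20.0.5.0.
def release_to_branch(release):
    """Turn the advisory's fixed release string into a comparable tuple."""
    parts = release.split(".")
    if len(parts) != 5 or parts[0] != "11":
        raise ValueError("expected a Solaris 11 release like 11.1.20.5.0")
    update, sru, build, respin = (int(p) for p in parts[1:])
    return (0, 175, update, sru, 0, build, respin)

# Fixed release taken from the advisory's Solution section.
FIXED_BRANCH = release_to_branch("11.1.20.5.0")

# Constructed sample lines in the shape of `pkg list -H entire` output
# (NAME, VERSION, IFO flags); these are not captured from a real host.
SAMPLE_OUTPUTS = {
    "vulnerable": "entire                    0.5.11-0.175.1.19.0.6.0    i--",
    "patched":    "entire                    0.5.11-0.175.1.20.0.5.0    i--",
    "newer":      "entire                    0.5.11-0.175.1.21.0.4.1    i--",
}

def parse_entire_branch(line):
    """Extract the branch version (after '0.5.11-') of the 'entire' package
    from one line of `pkg list -H entire` output as an integer tuple.
    An optional '(publisher)' after the package name is tolerated."""
    m = re.search(r"\bentire\b(?:\s+\(\S+\))?\s+0\.5\.11-([\d.]+)", line)
    if not m:
        raise ValueError("no 'entire' package version found in line")
    return tuple(int(p) for p in m.group(1).split("."))

def is_patched(line, fixed=FIXED_BRANCH):
    """True when the installed 'entire' branch is at or above the fixed one.
    Tuple comparison orders the components numerically, left to right."""
    return parse_entire_branch(line) >= fixed

if __name__ == "__main__":
    for label, line in SAMPLE_OUTPUTS.items():
        state = "patched" if is_patched(line) else "MISSING PATCH"
        print(f"{label:10s} {parse_entire_branch(line)} -> {state}")
```

On a live host the same functions can be fed the real output of `pkg list -H entire` instead of the constructed samples; if the installed system has a third-party OpenSSL build outside the `entire` incorporation, this package-level check says nothing about it.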

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
Public Exploit Available : true

Family: Solaris Local Security Checks

Nessus Plugin ID: 80720

Bugtraq ID:

CVE ID: CVE-2010-5298
CVE-2013-4353
CVE-2013-6449
CVE-2013-6450
CVE-2014-0076
CVE-2014-0195
CVE-2014-0198
CVE-2014-0221
CVE-2014-3470
