Apache Tomcat 8.0.x < 8.0.21 Multiple Vulnerabilities (FREAK)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote Apache Tomcat server is affected by multiple
vulnerabilities.

Description :

According to its self-reported version number, the Apache Tomcat
server listening on the remote host is 8.0.x prior to 8.0.21. It is,
therefore, affected by the following vulnerabilities :

- A NULL pointer dereference flaw exists when the SSLv3
option isn't enabled and an SSLv3 ClientHello is
received. This allows a remote attacker, using an
unexpected handshake, to crash the daemon, resulting in
a denial of service. (CVE-2014-3569)

- The BIGNUM squaring (BN_sqr) implementation does not
properly calculate the square of a BIGNUM value. This
allows remote attackers to defeat cryptographic
protection mechanisms. (CVE-2014-3570)

- A NULL pointer dereference flaw exists with
dtls1_get_record() when handling DTLS messages. A remote
attacker, using a specially crafted DTLS message, can
cause a denial of service. (CVE-2014-3571)

- A flaw exists with ECDH handshakes when using an ECDSA
certificate without a ServerKeyExchange message. This
allows a remote attacker to trigger a loss of forward
secrecy from the ciphersuite. (CVE-2014-3572)

- A flaw exists when accepting non-DER variations of
certificate signature algorithms and signature encodings
due to a lack of enforcement of matches between signed
and unsigned portions. A remote attacker, by including
crafted data within a certificate's unsigned portion,
can bypass fingerprint-based certificate-blacklist
protection mechanisms. (CVE-2014-8275)

- A security feature bypass vulnerability, known as FREAK
(Factoring attack on RSA-EXPORT Keys), exists due to the
support of weak EXPORT_RSA cipher suites with keys less
than or equal to 512 bits. A man-in-the-middle attacker
may be able to downgrade the SSL/TLS connection to use
EXPORT_RSA cipher suites, whose keys can be factored in a
short amount of time, allowing the attacker to intercept
and decrypt the traffic. (CVE-2015-0204)

- A flaw exists when accepting DH certificates for client
authentication without the CertificateVerify message.
This allows a remote attacker to authenticate to the
service without a private key. (CVE-2015-0205)

- A memory leak occurs in dtls1_buffer_record()
when handling a saturation of DTLS records containing
the same sequence number but for the next epoch. This
allows a remote attacker to cause a denial of service.
(CVE-2015-0206)

- A use-after-free condition exists in the
d2i_ECPrivateKey() function due to improper processing
of malformed EC private key files during import. A
remote attacker can exploit this to dereference or free
already freed memory, resulting in a denial of service
or other unspecified impact. (CVE-2015-0209)

- An invalid read flaw exists in the ASN1_TYPE_cmp()
function due to improperly performed boolean-type
comparisons. A remote attacker can exploit this, by
sending a crafted X.509 certificate to an endpoint that
uses the certificate-verification feature, to cause an
invalid read operation, resulting in a denial of service.
(CVE-2015-0286)

- A flaw exists in the ASN1_item_ex_d2i() function due to
a failure to reinitialize 'CHOICE' and 'ADB' data
structures when reusing a structure in ASN.1 parsing.
This allows a remote attacker to cause an invalid write
operation and memory corruption, resulting in a denial
of service. (CVE-2015-0287)

- A NULL pointer dereference flaw exists in the
X509_to_X509_REQ() function due to improper processing
of certificate keys. This allows a remote attacker, via
a crafted X.509 certificate, to cause a denial of
service. (CVE-2015-0288)

- A NULL pointer dereference flaw exists in the PKCS#7
parsing code due to incorrect handling of missing outer
ContentInfo. This allows a remote attacker, using an
application that processes arbitrary PKCS#7 data and
providing malformed data with ASN.1 encoding, to cause
a denial of service. (CVE-2015-0289)

- A flaw exists in servers that both support SSLv2 and
enable export cipher suites due to improper
implementation of SSLv2. A remote attacker can exploit
this, via a crafted CLIENT-MASTER-KEY message, to cause
a denial of service. (CVE-2015-0293)

Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number.
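
The following is an added example, not the Tenable plugin's own code: a
version-range check of the kind described above, applied to self-reported
banner strings. The function names, status labels, host names and sample
banners are constructed for illustration.

```python
import re

# Range stated in this advisory: 8.0.x prior to 8.0.21.
BRANCH = (8, 0)
FIXED_PATCH = 21

# Matches banners such as "Apache Tomcat/8.0.20" or "Apache Tomcat/8.0.0-RC1".
# The third numeric component is optional so coarse banners can be detected.
_BANNER = re.compile(r"Apache Tomcat/(\d+)\.(\d+)(?:\.(\d+))?")


def classify(banner):
    """Map a self-reported banner to affected / fixed / out_of_scope / unknown."""
    m = _BANNER.search(banner or "")
    if not m:
        return "unknown"          # banner suppressed or carries no version
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) != BRANCH:
        return "out_of_scope"     # other branches are not covered by this check
    if m.group(3) is None:
        return "unknown"          # "8.0" alone is too coarse to decide
    # Pre-release suffixes (e.g. -RC1) are ignored: they predate the fix.
    return "affected" if int(m.group(3)) < FIXED_PATCH else "fixed"


def triage(inventory):
    """Classify every host in a {host: banner} mapping."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (not real hosts or scan output).
SAMPLE = {
    "app01.example.internal": "Apache Tomcat/8.0.20",
    "app02.example.internal": "Apache Tomcat/8.0.21",
    "app03.example.internal": "Apache Tomcat/8.0.0-RC1",
    "app04.example.internal": "Apache Tomcat/7.0.59",
    "app05.example.internal": "Apache Tomcat/8.0",
    "app06.example.internal": "Apache-Coyote/1.1",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:26} {status}")
```

Hosts reported as "unknown" need a direct check of the installed package,
since a suppressed or customized banner tells the check nothing.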

See also :

http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
https://www.openssl.org/news/openssl-1.0.1-notes.html
https://www.openssl.org/news/secadv/20150108.txt
https://www.openssl.org/news/vulnerabilities.html
https://www.smacktls.com/#freak
https://www.openssl.org/news/secadv/20150319.txt

Solution :

Upgrade to Apache Tomcat version 8.0.21 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false
