FreeBSD : FreeBSD -- Multiple OpenSSL vulnerabilities (7b1a4a27-600a-11e6-a6c3-14dae9d210b8) (DROWN)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

A cross-protocol attack was discovered that could lead to decryption
of TLS sessions by using a server supporting SSLv2 and EXPORT cipher
suites as a Bleichenbacher RSA padding oracle. Note that traffic
between clients and non-vulnerable servers can be decrypted provided
another server supporting SSLv2 and EXPORT ciphers (even with a
different protocol such as SMTP, IMAP or POP3) shares the RSA keys of
the non-vulnerable server. This vulnerability is known as DROWN.
[CVE-2016-0800]

A double free bug was discovered when OpenSSL parses malformed DSA
private keys and could lead to a DoS attack or memory corruption for
applications that receive DSA private keys from untrusted sources.
This scenario is considered rare. [CVE-2016-0705]

The SRP user database lookup method SRP_VBASE_get_by_user had
confusing memory management semantics; the returned pointer was
sometimes newly allocated, and sometimes owned by the callee. The
calling code has no way of distinguishing these two cases.
[CVE-2016-0798]

In the BN_hex2bn function, the number of hex digits is calculated
using an int value |i|. Later |bn_expand| is called with a value of |i
* 4|. For large values of |i| this can result in |bn_expand| not
allocating any memory because |i * 4| is negative. This can leave the
internal BIGNUM data field as NULL leading to a subsequent NULL
pointer dereference. For very large values of |i|, the calculation |i
* 4| could be a positive value smaller than |i|. In this case memory
is allocated to the internal BIGNUM data field, but it is
insufficiently sized leading to heap corruption. A similar issue
exists in BN_dec2bn. This could have security consequences if
BN_hex2bn/BN_dec2bn is ever called by user applications with very
large untrusted hex/dec data. This is anticipated to be a rare
occurrence. [CVE-2016-0797]

The internal |fmtstr| function used in processing a '%s' formatted
string in the BIO_*printf functions could overflow while calculating
the length of a string and cause an out-of-bounds read when printing
very long strings. [CVE-2016-0799]

A side-channel attack was found which makes use of cache-bank
conflicts on the Intel Sandy-Bridge microarchitecture which could lead
to the recovery of RSA keys. [CVE-2016-0702]

s2_srvr.c did not enforce that clear-key-length is 0 for non-export
ciphers. If clear-key bytes are present for these ciphers, they
displace encrypted-key bytes. [CVE-2016-0703]

s2_srvr.c overwrites the wrong bytes in the master key when applying
Bleichenbacher protection for export cipher suites. [CVE-2016-0704]
Impact : Servers that have SSLv2 protocol enabled are vulnerable to
the 'DROWN' attack which allows a remote attacker to fast attack many
recorded TLS connections made to the server, even when the client did
not make any SSLv2 connections themselves.

An attacker who can supply malformed DSA private keys to OpenSSL
applications may be able to cause memory corruption which would lead
to a Denial of Service condition. [CVE-2016-0705]

An attacker connecting with an invalid username can cause memory leak,
which could eventually lead to a Denial of Service condition.
[CVE-2016-0798]

An attacker who can inject malformed data into an application may be
able to cause memory corruption which would lead to a Denial of
Service condition. [CVE-2016-0797, CVE-2016-0799]

A local attacker who has control of code in a thread running on the
same hyper-threaded core as the victim thread which is performing
decryptions could recover RSA keys. [CVE-2016-0702]

An eavesdropper who can intercept SSLv2 handshake can conduct an
efficient divide-and-conquer key recovery attack and use the server as
an oracle to determine the SSLv2 master-key, using only 16 connections
to the server and negligible computation. [CVE-2016-0703]

An attacker can use the Bleichenbacher oracle, which enables more
efficient variant of the DROWN attack. [CVE-2016-0704]

See also :

http://www.nessus.org/u?bea3c88e

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 92921 ()

Bugtraq ID:

CVE ID: CVE-2016-0702
CVE-2016-0703
CVE-2016-0704
CVE-2016-0705
CVE-2016-0797
CVE-2016-0798
CVE-2016-0799
CVE-2016-0800

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now