Synopsis
The remote Solaris system is missing a security patch for third-party software.
Description
The remote Solaris system is missing patches that address the following security issues:
  - Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment. (CVE-2010-5298)
  - The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake. (CVE-2013-4353)
  - The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client. (CVE-2013-6449)
  - The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c. (CVE-2013-6450)
  - The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack. (CVE-2014-0076)
  - The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment. (CVE-2014-0195)
  - The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition. (CVE-2014-0198)
  - The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake. (CVE-2014-0221)
  - The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value. (CVE-2014-3470)
Solution
Upgrade to Solaris 11.1.20.5.0.
Plugin Details
File Name: solaris11_openssl_20140623.nasl
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
Vulnerability Information
CPE: cpe:/o:oracle:solaris:11.1, p-cpe:/a:oracle:solaris:openssl
Required KB Items: Host/local_checks_enabled, Host/Solaris11/release, Host/Solaris11/pkg-list
Exploit Ease: Exploits are available
Patch Publication Date: 6/23/2014
Exploitable With
Core Impact