OpenSSL 1.0.1 < 1.0.1s / 1.0.2 < 1.0.2g Multiple Vulnerabilities (DROWN)
Medium Nessus Network Monitor Plugin ID 9128
SynopsisThe remote web server is running an outdated instance of OpenSSL and thus may be missing patches for multiple vulnerabilities.
DescriptionVersions of OpenSSL prior to 1.0.1s, or 1.0.2g are unpatched for the following vulnerabilities :
- A flaw exists in the 'SRP_VBASE_get_by_user' method in the SRP Server 'apps/s_server.c' that is triggered when handling invalid usernames. With a specially crafted username, a remote attacker can cause the service to leak 300 bytes of memory per connection, exhausting available memory resources.(OSVDB 134973)
- A flaw exists in the 'doapr_outch()' function in 'crypto/bio/b_print.c' that is triggered when failing to allocate memory, as the function's return value has no way to signal this error to a calling function. This may allow a context-dependent attacker to corrupt memory and crash a process linked against the library or potentially execute arbitrary code. (OSVDB 135095)
- An out-of-bounds read flaw exists in the 'fmtstr()' function in 'crypto/bio/b_print.c' that is triggered when printing very long strings. This may allow a context-dependent attacker to crash a process linked against the library or to disclose memory contents. (OSVDB 135096)
- A NULL pointer dereference flaw exists in the 'BN_hex2bn()' and 'BN_dec2bn()' functions in 'crypto/bn/bn_print.c'. This may allow a context-dependent attacker to trigger a heap corruption, potentially allowing the execution of arbitrary code. (OSVDB 135121)
- SSLv2 contains a flaw in its implementation, allowing for a cross-protocol Bleichenbacher padding oracle attack (an adaptive chosen-ciphertext attack). Such an attack may allow a man-in-the-middle attacker to decrypt intercepted TLS connections via a series of specially crafted connections to an SSLv2 server that uses the same private key. The monitored connections required to conduct this attack can use any version of the SSL or TLS protocols, including TLS 1.2, as long as they all use the same RSA key exchange method. With each connection, the server response will vary enough so as to leak information to the attacker about the secret keys in use for the victim TLS connection. This information can in turn be used to eventually decrypt the entire TLS connection and gain access to all plaintext traffic between the victim and server. (OSVDB 135149)
- A double-free flaw exists that is triggered as user-supplied input is not properly validated when parsing malformed DSA private keys. This may allow an attacker to corrupt memory to cause a denial of service or potentially execute arbitrary code. (OSVDB 135150)
- A side-channel attack exists that is triggered during the handling of the cache-bank conflicts on the Intel Sandy-bridge microarchitecture. This may allow an attacker to gain access to RSA key information. (OSVDB 135151)
- A flaw exists in 's2_srvr.c' that is triggered as it does not properly enforce that the 'clear-key-length' is 0 for non-export ciphers. This may allow an attacker to displace encrypted-key bytes if clear-key bytes are present for these ciphers, which can allow the attacker to gain access to SSLv2 master-key information. (OSVDB 135152)
- A flaw exists in 's2_srvr.c' that is triggered when the incorrect bytes in the master-key are overwritten during the application of Bleichenbacher protection mechanisms for export cipher suites. This may allow an attacker to potentially execute more efficient variants of the DROWN attack. (OSVDB 135153)
SolutionOpenSSL versions 1.0.1s and 1.0.2g are patched against these vulnerabilities. Apply the vendors patch, or update to these versions or later.