This update for compat-openssl098 fixes various security issues and bugs :

Security issues fixed :

  - CVE-2016-0800 aka the 'DROWN' attack (bsc#968046):
    OpenSSL was vulnerable to a cross-protocol attack that     could lead to decryption of TLS sessions by using a     server supporting SSLv2 and EXPORT cipher suites as a     Bleichenbacher RSA padding oracle.

    This update changes the openssl library to :

  - Disable SSLv2 protocol support by default.

    This can be overridden by setting the environment     variable 'OPENSSL_ALLOW_SSL2' or by using     SSL_CTX_clear_options using the SSL_OP_NO_SSLv2 flag.

    Note that various services and clients had already     disabled SSL protocol 2 by default previously.

  - Disable all weak EXPORT ciphers by default. These can be     reenabled if required by old legacy software using the     environment variable 'OPENSSL_ALLOW_EXPORT'.

  - CVE-2016-0797 (bnc#968048): The BN_hex2bn() and     BN_dec2bn() functions had a bug that could result in an     attempt to de-reference a NULL pointer leading to     crashes. This could have security consequences if these     functions were ever called by user applications with     large untrusted hex/decimal data. Also, internal usage     of these functions in OpenSSL uses data from config     files or application command line arguments. If user     developed applications generated config file data based     on untrusted data, then this could have had security     consequences as well.

  - CVE-2016-0799 (bnc#968374) On many 64 bit systems, the     internal fmtstr() and doapr_outch() functions could     miscalculate the length of a string and attempt to     access out-of-bounds memory locations. These problems     could have enabled attacks where large amounts of     untrusted data is passed to the BIO_*printf functions.
    If applications use these functions in this way then     they could have been vulnerable. OpenSSL itself uses     these functions when printing out human-readable dumps     of ASN.1 data. Therefore applications that print this     data could have been vulnerable if the data is from     untrusted sources. OpenSSL command line applications     could also have been vulnerable when they print out     ASN.1 data, or if untrusted data is passed as command     line arguments. Libssl is not considered directly     vulnerable.

  - CVE-2015-3197 (bsc#963415): The SSLv2 protocol did not     block disabled ciphers.

Note that the March 1st 2016 release also references following CVEs that were fixed by us with CVE-2015-0293 in 2015 :

  - CVE-2016-0703 (bsc#968051): This issue only affected     versions of OpenSSL prior to March 19th 2015 at which     time the code was refactored to address vulnerability     CVE-2015-0293. It would have made the above 'DROWN'     attack much easier.

  - CVE-2016-0704 (bsc#968053): 'Bleichenbacher oracle in     SSLv2' This issue only affected versions of OpenSSL     prior to March 19th 2015 at which time the code was     refactored to address vulnerability CVE-2015-0293. It     would have made the above 'DROWN' attack much easier.

Also fixes the following bug :

  - Avoid running OPENSSL_config twice. This avoids breaking     engine loading and also fixes a memory leak in libssl.
    (bsc#952871)

This update was imported from the SUSE:SLE-12:Update update project.

The version of OpenSSL installed on the remote AIX host is affected by the following vulnerabilities :

  - A key disclosure vulnerability exists due to improper     handling of cache-bank conflicts on the Intel     Sandy-bridge microarchitecture. An attacker can exploit     this to gain access to RSA key information.
    (CVE-2016-0702)

  - A double-free error exists due to improper validation of     user-supplied input when parsing malformed DSA private     keys. A remote attacker can exploit this to corrupt     memory, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2016-0705)

  - A NULL pointer dereference flaw exists in the     BN_hex2bn() and BN_dec2bn() functions. A remote attacker     can exploit this to trigger a heap corruption, resulting     in the execution of arbitrary code. (CVE-2016-0797)

  - A denial of service vulnerability exists due to improper     handling of invalid usernames. A remote attacker can     exploit this, via a specially crafted username, to leak     300 bytes of memory per connection, exhausting available     memory resources. (CVE-2016-0798)

  - Multiple memory corruption issues exist that allow a     remote attacker to cause a denial of service condition     or the execution of arbitrary code. (CVE-2016-0799)

  - A flaw exists that allows a cross-protocol     Bleichenbacher padding oracle attack known as DROWN     (Decrypting RSA with Obsolete and Weakened eNcryption).
    This vulnerability exists due to a flaw in the Secure     Sockets Layer Version 2 (SSLv2) implementation, and it     allows captured TLS traffic to be decrypted. A     man-in-the-middle attacker can exploit this to decrypt     the TLS connection by utilizing previously captured     traffic and weak cryptography along with a series of     specially crafted connections to an SSLv2 server that     uses the same private key. (CVE-2016-0800)

  - A denial of service vulnerability exists due to improper     verification of memory allocation by the doapr_outch()     function in file crypto/bio/b_print.c. A remote attacker     can exploit this, via a specially crafted string, to     write data out-of-bounds or exhaust memory resources or     possibly have other unspecified impact. (CVE-2016-2842)

According to its version number, the instance of Splunk hosted on the remote web server is Enterprise 5.0.x prior to 5.0.15, 6.0.x prior to 6.0.11, 6.1.x prior to 6.1.10, 6.2.x prior to 6.2.9, 6.3.x prior to 6.3.3.4, Light 6.2.x prior to 6.2.9, or Light 6.3.x prior to 6.3.3.4.
It is, therefore, affected by the following vulnerabilities :

  - A type confusion error exists in the bundled version of     libxslt in the xsltStylePreCompute() function due to     improper handling of invalid values. A context-dependent     attacker can exploit this, via crafted XML files, to     cause a denial of service condition. (CVE-2015-7995)

  - A key disclosure vulnerability exists in the bundled     version of OpenSSL due to improper handling of     cache-bank conflicts on the Intel Sandy-bridge     microarchitecture. An attacker can exploit this to gain     access to RSA key information. (CVE-2016-0702)

  - A double-free error exists in the bundled version of     OpenSSL due to improper validation of user-supplied     input when parsing malformed DSA private keys. A remote     attacker can exploit this to corrupt memory, resulting     in a denial of service condition or the execution of     arbitrary code. (CVE-2016-0705)

  - A NULL pointer dereference flaw exists in the bundled     version of OpenSSL in the BN_hex2bn() and BN_dec2bn()     functions. A remote attacker can exploit this to trigger     a heap corruption, resulting in the execution of     arbitrary code. (CVE-2016-0797)

  - A denial of service vulnerability exists in the bundled     version of OpenSSL due to improper handling of invalid     usernames. A remote attacker can exploit this, via a     specially crafted username, to leak 300 bytes of memory     per connection, exhausting available memory resources.
    (CVE-2016-0798)

  - Multiple memory corruption issues exist in the bundled     version of OpenSSL that allow a remote attacker to cause     a denial of service condition or the execution of     arbitrary code. (CVE-2016-0799)

  - A flaw exists in the bundled version of OpenSSL that     allows a cross-protocol Bleichenbacher padding oracle     attack known as DROWN (Decrypting RSA with Obsolete and     Weakened eNcryption). This vulnerability exists due to a     flaw in the Secure Sockets Layer Version 2 (SSLv2)     implementation, and it allows captured TLS traffic to be     decrypted. A man-in-the-middle attacker can exploit this     to decrypt the TLS connection by utilizing previously     captured traffic and weak cryptography along with a     series of specially crafted connections to an SSLv2     server that uses the same private key. (CVE-2016-0800)

  - A flaw exists due to improper handling of specially     crafted HTTP requests that contain specific headers. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition.

  - A flaw exists due to improper handling of malformed HTTP     requests. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.

  - A flaw exists that is triggered when directly accessing     objects. An authenticated, remote attacker can exploit     this to disclose search logs.

  - A flaw exists due to the failure to honor the     sslVersions keyword for TLS protocol versions,     preventing users from enforcing TLS policies.

  - A path traversal vulnerability exists in the 'collect'     command due to improper sanitization of user-supplied     input. An authenticated, remote attacker can exploit     this, via a specially crafted request, to execute     arbitrary code arbitrary code with the privileges of the     user running the splunkd process.

  - A path traversal vulnerability exists in the 'inputcsv'     and 'outputcsv' commands due to improper sanitization of     user-supplied input. An authenticated, remote attacker     can exploit this, via a specially crafted request, to     can access or overwrite file paths.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP3) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN.
[CVE-2016-0800]

A double free bug was discovered when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources.
This scenario is considered rare. [CVE-2016-0705]

The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases.
[CVE-2016-0798]

In the BN_hex2bn function, the number of hex digits is calculated using an int value |i|. Later |bn_expand| is called with a value of |i
* 4|. For large values of |i| this can result in |bn_expand| not allocating any memory because |i * 4| is negative. This can leave the internal BIGNUM data field as NULL leading to a subsequent NULL pointer dereference. For very large values of |i|, the calculation |i
* 4| could be a positive value smaller than |i|. In this case memory is allocated to the internal BIGNUM data field, but it is insufficiently sized leading to heap corruption. A similar issue exists in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with very large untrusted hex/dec data. This is anticipated to be a rare occurrence. [CVE-2016-0797]

The internal |fmtstr| function used in processing a '%s' formatted string in the BIO_*printf functions could overflow while calculating the length of a string and cause an out-of-bounds read when printing very long strings. [CVE-2016-0799]

A side-channel attack was found which makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA keys. [CVE-2016-0702]

s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they displace encrypted-key bytes. [CVE-2016-0703]

s2_srvr.c overwrites the wrong bytes in the master key when applying Bleichenbacher protection for export cipher suites. [CVE-2016-0704] Impact : Servers that have SSLv2 protocol enabled are vulnerable to the 'DROWN' attack which allows a remote attacker to fast attack many recorded TLS connections made to the server, even when the client did not make any SSLv2 connections themselves.

An attacker who can supply malformed DSA private keys to OpenSSL applications may be able to cause memory corruption which would lead to a Denial of Service condition. [CVE-2016-0705]

An attacker connecting with an invalid username can cause memory leak, which could eventually lead to a Denial of Service condition.
[CVE-2016-0798]

An attacker who can inject malformed data into an application may be able to cause memory corruption which would lead to a Denial of Service condition. [CVE-2016-0797, CVE-2016-0799]

A local attacker who has control of code in a thread running on the same hyper-threaded core as the victim thread which is performing decryptions could recover RSA keys. [CVE-2016-0702]

An eavesdropper who can intercept SSLv2 handshake can conduct an efficient divide-and-conquer key recovery attack and use the server as an oracle to determine the SSLv2 master-key, using only 16 connections to the server and negligible computation. [CVE-2016-0703]

An attacker can use the Bleichenbacher oracle, which enables more efficient variant of the DROWN attack. [CVE-2016-0704]

The version of Juniper ScreenOS running on the remote host is 6.3.x prior to 6.3.0r23. It is, therefore, affected by multiple vulnerabilities in its bundled version of OpenSSL :

  - A flaw exists in the SSLv2 implementation,     specifically in the get_client_master_key() function     within file s2_srvr.c, due to accepting a nonzero     CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an     arbitrary cipher. A man-in-the-middle attacker can     exploit this to determine the MASTER-KEY value and     decrypt TLS ciphertext by leveraging a Bleichenbacher     RSA padding oracle. (CVE-2016-0703)

  - A flaw exists in the SSLv2 oracle protection mechanism,     specifically in the get_client_master_key() function     within file s2_srvr.c, due to incorrectly overwriting     MASTER-KEY bytes during use of export cipher suites.
    A remote attackers can exploit this to more easily     decrypt TLS ciphertext by leveraging a Bleichenbacher     RSA padding oracle. (CVE-2016-0704)

  - A NULL pointer dereference flaw exists in the     BN_hex2bn() and BN_dec2bn() functions. A remote attacker     can exploit this to trigger a heap corruption, resulting     in the execution of arbitrary code. (CVE-2016-0797)

  - A flaw exists that allows a cross-protocol     Bleichenbacher padding oracle attack known as DROWN     (Decrypting RSA with Obsolete and Weakened eNcryption).
    This vulnerability exists due to a flaw in the Secure     Sockets Layer Version 2 (SSLv2) implementation, and it     allows captured TLS traffic to be decrypted. A     man-in-the-middle attacker can exploit this to decrypt     the TSL connection by utilizing previously captured     traffic and weak cryptography along with a series of     specially crafted connections to an SSLv2 server that     uses the same private key. (CVE-2016-0800)

  - A heap buffer overflow condition exists in the     EVP_EncodeUpdate() function within file     crypto/evp/encode.c that is triggered when handling     a large amount of input data. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition. (CVE-2016-2105)

  - A heap buffer overflow condition exists in the     EVP_EncryptUpdate() function within file     crypto/evp/evp_enc.c that is triggered when handling a     large amount of input data after a previous call occurs     to the same function with a partial block. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-2106)

  - A remote code execution vulnerability exists in the     ASN.1 encoder due to an underflow condition that occurs     when attempting to encode the value zero represented as     a negative integer. An unauthenticated, remote attacker     can exploit this to corrupt memory, resulting in the     execution of arbitrary code. (CVE-2016-2108)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the openssl098e package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The BN_bn2dec function in crypto/bn/bn_print.c in     OpenSSL before 1.1.0 does not properly validate     division results, which allows remote attackers to     cause a denial of service (out-of-bounds write and     application crash) or possibly have unspecified other     impact via unknown vectors.(CVE-2016-2182)

  - A denial of service flaw was found in the way the     TLS/SSL protocol defined processing of ALERT packets     during a connection handshake. A remote attacker could     use this flaw to make a TLS/SSL server consume an     excessive amount of CPU and fail to accept connections     form other clients.(CVE-2016-8610)

  - A flaw was found in the way malicious SSLv2 clients     could negotiate SSLv2 ciphers that were disabled on the     server. This could result in weak SSLv2 ciphers being     used for SSLv2 connections, making them vulnerable to     man-in-the-middle attacks.(CVE-2015-3197)

  - A padding oracle flaw was found in the Secure Sockets     Layer version 2.0 (SSLv2) protocol. An attacker could     potentially use this flaw to decrypt RSA-encrypted     cipher text from a connection using a newer SSL/TLS     protocol version, allowing them to decrypt such     connections. This cross-protocol attack is publicly     referred to as DROWN.(CVE-2016-0800)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
89910	openSUSE Security Update : openssl (openSUSE-2016-327) (DROWN)	Nessus	SuSE Local Security Checks	3/14/2016	1/19/2021	critical
90448	AIX OpenSSL Advisory : openssl_advisory18.asc / openssl_advisory19.asc (DROWN)	Nessus	AIX Local Security Checks	4/13/2016	4/21/2023	critical
90705	Splunk Enterprise < 5.0.15 / 6.0.11 / 6.1.10 / 6.2.9 / 6.3.3.4 or Splunk Light < 6.2.9 / 6.3.3.4 Multiple Vulnerabilities (DROWN)	Nessus	CGI abuses	4/25/2016	11/20/2019	critical
92921	FreeBSD : FreeBSD -- Multiple OpenSSL vulnerabilities (7b1a4a27-600a-11e6-a6c3-14dae9d210b8) (DROWN)	Nessus	FreeBSD Local Security Checks	8/12/2016	1/28/2026	critical
94679	Juniper ScreenOS 6.3.x < 6.3.0r23 Multiple Vulnerabilities in OpenSSL (JSA10759) (DROWN)	Nessus	Firewalls	11/10/2016	1/19/2026	critical
99885	EulerOS 2.0 SP1 : openssl098e (EulerOS-SA-2017-1040)	Nessus	Huawei Local Security Checks	5/1/2017	12/22/2025	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical