IWS - The Information Warfare Site

Advisory 02-006

OpenSSL Vulnerability
August 01, 2002

The National Infrastructure Protection Center (NIPC) is issuing this advisory to raise awareness of multiple buffer overflows in OpenSSL (Open Secure Sockets Layer) version 0.9.6d or earlier and 0.9.7-beta2 or earlier. OpenSSL is a widely deployed, open source implementation of the SSL and Transport Layer Security (TLS) protocols. SSL and TLS provide an authenticated, encrypted connection between a client and a server on which higher level protocols such as HTTP and SMTP are carried. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code on a vulnerable server or client system. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the identified vulnerabilities:

(CAN-2002-0655) OpenSSL versions 0.9.6d and earlier, and 0.9.7-beta2, contain several buffer overflows related to the ASCII representation of integers that are exposed when running on 64-bit platforms.

(CAN-2002-0656)
The session ID a server supplies to a client during the SSLv3 handshake can be larger than the fixed-size buffer that receives it, resulting in a buffer overflow in the client.

(CAN-2002-0656)
A malformed (oversized) client master key sent by an SSLv2 client to an OpenSSL-enabled server during the handshake may result in an exploitable buffer overflow in the server. Both of these overflows are tracked under the single CVE entry CAN-2002-0656.

(CAN-2002-0657) Kerberos-enabled OpenSSL 0.9.7-beta2 servers have a stack-based buffer overflow that may allow a remote attacker to execute arbitrary code.

Description:

OpenSSL is a software package that provides strong cryptography to authentication systems, mail servers, and web servers. Affected versions of OpenSSL include 0.9.6d or earlier and 0.9.7-beta2 or earlier. While no victims had been reported at the time of this advisory, the NIPC is issuing it to emphasize the significance of these vulnerabilities. System administrators should be aware that attackers could exploit these vulnerabilities to gain remote access with the privileges of the vulnerable process, which could allow the attacker to take any action desired, such as installing malicious code, running programs, or reconfiguring the system and adding, changing, or deleting files. Additional information may be found at the following sites:

OpenSSL Security Advisory
http://www.openssl.org/news/secadv_20020730.txt

CERT Advisory CA-2002-23
http://www.cert.org/advisories/CA-2002-23.html

Red Hat
http://rhn.redhat.com/errata/RHSA-2002-155.html

Recommendation:

The NIPC strongly urges the community either to apply patches from their vendors or to upgrade to OpenSSL 0.9.6e, which according to the OpenSSL Project team contains fixes for all the vulnerabilities described above. Note that the Kerberos overflow (CAN-2002-0657) affects only the Kerberos-enabled 0.9.7 beta, which the 0.9.6 series does not include; sites running the 0.9.7 beta should obtain the corresponding fix via the OpenSSL Security Advisory listed above.

The NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate authorities. Recipients may report incidents online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.