Vulnerability Note VU#104280

Multiple vulnerabilities in SSL/TLS implementations

Overview

Multiple vulnerabilities exist in different vendors' SSL/TLS implementations. The impacts of these vulnerabilities include remote execution of arbitrary code, denial of service, and disclosure of sensitive information.

I. Description

The U.K. National Infrastructure Security Co-ordination Centre (NISCC) has reported multiple vulnerabilities in different vendors' implementations of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others. Clients and servers exchange authentication information in X.509 certificates. While the SSL and TLS protocols do not use ASN.1/BER to communicate at the application layer, they do require an ASN.1 parser to encode and decode X.509 certificates and other cryptographic elements (e.g., PKCS#1 encoded RSA values and PKCS#7 encoded S/MIME parts) at the presentation layer.

A test suite developed by NISCC has exposed vulnerabilities in a variety of SSL/TLS implementations. While most of these vulnerabilities exist in ASN.1 parsing routines, some vulnerabilities may occur elsewhere. Note that cryptographic libraries that implement SSL/TLS frequently provide more general-purpose cryptographic utility. In such libraries, it is common for ASN.1 parsing code to be shared between SSL/TLS and other cryptographic functions.
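The advisory does not describe the individual flaws, so the following is an added illustration (not code from NISCC, US-CERT, or any listed vendor) of the length checks an ASN.1 DER header parser has to apply to untrusted certificate bytes before touching the value. The type and function names are hypothetical, and the sketch handles single-byte tags and definite lengths only.

```c
#include <stddef.h>
#include <stdint.h>

/* One DER tag-length-value header (single-byte tags only). */
typedef struct { uint8_t tag; size_t hdr_len; size_t val_len; } der_tlv;
enum { DER_OK = 0, DER_TRUNCATED = -1, DER_BAD_LENGTH = -2, DER_UNSUPPORTED = -3 };

/* Constructed sample input: SEQUENCE { INTEGER 5, NULL } */
const uint8_t der_sample[] = { 0x30, 0x05, 0x02, 0x01, 0x05, 0x05, 0x00 };

/* Parse one header from untrusted buf[0..len) without reading past len. */
int der_read_tlv(const uint8_t *buf, size_t len, der_tlv *out)
{
    if (len < 2) return DER_TRUNCATED;
    if ((buf[0] & 0x1f) == 0x1f) return DER_UNSUPPORTED; /* multi-byte tag */
    size_t hdr = 2, val = 0;
    if (buf[1] < 0x80) {
        val = buf[1];                            /* short form */
    } else {
        size_t n = buf[1] & 0x7f;                /* count of length octets */
        if (n == 0) return DER_BAD_LENGTH;       /* indefinite form is BER only */
        if (n > sizeof(size_t)) return DER_BAD_LENGTH; /* would overflow val */
        if (n > len - 2) return DER_TRUNCATED;   /* length octets missing */
        for (size_t i = 0; i < n; i++)
            val = (val << 8) | buf[2 + i];
        if (buf[2] == 0 || val < 0x80) return DER_BAD_LENGTH; /* non-minimal */
        hdr += n;
    }
    if (val > len - hdr) return DER_TRUNCATED;   /* value overruns the buffer */
    out->tag = buf[0];
    out->hdr_len = hdr; out->val_len = val;
    return DER_OK;
}

/* Count elements directly inside a SEQUENCE (tag 0x30); -1 on any error. */
int der_count_children(const uint8_t *buf, size_t len)
{
    der_tlv seq, child;
    if (der_read_tlv(buf, len, &seq) != DER_OK || seq.tag != 0x30) return -1;
    const uint8_t *p = buf + seq.hdr_len;
    size_t left = seq.val_len;
    int count = 0;
    while (left > 0) {
        /* Each child is bounded by the parent's remaining bytes, not the file. */
        if (der_read_tlv(p, left, &child) != DER_OK) return -1;
        p += child.hdr_len + child.val_len;
        left -= child.hdr_len + child.val_len;
        count++;
    }
    return count;
}
```

Every declared length is compared against the bytes actually remaining in the enclosing element, so a malformed certificate is rejected rather than walked past the end of the buffer.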

Due to the general lack of specific vulnerability information, this document covers multiple vulnerabilities in different SSL/TLS implementations. Information about individual vendors is available in the Systems Affected section. Note that VU#104280 broadly covers ASN.1 related vulnerabilities in SSL/TLS implementations other than OpenSSL. VU#255484, VU#732952, VU#380864, VU#686224, and VU#935264 are specific to OpenSSL.

Further information is available in NISCC advisory 006489/TLS.

This set of vulnerabilities is different from those described in VU#748355/CA-2002-23.

II. Impact

The impacts associated with these vulnerabilities include execution of arbitrary code, denial of service, and disclosure of sensitive information.

III. Solution

Patch or Upgrade

Apply a patch or upgrade as appropriate. Information about specific vendors is available in the Systems Affected section of this document.

Systems Affected

Vendor | Status | Date Updated
3Com | Unknown | 30-Sep-2003
Alcatel | Unknown | 30-Sep-2003
Apache | Unknown | 30-Sep-2003
Apache-SSL | Unknown | 30-Sep-2003
AppGate Network Security AB | Vulnerable | 1-Oct-2003
Apple Computer Inc. | Vulnerable | 1-Oct-2003
AT&T | Unknown | 30-Sep-2003
Avaya | Unknown | 30-Sep-2003
Bitvise | Unknown | 30-Sep-2003
Borderware | Unknown | 30-Sep-2003
Check Point | Vulnerable | 22-Oct-2003
Cisco Systems Inc. | Vulnerable | 2-Oct-2003
Clavister | Not Vulnerable | 1-Oct-2003
Computer Associates | Unknown | 8-Oct-2003
Conectiva | Vulnerable | 2-Oct-2003
Covalent | Unknown | 30-Sep-2003
Cray Inc. | Vulnerable | 1-Oct-2003
cryptlib | Not Vulnerable | 22-Oct-2003
Crypto++ | Unknown | 30-Sep-2003
Data General | Unknown | 30-Sep-2003
Debian | Vulnerable | 8-Oct-2003
Entrust | Unknown | 30-Sep-2003
Extreme Networks | Unknown | 30-Sep-2003
F5 Networks | Vulnerable | 1-Oct-2003
Foundry Networks Inc. | Unknown | 30-Sep-2003
FreeBSD | Vulnerable | 22-Oct-2003
Fujitsu | Not Vulnerable | 8-Oct-2003
Gentoo Linux | Vulnerable | 2-Oct-2003
Global Technology Associates | Unknown | 30-Sep-2003
GNU Libgcrypt | Unknown | 30-Sep-2003
GNU Privacy Guard | Unknown | 30-Sep-2003
GNU TLS | Unknown | 30-Sep-2003
Guardian Digital Inc. | Vulnerable | 2-Oct-2003
Hewlett-Packard Company | Vulnerable | 23-Oct-2003
Hitachi | Vulnerable | 11-Nov-2003
IAIK | Unknown | 27-Oct-2003
IBM | Vulnerable | 1-Oct-2003
Ingrian Networks | Vulnerable | 1-Oct-2003
Intel | Unknown | 30-Sep-2003
Intoto | Unknown | 30-Sep-2003
Juniper Networks | Vulnerable | 1-Oct-2003
Linksys | Unknown | 30-Sep-2003
Lotus Software | Unknown | 30-Sep-2003
lsh | Unknown | 8-Oct-2003
Lucent Technologies | Unknown | 30-Sep-2003
MandrakeSoft | Vulnerable | 1-Oct-2003
Microsoft Corporation | Unknown | 30-Sep-2003
mod_ssl | Unknown | 30-Sep-2003
MontaVista Software | Unknown | 30-Sep-2003
NEC Corporation | Not Vulnerable | 1-Oct-2003
Neoteris | Unknown | 27-Oct-2003
NetBSD | Vulnerable | 22-Oct-2003
Netscape (AOL) NSS | Unknown | 13-Nov-2003
NetScreen Technologies Inc. | Unknown | 30-Sep-2003
Network Appliance | Unknown | 30-Sep-2003
Nokia | Unknown | 30-Sep-2003
Nortel Networks | Vulnerable | 24-Oct-2003
Novell | Vulnerable | 1-Oct-2003
OpenBSD | Vulnerable | 22-Oct-2003
OpenSSH | Not Vulnerable | 22-Oct-2003
OpenSSL | Unknown | 22-Oct-2003
Openwall GNU/*/Linux | Unknown | 1-Oct-2003
Oracle Corporation | Unknown | 2-Oct-2003
Pragma Systems | Not Vulnerable | 1-Oct-2003
Red Hat Inc. | Vulnerable | 1-Oct-2003
Riverstone Networks | Not Vulnerable | 1-Oct-2003
RSA Security | Vulnerable | 22-Oct-2003
SCO | Vulnerable | 3-Oct-2003
Secure Computing Corporation | Vulnerable | 15-Oct-2003
Sequent | Unknown | 30-Sep-2003
SGI | Vulnerable | 1-Oct-2003
Slackware | Vulnerable | 2-Oct-2003
Sony Corporation | Unknown | 30-Sep-2003
SSH Communications Security | Vulnerable | 2-Oct-2003
Stonesoft | Vulnerable | 1-Oct-2003
Stunnel | Vulnerable | 1-Oct-2003
Sun Microsystems Inc. | Vulnerable | 24-Oct-2003
SuSE Inc. | Vulnerable | 2-Oct-2003
Symantec Corporation | Unknown | 30-Sep-2003
Tawie Server Linux | Vulnerable | 2-Oct-2003
TurboLinux | Vulnerable | 2-Oct-2003
Unisys | Unknown | 30-Sep-2003
VanDyke Software Inc. | Not Vulnerable | 8-Oct-2003
WatchGuard | Unknown | 30-Sep-2003
Wind River Systems Inc. | Unknown | 30-Sep-2003
Wirex | Vulnerable | 2-Oct-2003

References


http://www.uniras.gov.uk/vuls/2003/006489/tls.htm
http://wp.netscape.com/eng/ssl3/
http://www.ietf.org/rfc/rfc2246.txt
http://www.itu.int/ITU-T/studygroups/com10/languages/
http://www.rsasecurity.com/rsalabs/pkcs/

Credit

This vulnerability was discovered and researched by NISCC.

This document was written by Art Manion.

Other Information

Date Public: 09/30/2003
Date First Published: 09/30/2003 02:57:27 PM
Date Last Updated: 08/25/2004
CERT Advisory: CA-2003-26
CVE Name:
US-CERT Technical Alerts:
Metric: 11.81
Document Revision: 26

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2003 Carnegie Mellon University