US-CERT Vulnerability Notes Database

Vulnerability Note VU#484726

OpenSSL does not adequately validate length of Kerberos ticket during SSL/TLS handshake

Overview

OpenSSL contains a vulnerability in code that processes SSL/TLS handshakes when configured to use the Kerberos cipher suites. This vulnerability could allow a remote attacker to cause OpenSSL to crash.

I. Description

OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others.

According to RFC2712, TLS allows clients and servers to negotiate cipher suites to meet specific security and administrative policies. In order to provide Kerberos-based authentication, TLS supports the Kerberos cipher suites.

Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL contain a vulnerability in code that processes SSL/TLS handshakes using Kerberos cipher suites. This vulnerability can be exploited by a remote attacker using a specially crafted SSL/TLS handshake to a server configured to use the Kerberos cipher suites. When the server attempts to process this request, OpenSSL could crash. OpenSSL 0.9.6 is not affected.

Further information is available in an advisory from OpenSSL and NISCC/224012/OpenSSL/2.

II. Impact

A remote, unauthenticated attacker could cause a denial of service in an application that uses OpenSSL with Kerberos cipher suites.

III. Solution

Upgrade or Patch

Upgrade to OpenSSL 0.9.7d. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to OpenSSL libraries.
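To find statically linked applications that still need recompiling, the following added example (not part of the original note) scans binaries for an embedded OpenSSL version banner and flags the releases listed above as affected. It assumes the binary carries OpenSSL's usual banner text; the function names are this example's own.

```python
import re
import sys

# Releases this note lists as vulnerable (0.9.6 is unaffected, 0.9.7d is the fix).
AFFECTED = {"0.9.7a", "0.9.7b", "0.9.7c"}

# Assumption: the binary carries OpenSSL's usual version banner,
# e.g. "OpenSSL 0.9.7c 30 Sep 2003".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) ")
OVERLAP = 64  # bytes carried between chunks so a split banner still matches


def embedded_versions(blob: bytes) -> set:
    """Return every OpenSSL version string found in a byte blob."""
    return {m.group(1).decode("ascii") for m in BANNER.finditer(blob)}


def affected_versions(blob: bytes) -> list:
    """Return the embedded versions that this note lists as vulnerable."""
    return sorted(embedded_versions(blob) & AFFECTED)


def scan_file(path: str, chunk_size: int = 1 << 20) -> list:
    """Scan a file in chunks and return the affected versions it embeds."""
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk
            found |= embedded_versions(window)
            tail = window[-OVERLAP:]
    return sorted(found & AFFECTED)


if __name__ == "__main__":
    # Usage: python scan_openssl.py <binary> [<binary> ...]
    status = 0
    for path in sys.argv[1:]:
        hits = scan_file(path)
        if hits:
            status = 1
            print(f"{path}: embeds OpenSSL {', '.join(hits)} (see VU#484726)")
    sys.exit(status)
```

A vendor-patched build may keep its original version string, so treat a hit as a prompt to check the vendor's status rather than as proof of exposure.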

Systems Affected

| Vendor | Status | Date Updated |
|---|---|---|
| 3Com | Unknown | 18-Mar-2004 |
| Alcatel | Unknown | 18-Mar-2004 |
| Apache | Unknown | 18-Mar-2004 |
| Apple Computer Inc. | Vulnerable | 6-May-2005 |
| AT&T | Unknown | 18-Mar-2004 |
| Avaya | Unknown | 18-Mar-2004 |
| Borderware | Unknown | 18-Mar-2004 |
| BSDI | Unknown | 18-Mar-2004 |
| Certicom | Unknown | 18-Mar-2004 |
| Check Point | Unknown | 18-Mar-2004 |
| Cisco Systems Inc. | Unknown | 18-Mar-2004 |
| Clavister | Unknown | 18-Mar-2004 |
| Computer Associates | Unknown | 18-Mar-2004 |
| Conectiva | Unknown | 18-Mar-2004 |
| Covalent | Unknown | 18-Mar-2004 |
| COVERT Labs | Unknown | 18-Mar-2004 |
| Cray Inc. | Unknown | 18-Mar-2004 |
| D-Link Systems | Unknown | 18-Mar-2004 |
| Dan Bernstein | Unknown | 18-Mar-2004 |
| Debian | Unknown | 18-Mar-2004 |
| EMC Corporation | Unknown | 18-Mar-2004 |
| Engarde | Unknown | 18-Mar-2004 |
| eSoft | Unknown | 18-Mar-2004 |
| Extreme Networks | Unknown | 18-Mar-2004 |
| F-Secure | Unknown | 18-Mar-2004 |
| F5 Networks | Unknown | 18-Mar-2004 |
| Foundry Networks Inc. | Unknown | 18-Mar-2004 |
| FreeBSD | Unknown | 18-Mar-2004 |
| FreeS/WAN | Unknown | 18-Mar-2004 |
| Fujitsu | Unknown | 18-Mar-2004 |
| Global Technology Associates | Unknown | 18-Mar-2004 |
| Hewlett-Packard Company | Unknown | 18-Mar-2004 |
| Hitachi | Unknown | 18-Mar-2004 |
| IBM | Unknown | 18-Mar-2004 |
| Ingrian Networks | Unknown | 18-Mar-2004 |
| Intel | Unknown | 18-Mar-2004 |
| Internet Initiative Japan (IIJ) | Unknown | 18-Mar-2004 |
| Intoto | Unknown | 18-Mar-2004 |
| IP Filter | Unknown | 18-Mar-2004 |
| Juniper Networks | Unknown | 18-Mar-2004 |
| KAME Project | Unknown | 18-Mar-2004 |
| Lachman | Unknown | 18-Mar-2004 |
| Linksys | Unknown | 18-Mar-2004 |
| Lotus Software | Unknown | 18-Mar-2004 |
| Lucent Technologies | Unknown | 18-Mar-2004 |
| MandrakeSoft | Unknown | 18-Mar-2004 |
| Microsoft Corporation | Unknown | 18-Mar-2004 |
| MontaVista Software | Unknown | 18-Mar-2004 |
| Multi-Tech Systems Inc. | Unknown | 18-Mar-2004 |
| Multinet | Unknown | 18-Mar-2004 |
| NCSA | Unknown | 18-Mar-2004 |
| NEC Corporation | Unknown | 18-Mar-2004 |
| NETBSD | Unknown | 18-Mar-2004 |
| NETfilter | Unknown | 18-Mar-2004 |
| NetScreen | Unknown | 18-Mar-2004 |
| Network Appliance | Unknown | 18-Mar-2004 |
| NIST | Unknown | 18-Mar-2004 |
| Nokia | Unknown | 18-Mar-2004 |
| Nortel Networks | Unknown | 18-Mar-2004 |
| Novell | Unknown | 18-Mar-2004 |
| OpenBSD | Unknown | 18-Mar-2004 |
| OpenSSL | Vulnerable | 16-Mar-2004 |
| Openwall GNU/*/Linux | Unknown | 18-Mar-2004 |
| Red Hat Inc. | Unknown | 18-Mar-2004 |
| Redback Networks Inc. | Unknown | 18-Mar-2004 |
| Riverstone Networks | Unknown | 18-Mar-2004 |
| SafeNet | Unknown | 18-Mar-2004 |
| SCO | Unknown | 18-Mar-2004 |
| Secure Computing Corporation | Unknown | 18-Mar-2004 |
| SecureWorks | Unknown | 18-Mar-2004 |
| Sequent | Unknown | 18-Mar-2004 |
| SGI | Unknown | 18-Mar-2004 |
| Sony Corporation | Unknown | 18-Mar-2004 |
| SSH Communications Security | Unknown | 18-Mar-2004 |
| Stonesoft | Unknown | 18-Mar-2004 |
| Sun Microsystems Inc. | Unknown | 18-Mar-2004 |
| SuSE Inc. | Unknown | 18-Mar-2004 |
| Symantec Corporation | Unknown | 18-Mar-2004 |
| TurboLinux | Unknown | 18-Mar-2004 |
| Unisys | Unknown | 18-Mar-2004 |
| WatchGuard | Unknown | 18-Mar-2004 |
| Wind River Systems Inc. | Unknown | 18-Mar-2004 |
| Wirex | Unknown | 18-Mar-2004 |
| ZyXEL | Unknown | 18-Mar-2004 |

References

http://www.us-cert.gov/cas/techalerts/TA04-078A.html
http://www.openssl.org/news/secadv_20040317.txt
http://www.uniras.gov.uk/l1/l2/l3/alerts2004/alert-1204.txt
http://www.openssl.org
http://www.ietf.org/rfc/rfc2712.txt

Credit

This vulnerability was discovered by the OpenSSL Project and reported by the National Infrastructure Security Co-ordination Centre (NISCC).

This document was written by Damon Morda.

Other Information

Date Public: 03/17/2004
Date First Published: 03/17/2004 09:42:47 AM
Date Last Updated: 03/26/2004
CERT Advisory:
CVE Name: CAN-2004-0112
US-CERT Technical Alerts:
Metric: 10.32
Document Revision: 28

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2004 Carnegie Mellon University