Friday, May 1, 2020

How many cLicks does it take to get the center of a 7.5 CVE Score? 1, 2, 3 - OpenSSL remote denial of service vulnerability

(The text of the links mentioned are included below.)
------------------------------------------------------------------
How many cLicks does it take to get the center of a Tootsie Pop 7.5 CVE Score? 1, 2, 3

3!tootsie pop

In wanting to protect your home lab running FreeBSD, you patch on a regular basis and do not lag to far behind of the latest RELEASE or STABLE versions.  Good!

I highly recommend that you faithfully subscribe (AND make it a PRIORITY to read) the FreeBSD Security mailing list:

https://lists.freebsd.org/mailman/listinfo/freebsd-security

to get updates on patches for security.

You use OpenSSL.   This one comes in.  What is the CVE Score?

https://www.freebsd.org/security/advisories/FreeBSD-SA-20:11.openssl.asc

FreeBSD-SA-20:11.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL remote denial of service vulnerability

Category:       contrib
Module:         openssl
Announced:      2020-04-21
Credits:        Bernd Edlinger
Affects:        FreeBSD 12.1
Corrected:      2020-04-21 15:47:58 UTC (stable/12, 12.1-STABLE)
                2020-04-21 15:53:08 UTC (releng/12.1, 12.1-RELEASE-p4)
CVE Name:       CVE-2020-1967



(And give a big thank you to Bernd Edlinger and the volunteer team who creates the email and patches!)




So, it looks like 12.1-p4 fixes this, so I think.  Try to patch 12.1-p3 up to 12.1-p4 on it but it will not apply.  




` freebsd-update fetch `
` freebsd-update install `


No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.
server1:/root # /usr/sbin/freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 12.1-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 12.1-RELEASE-p4.




It did not really patch the OS.  Let's check and update the packages.


` /usr/sbin/pkg update `
` /usr/sbin/pkg upgrade `






or the ports. (I do not suggest using DISABLE_VULNERABILITIES=yes if you can help it)


` cd /usr/ports/security/openssl `


` make DISABLE_VULNERABILITIES=yes clean deinstall install `






(reboot, just in case since that will really restart the daemons and give the correct version of the OS.)



root@server1: # ` uname -a `
FreeBSD server1.bsdramblings.com 12.1-RELEASE-p3 FreeBSD 12.1-RELEASE-p3 GENERIC  amd64






No OS updates then.  Why? Let's discuss that later.












Ok, How serious is this, it looks bad.  But how bad?  Go to the second link.  What is the CVE Score?




https://www.openssl.org/news/secadv/20200421.txt




OpenSSL Security Advisory [21 April 2020]
=========================================

Segmentation fault in SSL_check_chain (CVE-2020-1967)
=====================================================

Severity: High




Ok, High.  You got my attention.  How high? What is the CVE Score?  Go to the third link.  




https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967






Nope, not very useful, more links.  Going to the Source:  


BINGO!  A CVE Score of 7.5


https://nvd.nist.gov/vuln/detail/CVE-2020-1967




CVSS 3.x Severity and Metrics:















NIST: NVD







Base Score: 7.5 HIGH



Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H







So, why did it not patch?  Did it NOT need 12.1-RELEASE-p4 to fix it?  How about looking at the actual OpenSSL port or package








root@server1: # ` pkg info -x openssl-1.1 `





openssl-1.1.1g,1








Ok, according to what we read, it is fixed in openssl-1.1.1g.  So we are done if all the other servers also run this version.








When was it patched? April 28th on one server and April 22nd on the other.  That is pretty good since the advisory came out on April 21st.













root@server1: # `pkg info openssl | head -12 `












openssl-1.1.1g,1







Name           : openssl





Version        : 1.1.1g,1




Installed on   : Tue Apr 28 14:42:39 2020 CDT



Origin         : security/openssl



Architecture   : FreeBSD:12:amd64



Prefix         : /usr/local



Categories     : security devel



Licenses       : OpenSSL



Maintainer     : brnrd@FreeBSD.org



WWW            : https://www.openssl.org/



Comment        : TLSv1.3 capable SSL and crypto library








root@server2: # `pkg info openssl | head -12 `





openssl-1.1.1g,1



Name           : openssl



Version        : 1.1.1g,1



Installed on   : Wed Apr 22 14:10:19 2020 CDT



Origin         : security/openssl



Architecture   : FreeBSD:12:amd64



Prefix         : /usr/local



Categories     : security devel



Licenses       : OpenSSL



Maintainer     : brnrd@FreeBSD.org



WWW            : https://www.openssl.org/



Comment        : TLSv1.3 capable SSL and crypto library




















So, we are good, then?  Yes.








It did not need to update the FreeBSD base to fix the vulnerability.  It is a little confusing to see FreeBSD 12.1-RELEASE-p4 being part of the solution to fix it.  The pkg/port upgrade fixed it.  If you upgrade to FreeBSD 12.1-RELEASE-p4 then OpenSSL will also be upgraded to the correct version it seems.








fin



------------------------------------------------------------------








(The text of the links mentioned are included below.)



------------------------------------------------------------------













https://bsdsec.net/articles/freebsd-announce-freebsd-security-advisory-freebsd-sa-20-11-openssl













FreeBSD Security Advisory FreeBSD-SA-20:11.openssl




21 April, 2020 by security-advisories@freebsd.org | freebsd







-----BEGIN PGP SIGNED MESSAGE-----



Hash: SHA512







=============================================================================



FreeBSD-SA-20:11.openssl                                    Security Advisory



                                                          The FreeBSD Project







Topic:          OpenSSL remote denial of service vulnerability







Category:       contrib



Module:         openssl



Announced:      2020-04-21



Credits:        Bernd Edlinger



Affects:        FreeBSD 12.1



Corrected:      2020-04-21 15:47:58 UTC (stable/12, 12.1-STABLE)



                2020-04-21 15:53:08 UTC (releng/12.1, 12.1-RELEASE-p4)



CVE Name:       CVE-2020-1967







For general information regarding FreeBSD Security Advisories,



including descriptions of the fields above, security branches, and the



following sections, please visit <URL:https://security.FreeBSD.org/>.







I.   Background







FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is a



collaborative effort to develop a robust, commercial-grade, full-featured



Open Source toolkit for the Transport Layer Security (TLS) and Secure Sockets



Layer (SSL) protocols.  It is also a full-strength general purpose



cryptography library.







II.  Problem Description







Server or client applications that call the SSL_check_chain() function during



or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a



result of incorrect handling of the "signature_algorithms_cert" TLS



extension.  The crash occurs if an invalid or unrecognized signature



algorithm is received from the peer.







III. Impact







A malicious peer could exploit the NULL pointer dereference crash, causing a



denial of service attack.







IV.  Workaround







No workaround is available.







V.   Solution







Upgrade your vulnerable system to a supported FreeBSD stable or



release / security branch (releng) dated after the correction date.







Perform one of the following:







1) To update your vulnerable system via a binary patch:







Systems running a RELEASE version of FreeBSD on the i386 or amd64



platforms can be updated via the freebsd-update(8) utility:







# freebsd-update fetch



# freebsd-update install



# shutdown -r +10min "Rebooting for a security update"







2) To update your vulnerable system via a source code patch:







The following patches have been verified to apply to the applicable



FreeBSD release branches.







a) Download the relevant patch from the location below, and verify the



detached PGP signature using your PGP utility.







# fetch https://security.FreeBSD.org/patches/SA-20:11/openssl.patch



# fetch https://security.FreeBSD.org/patches/SA-20:11/openssl.patch.asc



# gpg --verify openssl.patch.asc







b) Apply the patch.  Execute the following commands as root:







# cd /usr/src



# patch < /path/to/patch







c) Recompile the operating system using buildworld and installworld as



described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.







Restart all daemons that use the library, or reboot the system.







VI.  Correction details







The following list contains the correction revision numbers for each



affected branch.







Branch/path                                                      Revision



- -------------------------------------------------------------------------



stable/12/                                                        r360147



releng/12.1/                                                      r360150



- -------------------------------------------------------------------------







To see which files were modified by a particular revision, run the



following command, replacing NNNNNN with the revision number, on a



machine with Subversion installed:







# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base







Or visit the following URL, replacing NNNNNN with the revision number:







<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>







VII. References







<URL:https://www.openssl.org/news/secadv/20200421.txt>







<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967>







The latest revision of this advisory is available at



<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc>



-----BEGIN PGP SIGNATURE-----







iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl6fHLBfFIAAAAAALgAo



aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD



MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n



5cJEGw/7BWgBW3Vi98Sj0OFQnKUyckFaKxOY5WNl+N2k1MC5QIwtFRknS/i4xiBe



wfpudj8PRiYe5sXC7C0vpHBB6LAq9RCflZAu3auRD/r/wShAq1wVY6nC7zJ+nXKX



r7OuUj0NBQK7Gc5k89LEeRI8qjcJv7XwUY63msVvDUzqWwZeVDufrRnSwoUi0LR/



qbya9ICb9qt7o52QNpECccEUVB4Qc1mfdESpDi/7h/JYXvLptsa/W6DtTZRlJ2n/



f/hi2ja7xUD78NlQ6Sbc17+QUFWWIvyljl255Nhi3YhjWpFSWewmJg3aLqQ3O4uB



g632jncGVFtRiDWHvUPqIx0Ephs3Ubd0llBsWXJ4uEQzeqVVVk05oomWDBjUoxW/



Iw7kfVJDBNrrIuNikhOaf3lmUEJ8iXUhg8NxLwoyq6v2SM2eFLqYxx9MLwH5RQkV



nAuWszYSnxkReUE4oGrm7Vn3Mq7yhiM8KpNS08BSADeWRWEJSsdeA5BC2bLIUgE+



UKRDYaTyLSl9knHNmCd9W/8b3w03k2E4lrosc+hiaYoVB9l83e5elQm/tgdBynmL



w653iJIoATgApXXresLW3x/by9+BhCq1fLkipDoaRZTrsg7zaYCyseDmfvmaV6Pn



x8nm+i+VHeB8hp+vurijO9wuaisPs4LNv7pPcler2LmtAGYV3Lg=



=231J



-----END PGP SIGNATURE-----



_______________________________________________



freebsd-announce@freebsd.org mailing list



https://lists.freebsd.org/mailman/listinfo/freebsd-announce



To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"







------------------------------------------------------------------









OpenSSL Security Advisory [21 April 2020]



https://www.openssl.org/news/secadv/20200421.txt







=========================================







Segmentation fault in SSL_check_chain (CVE-2020-1967)



=====================================================







Severity: High







Server or client applications that call the SSL_check_chain() function during or



after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a



result of incorrect handling of the "signature_algorithms_cert" TLS extension.



The crash occurs if an invalid or unrecognised signature algorithm is received



from the peer. This could be exploited by a malicious peer in a Denial of



Service attack.







OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue.  This



issue did not affect OpenSSL versions prior to 1.1.1d.







Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g







This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April



2020. It was found using the new static analysis pass being implemented in GCC,



-fanalyzer. Additional analysis was performed by Matt Caswell and Benjamin



Kaduk.







Note



=====







This issue did not affect OpenSSL 1.0.2 however these versions are out of



support and no longer receiving public updates. Extended support is available



for premium support customers: https://www.openssl.org/support/contracts.html







This issue did not affect OpenSSL 1.1.0 however these versions are out of



support and no longer receiving updates.







Users of these versions should upgrade to OpenSSL 1.1.1.







References



==========







URL for this Security Advisory:



https://www.openssl.org/news/secadv/20200421.txt







Note: the online version of the advisory may be updated with additional details



over time.







For details of OpenSSL severity classifications please see:



https://www.openssl.org/policies/secpolicy.html







------------------------------------------------------------------


















CVE-ID



CVE-2020-1967



Learn more at National Vulnerability Database (NVD)



• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information




Description


Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).


References


Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.






Assigning CNA


OpenSSL Software Foundation


Date Entry Created


20191203Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.


Phase (Legacy)


Assigned (20191203)


Votes (Legacy)




Comments (Legacy)






Proposed (Legacy)


N/A


This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.



   



You can also search by reference using the CVE Reference Maps.




For More Information:  CVE Request Web Form (select “Other” from dropdown)







BACK TO TOP





















------------------------------------------------------------------










































at






















Labels:
,
,
,


















No comments:















Post a Comment























        

      









Subscribe to:
Post Comments (Atom)









Solve your own problems! - rubber duck problem solving



   If you get stuck on an issue, googling the answer is not the only way to solve the problem.   Get yourself a rubber duck, use a cardboard...