Firewall Wizards mailing list archives
Re: TLS/SSL revisited slightly...
From: Eric Rescorla <ekr () rtfm com>
Date: 30 Jul 2002 09:32:09 -0700
Paul Robertson <proberts () patriot net> writes:
> Rather than reposting the Openssl-announce alert, I'll just excerpt and summarize briefly - several remotely exploitable bugs have been discovered in OpenSSL:
>
> All four of these are potentially remotely exploitable.
>
> 1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulnerability is exploitable. Exploit code is NOT available at this time.
> 2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.
> 3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issue only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled.
> 4. Various buffers for ASCII representations of integers were too small on 64 bit platforms.
>
> Obviously, TLS systems are potentially more at risk than HTTPS since TLS acts like a client (bugs #1 and #2 for sure, #3 if Kerberos support is on.)
I'm afraid this is layer confusion: TLS [RFC 2246] is simply the IETF standard version of SSLv3. Most modern SSLv3 implementations support TLS as well. HTTPS is HTTP over SSL or TLS [RFC 2818]. Consequently, it doesn't make much sense to compare TLS systems to HTTPS systems.

That said: Bugs 1 and 3 are server vulnerabilities, not client vulnerabilities, since they apply when the client sends bogus data to the server to get it to overflow. (The client master key and client key exchange are generated by the client and processed by the server.) Bug 2 is indeed a problem for clients. But 4 is probably a problem for both, depending on the exact circumstances in which integers are being parsed.
> I expect that #4 will probably cause more issues with Apache on Solaris than anything else, assuming that it isn't a client-side only issue as well. Once again, this underscores the point that adding large amounts of code (and additional protocols) can increase exposure to exploitable bugs. Patches are available on www.openssl.org. I sense a lot of browser updating in my immediate future...
None of this is really that relevant to browsers, since
neither IE nor Mozilla uses OpenSSL, but instead use their
own private things. IE uses SChannel/CAPI and Mozilla uses NSS.
-Ekr
--
[Eric Rescorla ekr () rtfm com]
http://www.rtfm.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
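
The oversized-field bugs discussed in this thread (client master key, session ID, master key) all come down to a peer-supplied length being trusted when copying into a fixed buffer. The following C code is an added example, not part of the original posts and not OpenSSL's code; the message layout, the function names and the 48-byte key limit are assumptions made for illustration, and the sample input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSION_ID 32   /* RFC 2246: opaque SessionID<0..32> */
#define MAX_KEY_FIELD  48   /* constructed limit, assumption of this example */

struct cursor { const uint8_t *p; size_t left; };
struct parsed { uint8_t sid[MAX_SESSION_ID]; size_t sid_len;
                uint8_t key[MAX_KEY_FIELD];  size_t key_len; };

/* Copy one length-prefixed field (1- or 2-byte big-endian length) sent by the
 * peer into dst. Returns 0, or -1 if the claimed length is oversized/truncated. */
int read_field(struct cursor *c, int len_bytes,
               uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    size_t claimed = 0;
    if (len_bytes != 1 && len_bytes != 2) return -1;
    if (c->left < (size_t)len_bytes) return -1;    /* truncated length prefix */
    for (int i = 0; i < len_bytes; i++)
        claimed = (claimed << 8) | c->p[i];
    c->p += len_bytes;
    c->left -= (size_t)len_bytes;
    if (claimed > dst_cap) return -1;   /* would overrun the fixed buffer */
    if (claimed > c->left) return -1;   /* would read past the received data */
    memcpy(dst, c->p, claimed);
    c->p += claimed;
    c->left -= claimed;
    *out_len = claimed;
    return 0;
}

/* Hypothetical message layout: [1-byte len][session id][2-byte len][key]. */
int parse_msg(const uint8_t *msg, size_t n, struct parsed *out)
{
    struct cursor c = { msg, n };
    if (read_field(&c, 1, out->sid, sizeof out->sid, &out->sid_len)) return -1;
    if (read_field(&c, 2, out->key, sizeof out->key, &out->key_len)) return -1;
    return c.left == 0 ? 0 : -1;        /* reject trailing bytes */
}

int main(void)
{
    uint8_t oversized[40] = { 33 };     /* constructed: claims a 33-byte session id */
    struct parsed out;
    printf("oversized session id -> %d\n", parse_msg(oversized, sizeof oversized, &out));
    return 0;
}
```

The same two checks apply on whichever side parses the field: the server for fields the client generates, and the client for the session ID the server supplies.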
