CVE-2003-0544
CVSS5.0
发布时间 :2003-11-17 00:00:00
修订时间 :2011-03-07 21:12:45
NMCOP    

[原文]OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.


[CNNVD]OpenSSL ASN.1多个解析安全漏洞(CNNVD-200311-040)

        
        OpenSSL是一种开放源码的SSL实现,用来实现网络通信的高强度加密,现在被广泛地用于各种网络应用程序中。
        OpenSSL中的ASN.1解析代码存在多个问题,远程攻击者可以利用这个漏洞对系统进行拒绝服务攻击或执行任意代码。
        漏洞问题如下:
        1、部分ASN.1编码被解析器会由于非法而拒绝,当处理对应的数据结构时会触发错误而破坏堆栈,这可用于远程拒绝服务。目前还不清楚是否可用于执行任意代码。此漏洞不影响OpenSSL 0.9.6版本。
        2、不正确ASN.1标记值可在部分条件下引起读取非法边界值(整数溢出问题),可导致拒绝服务漏洞。
        3、如果设置成忽略公钥解码错误,证书中包含畸形公钥会引起服务崩溃。公钥解码错误一般不忽略(除非在调试情况下)。目前还不清楚是否可利用执行任意代码。
        4、由于在SSL/TLS协议处理上存在错误,当没有指定请求时服务器也会解析客户端证书。这严格的来说不是一个漏洞,但是这意味着使用OpenSSL的SSL/TLS服务器可使用漏洞1,2,3进行攻击,即使没有启用客户端验证的情况下。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:openssl:openssl:0.9.6OpenSSL Project OpenSSL 0.9.6
cpe:/a:openssl:openssl:0.9.7OpenSSL Project OpenSSL 0.9.7

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:4574OpenSSL ASN.1 Inputs Character Tracking Vulnerability
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0544
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0544
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200311-040
(官方数据源) CNNVD

- 其它链接及资源

http://www.kb.cert.org/vuls/id/380864
(UNKNOWN)  CERT-VN  VU#380864
http://www.cert.org/advisories/CA-2003-26.html
(UNKNOWN)  CERT  CA-2003-26
http://www.redhat.com/support/errata/RHSA-2003-292.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:292
http://www.redhat.com/support/errata/RHSA-2003-291.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:291
http://www.vupen.com/english/advisories/2006/3900
(UNKNOWN)  VUPEN  ADV-2006-3900
http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
(UNKNOWN)  MISC  http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
http://www.linuxsecurity.com/advisories/engarde_advisory-3693.html
(UNKNOWN)  ENGARDE  ESA-20030930-027
http://www.debian.org/security/2003/dsa-394
(UNKNOWN)  DEBIAN  DSA-394
http://www.debian.org/security/2003/dsa-393
(UNKNOWN)  DEBIAN  DSA-393
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201029-1
(UNKNOWN)  SUNALERT  201029
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=104893
(UNKNOWN)  CONFIRM  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=104893
http://xforce.iss.net/xforce/xfdb/43041
(UNKNOWN)  XF  openssl-asn1-sslclient-dos(43041)
http://www.securityfocus.com/bid/8732
(UNKNOWN)  BID  8732
http://www-1.ibm.com/support/docview.wss?uid=swg21247112
(UNKNOWN)  CONFIRM  http://www-1.ibm.com/support/docview.wss?uid=swg21247112
http://secunia.com/advisories/22249
(UNKNOWN)  SECUNIA  22249

- 漏洞信息

OpenSSL ASN.1多个解析安全漏洞
中危 未知
2003-11-17 00:00:00 2010-01-28 00:00:00
远程  
        
        OpenSSL是一种开放源码的SSL实现,用来实现网络通信的高强度加密,现在被广泛地用于各种网络应用程序中。
        OpenSSL中的ASN.1解析代码存在多个问题,远程攻击者可以利用这个漏洞对系统进行拒绝服务攻击或执行任意代码。
        漏洞问题如下:
        1、部分ASN.1编码被解析器会由于非法而拒绝,当处理对应的数据结构时会触发错误而破坏堆栈,这可用于远程拒绝服务。目前还不清楚是否可用于执行任意代码。此漏洞不影响OpenSSL 0.9.6版本。
        2、不正确ASN.1标记值可在部分条件下引起读取非法边界值(整数溢出问题),可导致拒绝服务漏洞。
        3、如果设置成忽略公钥解码错误,证书中包含畸形公钥会引起服务崩溃。公钥解码错误一般不忽略(除非在调试情况下)。目前还不清楚是否可利用执行任意代码。
        4、由于在SSL/TLS协议处理上存在错误,当没有指定请求时服务器也会解析客户端证书。这严格的来说不是一个漏洞,但是这意味着使用OpenSSL的SSL/TLS服务器可使用漏洞1,2,3进行攻击,即使没有启用客户端验证的情况下。
        

- 公告与补丁

        厂商补丁:
        Debian
        ------
        Debian已经为此发布了一个安全公告(DSA-394-1)以及相应补丁:
        DSA-394-1:New openssl095 packages fix denial of service
        链接:
        http://www.debian.org/security/2002/dsa-394

        补丁下载:
        Source archives:
        
        http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.3.dsc

        Size/MD5 checksum: 631 ba6e597ab2db2984aef6c2a765ac29c0
        
        http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.3.diff.gz

        Size/MD5 checksum: 38851 6b197111a7068a7ea29ef55176771d89
        
        http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz

        Size/MD5 checksum: 1892089 99d22f1d4d23ff8b927f94a9df3997b4
        Alpha architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_alpha.deb

        Size/MD5 checksum: 497152 fe3d6854382f8dbe2d10f3f5700dd8f6
        ARM architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_arm.deb

        Size/MD5 checksum: 402498 551b79fbb80903f174d6edeffd9869df
        Intel IA-32 architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_i386.deb

        Size/MD5 checksum: 399752 2a856ac6b45d41beb0bf78880b236966
        Motorola 680x0 architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_m68k.deb

        Size/MD5 checksum: 376738 980e428e9b913672d939ebe77c18cd6d
        Big endian MIPS architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_mips.deb

        Size/MD5 checksum: 412624 b8c7cc0b4dcbf1cf03480b93c78cd610
        Little endian MIPS architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_mipsel.deb

        Size/MD5 checksum: 407388 de02385580cf33c344c1ffadcf8aed88
        PowerPC architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_powerpc.deb

        Size/MD5 checksum: 425452 c3d04af89c64e6e9f0175e6cd4997058
        Sun Sparc architecture:
        
        http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.3_sparc.deb

        Size/MD5 checksum: 412196 ae1181c2873a304c583800459da53e5a
        补丁安装方法:
        1. 手工安装补丁包:
         首先,使用下面的命令来下载补丁软件:
         # wget url (url是补丁下载链接地址)
         然后,使用下面的命令来安装补丁:
         # dpkg -i file.deb (file是相应的补丁名)
        2. 使用apt-get自动安装补丁包:
         首先,使用下面的命令更新内部数据库:
         # apt-get update
        
         然后,使用下面的命令安装更新软件包:
         # apt-get upgrade
        HP
        --
        
        http://www.debian.org/security/2003/dsa-394

        MandrakeSoft
        ------------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        MandrakeSoft Corporate Server 2.1 x86_64:
        Mandrake Upgrade libopenssl0-0.9.6i-1.6.90mdk.x86_64.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1/x86_64 FTP Folder: x86_64/corporate/2.1/RPMS/
        Mandrake Upgrade libopenssl0-devel-0.9.6i-1.6.90mdk.x86_64.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1/x86_64 FTP Folder: x86_64/corporate/2.1/RPMS/
        Mandrake Upgrade libopenssl0-static-devel-0.9.6i-1.6.90mdk.x86_64.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1/x86_64 FTP Folder: x86_64/corporate/2.1/RPMS/
        Mandrake Upgrade openssl-0.9.6i-1.6.90mdk.x86_64.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1/x86_64 FTP Folder: x86_64/corporate/2.1/RPMS/
        MandrakeSoft Corporate Server 2.1:
        Mandrake Upgrade libopenssl0-0.9.6i-1.6.90mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1 FTP Folder: corporate/2.1/RPMS/
        Mandrake Upgrade libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1 FTP Folder: corporate/2.1/RPMS/
        Mandrake Upgrade libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1 FTP Folder: corporate/2.1/RPMS/
        Mandrake Upgrade openssl-0.9.6i-1.6.90mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Corporate Server 2.1 FTP Folder: corporate/2.1/RPMS/
        MandrakeSoft Multi Network Firewall 8.2:
        Mandrake Upgrade libopenssl0-0.9.6i-1.5.82mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Multi Network Firewall 8.2 FTP Folder: mnf8.2/RPMS/
        Mandrake Upgrade openssl-0.9.6i-1.5.82mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Multi Network Firewall 8.2 FTP Folder: mnf8.2/RPMS/
        MandrakeSoft Linux Mandrake 8.2:
        Mandrake Upgrade libopenssl0-0.9.6i-1.5.82mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 8.2 FTP Folder: 8.2/RPMS/
        Mandrake Upgrade libopenssl0-devel-0.9.6i-1.5.82mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 8.2 FTP Folder: 8.2/RPMS/
        Mandrake Upgrade libopenssl0-static-devel-0.9.6i-1.5.82mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 8.2 FTP Folder: 8.2/RPMS/
        Mandrake Upgrade openssl-0.9.6i-1.5.82mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 8.2 FTP Folder: 8.2/RPMS/
        MandrakeSoft Linux Mandrake 9.0:
        Mandrake Upgrade libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 9.0 FTP Folder: 9.0/RPMS/
        Mandrake Upgrade libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm
        
        http://www.mandrakesecure.net/en/ftp.php

        Mandrake Linux 9.0 FTP Folder: 9.0/RPMS/
        Mandrake Upgrade openssl-0

- 漏洞信息 (F32590)

sslexp.c (PacketStormID:F32590)
2004-01-30 00:00:00
Bram Matthys  
exploit
CVE-2003-0545,CVE-2003-0543,CVE-2003-0544
[点击下载]

Brute forcer for OpenSSL ASN.1 parsing bugs that affects versions 0.9.6j and below and 0.9.7b and below.

- 漏洞信息 (F31738)

secadv_20030930.txt (PacketStormID:F31738)
2003-09-30 00:00:00
 
advisory,denial of service,arbitrary,vulnerability,code execution
CVE-2003-0545,CVE-2003-0543,CVE-2003-0544
[点击下载]

Three vulnerabilities lie in the ASN.1 parsing for OpenSSL versions up to 0.9.6j and 0.9.7b and all versions of SSLeay. All of the vulnerabilities result in a denial of service and there is still speculation as to whether possible arbitrary code execution is possible.

-----BEGIN PGP SIGNED MESSAGE-----

OpenSSL Security Advisory [30 September 2003]

Vulnerabilities in ASN.1 parsing
================================

NISCC (www.niscc.gov.uk) prepared a test suite to check the operation
of SSL/TLS software when presented with a wide range of malformed client
certificates.

Dr Stephen Henson (steve@openssl.org) of the OpenSSL core team
identified and prepared fixes for a number of vulnerabilities in the
OpenSSL ASN1 code when running the test suite.

A bug in OpenSSLs SSL/TLS protocol was also identified which causes
OpenSSL to parse a client certificate from an SSL/TLS client when it
should reject it as a protocol error.

Vulnerabilities
- ---------------

1. Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6.

2. Unusual ASN.1 tag values can cause an out of bounds read under
certain circumstances, resulting in a denial of service vulnerability.

3. A malformed public key in a certificate will crash the verify code if
it is set to ignore public key decoding errors. Public key decode errors
are not normally ignored, except for debugging purposes, so this is
unlikely to affect production code. Exploitation of an affected
application would result in a denial of service vulnerability.

4. Due to an error in the SSL/TLS protocol handling, a server will parse
a client certificate when one is not specifically requested. This by
itself is not strictly speaking a vulnerability but it does mean that
*all* SSL/TLS servers that use OpenSSL can be attacked using
vulnerabilities 1, 2 and 3 even if they don't enable client authentication.

Who is affected?
- ----------------

All versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all
versions of SSLeay are affected.

Any application that makes use of OpenSSL's ASN1 library to parse
untrusted data. This includes all SSL or TLS applications, those using
S/MIME (PKCS#7) or certificate generation routines.

Recommendations
- ---------------

Upgrade to OpenSSL 0.9.7c or 0.9.6k. Recompile any OpenSSL applications
statically linked to OpenSSL libraries.

References
- ----------

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0545 for issue 1:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545

and CAN-2003-0543 and CAN-2003-0544 for issue 2:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20030930.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQCVAwUBP3mNKu6tTP1JpWPZAQFjPwP/Y8epYBa9oCK69dCT5Y90kg9Ir8pYuv+q
x4NxuyhD5JaJfmStwbl3BUSE5juI0mh7d6yFjfI0Ci3sdC+5v10ZOanGwX7o4JlS
3pGSSocAEiYS59qciRLtFsCbBt8jIOCG8KiTmKO2mI5dhAEB9UqPH9e8A1Wy/8un
xjGKYbcITrM=
=fFTe
-----END PGP SIGNATURE-----

    

- 漏洞信息

3686
OpenSSL ASN.1 Client Certificate Remote Overflow DoS
Local Access Required, Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Vendor Verified

- 漏洞描述

A remote overflow exists in OpenSSL. OpenSSL fails to correctly parse ASN.1 tags in OpenSSL client certificates, resulting in a buffer overflow. With a specially crafted request, an attacker can cause denial of service in OpenSSL or an application using it, resulting in a loss of availability.

- 时间线

2003-07-14 Unknow
2003-09-30 Unknow

- 解决方案

Upgrade to version 0.9.7c or 0.9.6k or higher, as it has been reported to fix this vulnerability, and recompile any OpenSSL applications statically linked to OpenSSL libraries. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站