Bug 19446 - openssl new security issues CVE-2016-217[7-9], CVE-2016-218[0-3], CVE-2016-630[2-4,6]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/701627/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK
Keywords: validated_update
Duplicates: 18661
Depends on:
Blocks:
 
Reported: 2016-09-23 03:20 CEST by David Walser
Modified: 2017-01-31 12:08 CET

See Also:
Source RPM: openssl-1.0.2h-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2016-09-23 03:20:58 CEST
Upstream has issued an advisory today (September 22):
https://www.openssl.org/news/secadv/20160922.txt

The issues are fixed upstream in 1.0.2i.

Debian has issued an advisory for this today:
https://www.debian.org/security/2016/dsa-3673
Comment 1 David Walser 2016-09-23 21:53:19 CEST
Updated packages uploaded for Mageia 5 and Cauldron.

Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Openssl

Advisory:
========================

Updated openssl packages fix security vulnerabilities:

Guido Vranken discovered that OpenSSL uses undefined pointer arithmetic
(CVE-2016-2177).

Cesar Pereida, Billy Brumley and Yuval Yarom discovered a timing leak in the
DSA code (CVE-2016-2178).

Quan Luo and the OCAP audit team discovered denial of service vulnerabilities
in DTLS (CVE-2016-2179, CVE-2016-2181).

Shi Lei discovered an out-of-bounds memory read in TS_OBJ_print_bio() and an
out-of-bounds write in BN_bn2dec() and MDC2_Update() (CVE-2016-2180,
CVE-2016-2182, CVE-2016-6303).

DES-based cipher suites are demoted from the HIGH group to MEDIUM as a
mitigation for the SWEET32 attack (CVE-2016-2183).

Shi Lei discovered that the use of SHA512 in TLS session tickets is
susceptible to denial of service (CVE-2016-6302).

Shi Lei discovered that an excessively large OCSP status request may result in
denial of service via memory exhaustion (CVE-2016-6304).

Shi Lei discovered that missing message length validation when parsing
certificates may potentially result in denial of service (CVE-2016-6306).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6302
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6306
https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/
https://www.debian.org/security/2016/dsa-3673
========================

Updated packages in core/updates_testing:
========================
openssl-1.0.2i-1.mga5
libopenssl-engines1.0.0-1.0.2i-1.mga5
libopenssl1.0.0-1.0.2i-1.mga5
libopenssl-devel-1.0.2i-1.mga5
libopenssl-static-devel-1.0.2i-1.mga5

from openssl-1.0.2i-1.mga5.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
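
Added example (not part of the original report or of the Mageia QA procedure): the advisory above says DES-based suites are demoted from HIGH to MEDIUM for CVE-2016-2183, and that can be confirmed from `openssl ciphers -v` listings rather than only checking that the command prints output. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that DES-based suites were demoted from HIGH to MEDIUM
# (the SWEET32 mitigation, CVE-2016-2183) using `openssl ciphers -v` listings.

# Read an `openssl ciphers -v` listing on stdin and print the name of every
# suite whose Enc= column is single DES or 3DES (64-bit block ciphers).
des_suites() {
    awk '{
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Enc=(3DES|DES)\(/) { print $1; break }
    }'
}

# $1 = listing for the HIGH group, $2 = listing for the MEDIUM group.
# Succeeds only if HIGH has no DES-based suite and MEDIUM has at least one,
# i.e. the suites were moved rather than left in place or dropped.
demotion_applied() {
    high_des=$(printf '%s\n' "$1" | des_suites)
    medium_des=$(printf '%s\n' "$2" | des_suites)
    if [ -n "$high_des" ]; then
        printf 'still in HIGH: %s\n' "$(echo $high_des)" >&2
        return 1
    fi
    [ -n "$medium_des" ]
}

# Constructed sample listings (not captured from the systems in this report).
high_before() { cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
EOF
}
medium_before() { cat <<'EOF'
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
EOF
}
high_after() { high_before | grep -v 'Enc=3DES'; }
medium_after() { medium_before; high_before | grep 'Enc=3DES'; }

# On a live system, pass the real listings instead of the samples:
#   demotion_applied "$(openssl ciphers -v 'HIGH')" "$(openssl ciphers -v 'MEDIUM')"
if demotion_applied "$(high_after)" "$(medium_after)"; then
    echo "sample after update: DES-based suites are in MEDIUM only"
fi
```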

Comment 2 David Walser 2016-09-23 21:54:06 CEST
*** Bug 18661 has been marked as a duplicate of this bug. ***
Comment 3 David Walser 2016-09-26 20:41:41 CEST
There was a regression in 1.0.2i, fixed in 1.0.2j:
https://www.openssl.org/news/secadv/20160926.txt

Updated packages in core/updates_testing:
========================
openssl-1.0.2j-1.mga5
libopenssl-engines1.0.0-1.0.2j-1.mga5
libopenssl1.0.0-1.0.2j-1.mga5
libopenssl-devel-1.0.2j-1.mga5
libopenssl-static-devel-1.0.2j-1.mga5

from openssl-1.0.2j-1.mga5.src.rpm
Comment 4 Lewis Smith 2016-09-30 21:49:38 CEST
Testing M5-64

# urpmi apache-mod_ssl
# systemctl restart httpd.service
 apache-mod_ssl-2.4.10-16.4.mga5
 lib64openssl1.0.0-1.0.2j-1.mga5
 lib64openssl-devel-1.0.2j-1.mga5
 lib64openssl-engines1.0.0-1.0.2j-1.mga5
 openssl-1.0.2j-1.mga5

Used the procedure https://wiki.mageia.org/en/QA_procedure:Openssl
cross-referenced to https://bugs.mageia.org/show_bug.cgi?id=18341#c9

# openssl version -a
OpenSSL 1.0.2j  26 Sep 2016
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS
 etc etc
engines:  dynamic 

# openssl ciphers -v
outputs

CC: (none) => lewyssmith

Comment 5 Lewis Smith 2016-09-30 22:12:38 CEST
[continued]
... a *long* list.

 # openssl ciphers -v -tls1
 # openssl ciphers -v 'HIGH'
 # openssl ciphers -v 'AES+HIGH'
all output long lists.

 # openssl speed
Doing mdc2 for 3s on 16 size blocks: 1523544 mdc2's in 3.00s
Doing mdc2 for 3s on 64 size blocks: 407943 mdc2's in 3.00s
Doing mdc2 for 3s on 256 size blocks: 103829 mdc2's in 2.99s
Doing mdc2 for 3s on 1024 size blocks: 26024 mdc2's in 3.00s
Doing mdc2 for 3s on 8192 size blocks: 3261 mdc2's in 3.00s
 etc etc to
 163 bit ecdh (nistb163)   0.0020s    508.3
 233 bit ecdh (nistb233)   0.0027s    366.3
 283 bit ecdh (nistb283)   0.0063s    159.4
 409 bit ecdh (nistb409)   0.0142s     70.6
 571 bit ecdh (nistb571)   0.0311s     32.1
outputs a large amount of results, and takes forever.

 # openssl speed rsa -multi 2
Forked child 0
Forked child 1
+DTP:512:private:rsa:10
+DTP:512:private:rsa:10
 etc etc to
rsa  512 bits 0.000225s 0.000018s   4449.4  54887.2
rsa 1024 bits 0.000927s 0.000040s   1078.7  24961.2
rsa 2048 bits 0.005252s 0.000147s    190.4   6805.6
rsa 4096 bits 0.036209s 0.000545s     27.6   1834.9

[Start the server]
 # openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
140121275352720:error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
ACCEPT

? Is the error acceptable?

From a different terminal...
[as per the cross-referenced tests]
 # openssl s_time -connect localhost:443
No CIPHER specified
Collecting connection statistics for 30 seconds
********************************************************************************
 et seq to
2488 connections in 4.95s; 502.63 connections/user sec, bytes read 0
2488 connections in 31 real seconds, 0 bytes read per connection

Now timing with session id reuse.
starting
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 et seq to
10966 connections in 5.61s; 1954.72 connections/user sec, bytes read 0
10966 connections in 31 real seconds, 0 bytes read per connection

[as per the Wiki procedure]
 # openssl s_time -connect localhost:4433 -www / -new -ssl3
No CIPHER specified
Collecting connection statistics for 30 seconds
ERROR
140352903718544:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40

[Same error using port number 443]

Does this failure matter?

This is mostly OK, but I would prefer feedback on the two errors noted before OK'ing it. Other x64 testers can concentrate on those 2 issues.
Comment 6 David Walser 2016-09-30 22:14:35 CEST
The insecure SSLv3 protocol has been disabled, you shouldn't be using that.
Comment 7 Lewis Smith 2016-10-10 20:57:17 CEST
(In reply to David Walser from comment #6)
> The insecure SSLv3 protocol has been disabled, you shouldn't be using that.
David: I did not do so consciously. It is true that both errors were ssl3 related. Can you advise what fiddling I can do to re-do the error tests without it? TIA
Comment 8 David Walser 2016-10-11 00:26:41 CEST
Look at the command you executed.  You specifically requested SSLv3.
Comment 9 William Kenney 2016-10-11 19:25:28 CEST
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
openssl apache-mod_ssl

default install of openssl

Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2h-1.mga5.i586 is already installed
Marking openssl as manually installed, it won't be auto-orphaned
writing /var/lib/rpm/installed-through-deps.list
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.10-16.4.mga5.i586 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2h  3 May 2016
built on: reproducible build, date unspecified
platform: linux-elf
options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)......

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another system on the LAN in a terminal:
[root@localhost wilcal]# openssl s_time -connect 192.168.1.143:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*************************************************......***********************
3263 connections in 1.45s; 2250.34 connections/user sec, bytes read 0
3263 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.143:
[wilcal@localhost ~]$ openssl s_client -connect 192.168.1.143:443
CONNECTED(00000003)
depth=0 CN = localhost.localdomain, OU = default httpd cert for localhost.localdomain, emailAddress = root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost.localdomain, OU = default httpd cert for localhost.localdomain, emailAddress = root@localhost.localdomain
verify return:1
---
Certificate chain...........
Negotiates certs and keys.

install openssl from updates_testing

Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2j-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.10-16.4.mga5.i586 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2j  26 Sep 2016
built on: reproducible build, date unspecified
platform: linux-elf
options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx).......

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another system on the LAN in a terminal:
[root@localhost wilcal]# openssl s_time -connect 192.168.1.143:443
No CIPHER specified
Collecting connection statistics for 30 seconds
****************************************************........******************

3275 connections in 1.37s; 2390.51 connections/user sec, bytes read 0
3275 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.143:
[wilcal@localhost ~]$ openssl s_client -connect 192.168.1.143:443
CONNECTED(00000003)
depth=0 CN = localhost.localdomain, OU = default httpd cert for localhost.localdomain, emailAddress = root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain.........
Negotiates certs and keys.

CC: (none) => wilcal.int

Comment 10 William Kenney 2016-10-11 20:12:10 CEST
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
openssl apache-mod_ssl

default install of openssl

Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2h-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.10-16.4.mga5.x86_64 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2h  3 May 2016
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)......

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another system on the LAN in a terminal:
[root@localhost wilcal]# openssl s_time -connect 192.168.1.141:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*******************************************.........***************************

8949 connections in 3.84s; 2330.47 connections/user sec, bytes read 0
8949 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.141:
[root@localhost wilcal]# openssl s_client -connect 192.168.1.141:443
CONNECTED(00000003)
depth=0 CN = localhost.localdomain, OU = default httpd cert for localhost.localdomain, emailAddress = root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost.localdomain, OU = default httpd cert for localhost.localdomain, emailAddress = root@localhost.localdomain
verify return:1
---
Certificate chain...........
Negotiates certs and keys.

install openssl from updates_testing

Start ssl server:
[root@localhost wilcal]# openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
server starts

[root@localhost wilcal]# urpmi openssl
Package openssl-1.0.2j-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi apache-mod_ssl
Package apache-mod_ssl-2.4.10-16.4.mga5.i586 is already installed

[root@localhost wilcal]# openssl version -a
OpenSSL 1.0.2j  26 Sep 2016
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx).......

[root@localhost wilcal]# openssl ciphers -v
[root@localhost wilcal]# openssl ciphers -v -tls1
[root@localhost wilcal]# openssl ciphers -v 'HIGH'
[root@localhost wilcal]# openssl ciphers -v 'AES+HIGH'
[root@localhost wilcal]# openssl speed
all work

From another system on the LAN in a terminal:
[root@localhost wilcal]# openssl s_time -connect 192.168.1.141:443
No CIPHER specified
Collecting connection statistics for 30 seconds
************************************************......******************

8817 connections in 3.78s; 2332.54 connections/user sec, bytes read 0
8817 connections in 31 real seconds, 0 bytes read per connection

From another system on the LAN, test system is at 192.168.141:
[root@localhost wilcal]# openssl s_client -connect 192.168.1.141:443
CONNECTED(00000003)
depth=0 CN = localhost.localdomain, OU = default httpd cert for localhost.localdomain, emailAddress = root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost.localdomain, OU = default httpd cert for localhost.localdomain, emailAddress = root@localhost.localdomain
verify return:1
---
Certificate chain
Negotiates certs and keys.
Comment 11 Lewis Smith 2016-10-11 20:34:04 CEST
(In reply to David Walser from comment #8)
> Look at the command you executed.  You specifically requested SSLv3.
Comment 5: I see what you mean - for the second ERROR:
 # openssl s_time -connect localhost:4433 -www / -new -ssl3
No CIPHER specified
Collecting connection statistics for 30 seconds
ERROR
140352903718544:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40

I was following the Wiki procedure. But for the 1st error?
 # openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key /etc/pki/tls/private/httpd.pem -www
Using default temp DH parameters
ACCEPT
140121275352720:error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
ACCEPT               [which suggests it does not matter]

@Bill: thanks for your more comprehensive testing.

Since Bill did not get my 1st error, and has re-done the tests (& better), I am OK'ing this for both architectures on his behalf; and validating the update.
Advisory to follow.

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 12 David Walser 2016-10-11 20:43:36 CEST
(In reply to Lewis Smith from comment #11)
> (In reply to David Walser from comment #8)
> > Look at the command you executed.  You specifically requested SSLv3.
> Comment 5: I see what you mean - for the second ERROR:
>  # openssl s_time -connect localhost:4433 -www / -new -ssl3
> No CIPHER specified
> Collecting connection statistics for 30 seconds
> ERROR
> 140352903718544:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
> handshake failure:s3_pkt.c:1487:SSL alert number 40
> 
> I was following the Wiki procedure. But for the 1st error?
>  # openssl s_server -cert /etc/pki/tls/certs/httpd.pem -key
> /etc/pki/tls/private/httpd.pem -www
> Using default temp DH parameters
> ACCEPT
> 140121275352720:error:1408A10B:SSL routines:ssl3_get_client_hello:wrong
> version number:s3_srvr.c:960:
> ACCEPT               [which suggests it does not matter]
> 
> @Bill: thanks for your more comprehensive testing.
> 
> Since Bill did not get my 1st error, and has re-done the tests (& better), I
> am OK'ing this for both architectures on his behalf; and validating the update.
> Advisory to follow.

Lewis, I don't believe you get that error from the s_server command, but from the s_time command that follows it.  Just don't specify -ssl3 there and it works fine.
Comment 13 Mageia Robot 2016-10-12 00:12:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0338.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 14 David Walser 2017-01-31 12:08:42 CET
This update also fixed CVE-2016-7056 and CVE-2016-8610:
https://lwn.net/Vulnerabilities/713046/
