Guest

Cisco Event Response: OpenSSL Vulnerabilities

Cisco Event Response: OpenSSL Vulnerabilities

Threat Summary: June 6, 2014

This information has been produced in reference to the recent OpenSSL vulnerabilities that have been made public at openssl.com.

 

Event Intelligence

The following Cisco content is associated with this Event Response Page:

Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl

Cisco IntelliShield Alert: OpenSSL SSL/TLS Handshake Processing Weak Encryption Usage Information Disclosure Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=34548

Cisco IntelliShield Alert: OpenSSL DTLS Handshake Processing Recursion Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=34547

Cisco IntelliShield Alert: OpenSSL DTLS Fragment Processing Buffer Overflow Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=34546

Cisco IntelliShield Alert: OpenSSL TLS Client ECDH Ciphersuite Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=34549

Cisco Security Blog Posts
http://blogs.cisco.com/security/a-collection-of-cryptographic-vulnerabilities/

Vulnerability Characteristics

The OpenSSL SSL/TLS Handshake Processing Weak Encryption Usage Information Disclosure Vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0224.

The vulnerability is due to weak cryptographic keys that could be determined by an attacker. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted handshake packet to a targeted system. If successful, the attacker could perform a man-in-the-middle attack against a targeted system.

The OpenSSL DTLS Fragment Processing Buffer Overflow Vulnerability has been assigned CVE ID CVE-2014-0195.

The vulnerability is due to improper handling of Datagram Transport Layer Security (DTLS) fragments by a system running the affected application. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted DTLS fragments to a targeted system. A successful exploit could cause a buffer overrun condition that the attacker could use to execute arbitrary code on the system.

The OpenSSL DTLS Handshake Processing Recursion Denial of Service Vulnerability has been assigned CVE ID CVE-2014-0221.

The vulnerability is due to improper handling of certain DTLS ServerHello requests by a system running the affected application. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted DTLS handshake request to a targeted system. A successful exploit could cause the affected application to recurse and crash, resulting in a denial of service (DoS) condition.

The OpenSSL TLS Client ECDH Ciphersuite Denial of Service Vulnerability has been assigned CVE ID CVE-2014-3470.

The vulnerability is due to way the affected software performs an anonymous Elliptic Curve Diffie-Hellman (ECDH) key exchange. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted handshake packet to a targeted system. A successful exploit could cause the affected application to crash, resulting in a DoS condition.

Three additional previously disclosed vulnerabilities are also mentioned in the OpenSSL bulletin:

  • CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
  • CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection or denial of service
  • CVE-2014-0076 ECDSA NONCE Side-Channel Recovery Attack Vulnerability

OpenSSL has confirmed these vulnerabilities and released software updates.

Impact on Cisco Products

The Cisco Product Security Incident Response Team (PSIRT) is currently investigating which Cisco products are affected by these vulnerabilities. Cisco Security Advisory Multiple Vulnerabilities in OpenSSL Affecting Cisco Products was published and includes information on vulnerable products and products confirmed not vulnerable. The advisory will be updated as additional information about other products becomes available. Cisco will release free software updates that address these vulnerabilities. Any updates specifically related to Cisco products will be communicated according to the Cisco Security Vulnerability Policy.

The Cisco Computer Security Incident Response Team (CSIRT) is investigating Cisco public-facing infrastructure that could be susceptible to this vulnerability to facilitate its remediation.

Mitigation Summary

Effective use of Cisco Sourcefire Next-Generation Intrusion Prevention System (NGIPS) event actions provides visibility into and protection against attacks that attempt to exploit one of these vulnerabilities. The Cisco Sourcefire Snort SIDs for CVE-2014-3470 are 30790 through 30793. The Cisco Sourcefire Snort SIDs for CVE-2014-0221 are 31180 and 31181. The VRT also wrote signatures 30520 through 30523 for exploit attempts against OpenSSL clients.

References