Posts

New OpenSSL Vulnerabilities (Aug 29, 2014)

The security industry starts putting more resources reviewing the source code of OpenSSL project when the infamous HeartBleed bug was disclosed. Since then several new vulnerabilities are discovered and OpenSSL has released patches for them. These operations would make the Internet more secure if everyone adopts the latest OpenSSL libraries as soon as they become available. Dell SonicWALL keeps monitoring OpenSSL related news and reacts immediately; following are some incidents:

CVE-2014-3470 The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.

Related signature(s):

  • 4790 OpenSSL Anonymous ECDH DoS 1
  • 4822 OpenSSL Anonymous ECDH DoS 2

CVE-2014-3506 d1_both.c in the DTLS implementation in OpenSSL allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values.

Related signature(s):

  • 5210 OpenSSL DTLS handshake DoS

CVE-2014-3507 Memory leak in d1_both.c in the DTLS implementation in OpenSSL allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

Related signature(s):

  • 5127 OpenSSL DTLS Zero-Length Fragments DoS

CVE-2014-3512 Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter.

Related signature(s):

  • 5211 OpenSSL Invalid SRP Parameters Buffer Overflow

OpenSSL SSL/TLS MITM vulnerability (June 6, 2014)

Since the OpenSSL Heartbleed vulnerability (CVE-2014-0160) was released on April 7th, everyone talked about how to prevent similar bugs, and the existing code has been scrutinized more often. On June 5th, OpenSSL released a security advisory covering six vulnerabilities. Among them, SSL/TLS MITM vulnerability (CVE-2014-0224) is rated as the most important one.

This MITM vulnerability affects OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h. The vulnerable code in these versions of OpenSSL does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information.

The patch to this vulnerability has been released on Fri, May 16th 2014. It correctly checks when to accept the CCS message. The following code snippet sets the new SSL3_FLAGS_CCS_OK flag in order to achieve this:

And the following code tests the flag before processing the CCS message:

To eliminate the vulnerabilities, please upgrade to the following versions accordingly:

  • OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
  • OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
  • OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

Dell SonicWALL has researched this vulnerability and released the following IPS signature to protect their customers:

  • IPS: 10386 Excessive SSL Change Cipher Spec Messages.

Dell SonicWALL has also released another IPS signature to cover DTLS invalid fragment vulnerability (CVE-2014-0195).

  • IPS: 10387 OpenSSL DTLS Fragmentation DoS

OpenSSL HeartBleed Vulnerability(CVE-2014-0160) Actively Targeted(Apr 9, 2014)

Dell SonicWALL Threats Research Team has observed the OpenSSL HeartBleed Vulnerability being actively targeted in the wild.

This Critical vulnerability has been assigned CVE-2014-0160. This is an Information Disclosure Vulnerability which can be used to reveal up to 64K of memory due to an incorrect bounds check. OpenSSL has also released a Security Advisory that addresses this issue. Since the OpenSSL vulnerable version 1.0.1 has been in the field since March of 2012, in addition to applying the OpenSSL version 1.0.1g patch issued on April 7th, 2014, please issue new keys and revoke any previous keys based on insecure versions.

Dell SonicWALL firewalls with activated Intrusion Prevention protect customers’ servers against this attack with the following signatures by testing the bytes in the heartbeat packet against the limits that are outside the normal bounds:

  • IPS:3616 OpenSSL Heartbleed Information Disclosure 1
  • IPS:3638 OpenSSL Heartbleed Information Disclosure 2
  • IPS:3652 OpenSSL Heartbleed Information Disclosure 3
  • IPS:3653 OpenSSL Heartbleed Information Disclosure 4
  • IPS:3661 OpenSSL Heartbleed Information Disclosure 5
  • IPS:3663 OpenSSL Heartbleed Information Disclosure 6

The following is the format of a HeartBeat Request. Malicious attackers can craft this specific request to extract sensitive information from vulnerable servers not behind a Next Gen firewall.

Following stats show how this attack is being actively exploited.

Here, it is quite evident that the hourly hits are increasing.

The distribution below shows USA being targeted the most.