Ben Laurie
(S/MIME signed:
https://www.cynops.de/advisories/CVE-2008-0555-signed.txt)
https://www.klink.name/security/aklink-sa-2008-005-apache-ssl.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0555
Vendor: Adam & Ben Laurie
Product: Apache-SSL
Website: http://www.apache-ssl.org
Vulnerability: memory disclosure, potential privilege escalation in web
applications
Class: remote
We have been following up on Ben Laurie's advisory and have replaced the
faulty certificate with a new one. In addition we created an advisory
for our users that outlines some general precautions they should take:
http://blog.beuchelt.org/2008/08/07/Some+Security+Advice+For+Our+OpenID+Users.aspx
While these measures cannot guarantee safety, they can help improve the
situation. In addition, Robin Wilton has documented what happened here:
-----Original Message-----
From: owner-cryptography@metzdowd.com
[mailto:owner-cryptography@metzdowd.com] On Behalf Of Eric Rescorla
Sent: 8. august 2008 17:06
To: Ben Laurie
Cc: bugtraq@securityfocus.com; security@openid.net; OpenID List;
cryptography@metzdowd.com; full-disclosure@lists.grok.org.uk
Subject: Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
At Fri, 8 Aug 2008 11:50:59 +0100,
"Ben Laurie" <benl@google.com> writes:
>> It's easy to compute all the public keys that will be generated
>> by the broken PRNG. The clients could embed that list and refuse
>> to accept any certificate containing one of them. So, this
>> is distinct from CRLs in that it doesn't require knowing
>> which servers have which cert...
>
> It also only fixes this single type of key compromise. Surely it is
> time to stop ignoring CRLs before something more serious goes wrong?
Farnam Jahanian (University of Michigan, USA)
Rob Johnson (Stony Brook University, USA)
Apu Kapadia (MIT Lincoln Labs, USA)
Yoshi Kohno (University of Washington, USA)
Shriram Krishnamurthi (Brown University, USA)
Ben Laurie (Google UK)
Wenke Lee (Georgia Tech, USA)
Brian Levine (U of Massachusetts Amherst, USA)
Ninghui Li (Purdue University, USA)
Patrick McDaniel (Penn State University, USA)
Cathy Meadows (Naval Research Laboratory, USA)
On 8-Aug-08, at 10:11 AM, Ben Laurie wrote:
>
> It also only fixes this single type of key compromise. Surely it is
> time to stop ignoring CRLs before something more serious goes wrong?
Clearly many implementors have chosen to *knowingly* ignore CRLs
despite the security implications, so my take away would be that the
current public key infrastructure is flawed.
-- Dick
Changed with Apache-SSL 1.3.41/1.60
*) For some reason I switched on renegotiation, which broke
things. For now, switched back off.
[Ben Laurie]
The release will take a while to find its way to mirrors, which can
themselves be found here:
http://www.apache-ssl.org/
Dave Korn wrote:
>
> Eric Rescorla wrote on 08 August 2008 16:06:
>
> > At Fri, 8 Aug 2008 11:50:59 +0100,
> > Ben Laurie wrote:
> >> However, since the CRLs will almost certainly not be checked, this
> >> means the site will still be vulnerable to attack for the lifetime of
> >> the certificate (and perhaps beyond, depending on user
> >> behaviour). Note that shutting down the site DOES NOT prevent the attack.
> >>
Security Advisory (08-AUG-2008) (CVE-2008-3280)
===============================================
Ben Laurie of Google's Applied Security team, while working with an
external researcher, Dr. Richard Clayton of the Computer Laboratory,
Cambridge University, found that various OpenID Providers (OPs) had
TLS Server Certificates that used weak keys, as a result of the Debian
Predictable Random Number Generator (CVE-2008-0166).
In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and
Eric Rescorla wrote on 08 August 2008 16:06:
> At Fri, 8 Aug 2008 11:50:59 +0100,
> Ben Laurie wrote:
>> However, since the CRLs will almost certainly not be checked, this
>> means the site will still be vulnerable to attack for the lifetime of
>> the certificate (and perhaps beyond, depending on user
>> behaviour). Note that shutting down the site DOES NOT prevent the attack.
>>
>> Therefore mitigation falls to other parties.
>>
On Fri, Aug 8, 2008 at 8:27 PM, Eddy Nigg (StartCom Ltd.)
<eddy_nigg@startcom.org> wrote:
> Ben Laurie:
>
> On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.)
> <eddy_nigg@startcom.org> wrote:
>
>
> This affects any web site and service provider of various natures. It's not
> exclusive for OpenID nor for any other protocol / standard / service! It may
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2012-05-03
Credits: Adam Langley, George Kadianakis, Ben Laurie,
Ivan Nestlerode, Tavis Ormandy
Affects: All supported versions of FreeBSD.
Corrected: 2012-05-03 15:25:11 UTC (RELENG_7, 7.4-STABLE)
2012-05-03 15:25:11 UTC (RELENG_7_4, 7.4-RELEASE-p7)
2012-05-03 15:25:11 UTC (RELENG_8, 8.3-STABLE)
buffer [5] before returning.
Vendor response:
2007/06/06 Initial contact with openssl-security@openssl.org
2007/07/06 Response received by Ben Laurie <ben@links.org>
regarding a proposed fix.
2007/09/19 Fix committed to the OpenSSL_0_9_8-stable branch
in CVS.
Vulnerable packages: