[nycbug-talk] what is the threat of the openssl advisory?
Jeff Quast
af.dingo at gmail.com
Fri Sep 29 08:50:29 EDT 2006
On 9/28/06, George Georgalis <george at galis.org> wrote:
> There was an openssl advisory today
>
> http://www.openssl.org/news/secadv_20060928.txt
> http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc
>
> my primary concern is
>
> A buffer overflow was discovered in the SSL_get_shared_ciphers()
> utility function. An attacker could send a list of ciphers to an
> application that uses this function and overrun a buffer
> (CVE-2006-3738).
>
> there is no comment on if an exploit is known to exist or how
> difficult (or easy) it would be to create one based on the patch.
> http://security.freebsd.org/patches/SA-06:23/
>
> In fact the netbsd openssl looks pretty different than freebsd
> in the context of applying the patch. Can we determine a level
> of risk? Are all ssl, openvpn, ssh, https, etc servers needing
> access restricted to friendly IPs or is the threat just one bit
> inside "astronomically possible?" -- I cannot tell.
>
> // George
For OpenSSH, to cite
http://www.undeadly.org/cgi?action=article&sid=20060928025817&mode=expanded
> Re: OpenSSH 4.4 released (mod 10/10)
> by djm@ (IP 206.59.235.113) on Thu Sep 28 05:17:36 2006 (GMT)
> > It is my understanding that OpenSSH relies on OpenSSL,
> > but can we really trust OpenSSL? [etc...]
>
> OpenSSH doesn't trust OpenSSL for anything more than cryptographic
> primitives. In particular, it avoids its default RSA signature verification
> code that depends on the OpenSSL ASN.1 code - we use our own
> minimal implementation instead (ssh-rsa.c).
>
> IIRC this has saved us from at least two bugs so far: an ASN.1 bug a
> while ago and the new Bleichenbacher attack.
>
> Thanks Markus Friedl for this code :)
of course, you should always review code yourself if this is such a
serious issue. System administrators should be proficient in C for
this very reason (and why I think recent 'network security' roles
coming into corperations are full of smoke)
More information about the talk
mailing list