
OpenSSL ASN.1 Deep Recursion Remote Denial of Service Vulnerability


Published: 2003-11-04
Updated: 2003-11-04
Severity:
Threat type: remote denial of service
Error type: exceptional condition handling error
Exploitation: server mode

BUGTRAQ ID:8970
CVE(CAN) ID:CAN-2003-0851

Affected systems
Cisco CSS11000 Content Services Switch
Cisco IOS 12.1 (11b)E
Cisco IOS 12.1 (11)E
Cisco IOS 12.2 SY
Cisco IOS 12.2 SX
Cisco PIX Firewall 6.0 (4.101)
Cisco PIX Firewall 6.0 (4)
Cisco PIX Firewall 6.0 (2)
Cisco PIX Firewall 6.0 (1)
Cisco PIX Firewall 6.0
   + Cisco PIX Firewall 515
   + Cisco PIX Firewall 520
Cisco PIX Firewall 6.0.3
Cisco PIX Firewall 6.0.4
Cisco PIX Firewall 6.1 (5)
Cisco PIX Firewall 6.1 (4)
Cisco PIX Firewall 6.1 (3)
Cisco PIX Firewall 6.1 (2)
Cisco PIX Firewall 6.1 (1)
Cisco PIX Firewall 6.1
   + Cisco PIX Firewall 515
   + Cisco PIX Firewall 520
Cisco PIX Firewall 6.1.3
Cisco PIX Firewall 6.1.4
Cisco PIX Firewall 6.2 (3)
Cisco PIX Firewall 6.2 (2)
Cisco PIX Firewall 6.2 (1)
Cisco PIX Firewall 6.2
Cisco PIX Firewall 6.2.1
Cisco PIX Firewall 6.2.2 .111
Cisco PIX Firewall 6.2.2
Cisco PIX Firewall 6.3 (3.102)
Cisco PIX Firewall 6.3 (1)
OpenSSL Project OpenSSL 0.9.6 k
   + BlueCoat Systems CacheOS CA/SA 4.1.10
   + BlueCoat Systems Security Gateway OS 2.0
   + BlueCoat Systems Security Gateway OS 2.1.9
   + BlueCoat Systems Security Gateway OS 2.1.5001 SP1
   + BlueCoat Systems Security Gateway OS 3.0
   + BlueCoat Systems Security Gateway OS 3.1
OpenSSL Project OpenSSL 0.9.6 j
OpenSSL Project OpenSSL 0.9.6 i
   + HP Apache-Based Web Server 1.3.27 .00
   + HP Apache-Based Web Server 1.3.27 .01
   + HP HP-UX Apache-Based Web Server 1.0 .01
   + HP HP-UX Apache-Based Web Server 1.0 .02.01
   + HP HP-UX Apache-Based Web Server 1.0.1 .01
   + S.u.S.E. Linux 8.2
OpenSSL Project OpenSSL 0.9.6 h
OpenSSL Project OpenSSL 0.9.6 g
   + FreeBSD FreeBSD 4.7
   + FreeBSD FreeBSD 4.7 -RELEASE
   + HP Apache-Based Web Server 2.0.43 .00
   + HP Apache-Based Web Server 2.0.43 .04
   + HP Webmin-Based Admin 1.0 .01
   + Immunix Immunix OS 7+
   + NetBSD NetBSD 1.6
   + OpenPKG OpenPKG 1.1
OpenSSL Project OpenSSL 0.9.6 f
OpenSSL Project OpenSSL 0.9.6 e
   + FreeBSD FreeBSD 4.6
   + FreeBSD FreeBSD 4.6 -RELEASE
OpenSSL Project OpenSSL 0.9.6 d
   + Slackware Linux 8.1
OpenSSL Project OpenSSL 0.9.6 c
   + Conectiva Linux 8.0
   + Debian Linux 3.0
   + MandrakeSoft Linux Mandrake 8.2
   + S.u.S.E. Linux 8.0
   + S.u.S.E. Linux 8.0 i386
OpenSSL Project OpenSSL 0.9.6 b
   + MandrakeSoft Linux Mandrake 8.1
   + MandrakeSoft Linux Mandrake 8.1 ia64
   + OpenBSD OpenBSD 3.0
   + OpenBSD OpenBSD 3.1
   + RedHat Enterprise Linux AS 2.1
   + RedHat Enterprise Linux AS 2.1 IA64
   + RedHat Enterprise Linux ES 2.1
   + RedHat Enterprise Linux ES 2.1 IA64
   + RedHat Enterprise Linux WS 2.1
   + RedHat Enterprise Linux WS 2.1 IA64
   + RedHat Linux 7.2
   + RedHat Linux 7.2 i386
   + RedHat Linux 7.2 i686
   + RedHat Linux 7.2 ia64
   + RedHat Linux 7.3
   + RedHat Linux 7.3 i386
   + RedHat Linux Advanced Work Station 2.1
   + S.u.S.E. Linux 7.3 i386
   + S.u.S.E. Linux 7.3 ppc
   + S.u.S.E. Linux 7.3 sparc
   + S.u.S.E. Linux Connectivity Server
   + S.u.S.E. Linux Database Server
   + S.u.S.E. Linux Enterprise Server 7
   + S.u.S.E. Linux Firewall on CD
   + S.u.S.E. Office Server
   + S.u.S.E. SuSE eMail Server III
   + Sun Linux 5.0
   + Sun Linux 5.0.3
   + Sun Linux 5.0.5
   + Sun Linux 5.0.6
   + Sun Linux 5.0.7
OpenSSL Project OpenSSL 0.9.6 a
   + Conectiva Linux 7.0
   + NetBSD NetBSD 1.5
   + NetBSD NetBSD 1.5.1
   + NetBSD NetBSD 1.5.2
   + NetBSD NetBSD 1.5.3
   + S.u.S.E. Linux 7.1
   + S.u.S.E. Linux 7.1 alpha
   + S.u.S.E. Linux 7.1 ppc
   + S.u.S.E. Linux 7.1 sparc
   + S.u.S.E. Linux 7.2 i386
OpenSSL Project OpenSSL 0.9.6
   + Caldera OpenLinux Server 3.1
   + Caldera OpenLinux Server 3.1.1
   + Caldera OpenLinux Workstation 3.1
   + Caldera OpenLinux Workstation 3.1.1
   + Conectiva Linux 6.0
   + EnGarde Secure Linux 1.0.1
   + HP Secure OS software for Linux 1.0
   + MandrakeSoft Linux Mandrake 8.0
   + MandrakeSoft Linux Mandrake 8.0 ppc
   + NetBSD NetBSD 1.5
   + NetBSD NetBSD 1.5.1
   + NetBSD NetBSD 1.5.2
   + NetBSD NetBSD 1.5.3
   + NetBSD NetBSD 1.6
   + NetBSD NetBSD 1.6 beta
   + OpenBSD OpenBSD 2.9
   + OpenPKG OpenPKG 1.0
   + RedHat Linux 7.0 alpha
   + RedHat Linux 7.0 i386
   + RedHat Linux 7.0 sparc
   + RedHat Linux 7.1 alpha
   + RedHat Linux 7.1 i386
   + RedHat Linux 7.2 alpha
   + RedHat Linux 7.2 i386
   + RedHat Linux 7.3
   + RedHat Linux 7.3 i386
   + Trustix Secure Linux 1.1
   + Trustix Secure Linux 1.2
   + Trustix Secure Linux 1.5
OpenSSL Project OpenSSL 0.9.7 b
OpenSSL Project OpenSSL 0.9.7 a
   + OpenPKG OpenPKG Current
OpenSSL Project OpenSSL 0.9.7
   + Caldera OpenUnix 8.0
   + Caldera UnixWare 7.1.1
   + Caldera UnixWare 7.1.3
   + FreeBSD FreeBSD 5.0
   + OpenBSD OpenBSD 3.2
   + OpenPKG OpenPKG 1.2
Opera Software Opera Web Browser 7.20
Opera Software Opera Web Browser 7.21
Opera Software Opera Web Browser 7.22
SGI IRIX 6.5.19 m
SGI IRIX 6.5.19 f
SGI IRIX 6.5.20 m
SGI IRIX 6.5.20 f
SGI IRIX 6.5.21 m
SGI IRIX 6.5.21 f
Unaffected systems
BlueCoat Systems CacheOS CA/SA 4.1.12
BlueCoat Systems Security Gateway OS 2.1.10
BlueCoat Systems Security Gateway OS 3.1.2
OpenSSL Project OpenSSL 0.9.6 l
OpenSSL Project OpenSSL 0.9.7 c
Opera Software Opera Web Browser 7.23
Detailed description
OpenSSL 0.9.6 contains a flaw whereby certain ASN.1 sequences trigger very deep recursion. On platforms such as Windows this deep recursion is not handled correctly, so OpenSSL crashes. An attacker who can submit an arbitrary ASN.1 sequence can therefore crash OpenSSL; sending such a client certificate to an SSL/TLS server breaks the SSL connection.
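The defensive check a hardened ASN.1 decoder needs against this class of input is a bound on nesting depth, enforced before each descent rather than after the stack has already been consumed. The Python DER walker below is an added example (not OpenSSL's code and not part of this advisory): it builds a constructed sample of nested SEQUENCEs and refuses to recurse past a cap; the cap value MAX_DEPTH, the function names and the sample input are assumptions.

```python
MAX_DEPTH = 16  # assumed nesting cap; this page does not state OpenSSL's own value

class NestingTooDeep(ValueError): pass  # raised instead of descending past the cap

def der_length(n):
    """DER definite-length encoding: short form below 128, long form above."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def nested_sequence(levels):
    """Constructed sample input: `levels` SEQUENCEs wrapped around a single NULL."""
    tlv = b"\x05\x00"  # NULL, a primitive leaf
    for _ in range(levels):
        tlv = b"\x30" + der_length(len(tlv)) + tlv  # 0x30 = SEQUENCE (constructed)
    return tlv

def read_tlv(buf, pos):
    """Decode tag and length at buf[pos]; return (tag, constructed, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled in this example")
    pos, length = pos + 2, first
    if first >= 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("length runs past the end of the buffer")
    return tag, bool(tag & 0x20), pos, pos + length

def nesting_depth(buf, pos=0, end=None, depth=1, limit=MAX_DEPTH):
    """Recursive walk like a real decoder, but refuses to descend past `limit`."""
    end = len(buf) if end is None else end
    deepest = depth if pos < end else depth - 1
    while pos < end:
        tag, constructed, vstart, vend = read_tlv(buf, pos)
        if constructed:  # only constructed types (SEQUENCE, SET, ...) recurse
            if depth + 1 > limit:
                raise NestingTooDeep("nesting exceeds %d levels" % limit)
            deepest = max(deepest, nesting_depth(buf, vstart, vend, depth + 1, limit))
        pos = vend
    return deepest

def within_limit(buf, limit=MAX_DEPTH):
    try:
        return nesting_depth(buf, limit=limit) <= limit
    except NestingTooDeep:
        return False
```

Because the check runs before each descent, a blob nested hundreds of levels deep is rejected at level 17 without the decoder ever touching the deeper layers.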

Solution
Patch downloads:

OpenSSL Project OpenSSL 0.9.6, 0.9.6 a through 0.9.6 k:

OpenSSL Project Upgrade openssl-0.9.6l.tar.gz
ftp://ftp.openssl.org/source/

OpenSSL Project OpenSSL 0.9.7 a, 0.9.7 b:

OpenSSL Project Upgrade openssl-0.9.7c.tar.gz
ftp://ftp.openssl.org/source/

Opera Software Opera Web Browser 7.20, 7.21, 7.22:

Opera Software Upgrade Opera 7.23 for Windows
http://www.opera.com/download/

SGI IRIX 6.5.19 m, 6.5.19 f:

SGI Upgrade patch5362.tar
ftp://patches.sgi.com/support/free/security/patches/6.5.19/patch5362.tar

SGI IRIX 6.5.20 m, 6.5.20 f:

SGI Upgrade patch5405.tar
ftp://patches.sgi.com/support/free/security/patches/6.5.20/patch5405.tar

SGI IRIX 6.5.21 m, 6.5.21 f:

SGI Upgrade patch5363.tar
ftp://patches.sgi.com/support/free/security/patches/6.5.21/patch5363.tar

Related information
References: http://www.securityfocus.com/advisories/6134
http://www.securityfocus.com/advisories/6021
http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml
http://www.openssl.org/news/secadv_20031104.txt
http://www.bluecoat.com/support/knowledge/advisory_ASN1_parsing_0.9.6.l.html