9 replies to this topic

[AplusWebMaster]

FYI...

OpenSSL v1.0.0a - 0.9.8o released
- http://secunia.com/advisories/40024/
Release Date: 2010-06-02
Criticality level: Moderately critical
Impact: Spoofing, DoS, System access
Where: From remote
Solution: Update to version 1.0.0a.
- http://secunia.com/advisories/40000/
Solution: Update to version 0.9.8o.
Original Advisory: http://www.openssl.o...dv_20100601.txt
[01-Jun-2010] - "OpenSSL Security Advisory...
Two security flaws have been fixed in OpenSSL 0.9.8o and OpenSSL 1.0.0a.
Invalid ASN1 module definition for CMS
CMS structures containing OriginatorInfo are mishandled this can write to invalid memory addresses or free up memory twice (CVE-2010-0742). This bug is only present in the CMS code: the older PKCS#7 code is not affected. CMS is only present in OpenSSL 0.9.8h and later where it is -disabled- by default and 1.0.0 where it is -enabled- by default. Users of OpenSSL CMS code should update to 0.9.8o or 1.0.0a which contains a patch to correct this issue...
Invalid Return value check in pkey_rsa_verifyrecover
When verification recovery fails for RSA keys an uninitialised buffer with an undefined length is returned instead of an error code (CVE-2010-1633). This bug is only present in OpenSSL 1.0.0 and only affects applications that call the function EVP_PKEY_verify_recover(). As this function is not present in previous versions of OpenSSL and not used by OpenSSL internal code very few applications should be affected. The OpenSSL utility application "pkeyutl" does use this function. Affected users should update to 1.0.0a which contains a patch to correct this bug...
- http://www.openssl.org/source/

- http://securitytrack...un/1024051.html
Jun 2 2010

Edited by AplusWebMaster, 17 November 2010 - 07:31 AM.

[AplusWebMaster]

FYI...

OpenSSL TLS server extension vuln - update available
- http://secunia.com/advisories/42243/
Release Date: 2010-11-16
Criticality level: Moderately critical
Impact: DoS, System access
Solution Status: Vendor Patch ...
CVE Reference: http://web.nvd.nist....d=CVE-2010-3864
... The vulnerability is reported in versions 0.9.8f through 0.9.8o and versions 1.0.0 and 1.0.0a.
Solution: Update to version 0.9.8p and 1.0.0b or apply patches.
Original Advisory: http://www.openssl.o...dv_20101116.txt

- http://www.securityt....com/id?1024743
Nov 16 2010

- http://www.us-cert.g...ses_openssl_1_0
November 17, 2010

Edited by AplusWebMaster, 18 November 2010 - 02:16 PM.

[AplusWebMaster]

FYI...

OpenSSL v0.9.8q-v1.0.0c released
- http://secunia.com/advisories/42473/
Last Update: 2010-12-08
Impact: Security Bypass
Where: From remote
Solution Status: Vendor Patch
CVE Reference(s):
http://web.nvd.nist....d=CVE-2008-7270
http://web.nvd.nist....d=CVE-2010-4180
... The vulnerability is reported in all versions prior to 0.9.8q or 1.0.0c.
Solution: Update to version 0.9.8q or 1.0.0c or apply patches.
Original Advisory:
http://www.openssl.o...dv_20101202.txt

[AplusWebMaster]

FYI...

OpenSSL vulns/fixes ...
- https://isc.sans.edu...l?storyid=12322
Last Updated: 2012-01-05 00:46:00 UTC - "... CVEs include:
DTLS Plaintext Recovery Attack (CVE-2011-4108)
Double-free in Policy Checks (CVE-2011-4109)
Uninitialized SSL 3.0 Padding (CVE-2011-4576)
Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
SGC Restart DoS Attack (CVE-2011-4619)
Invalid GOST parameters DoS Attack (CVE-2012-0027)
Details here: http://openssl.org/n...dv_20120104.txt
Downloads here: http://openssl.org/source/ ..."

- http://www.openssl.o...dv_20120104.txt
04 Jan 2012 - "... Affected users should upgrade to OpenSSL 1.0.0f or 0.9.8s..."

- https://secunia.com/advisories/47426/
Release Date: 2012-01-05
Criticality level: Moderately critical
Impact: Exposure of sensitive information, DoS, System access
Where: From remote
Solution: Update to version 0.9.8s or 1.0.0f.

- http://www.securityt....com/id/1026485
CVE Reference:
- http://web.nvd.nist....d=CVE-2011-4108 - 4.3
- http://web.nvd.nist....d=CVE-2011-4109 - 9.3 (HIGH)
- http://web.nvd.nist....d=CVE-2011-4576 - 5.0
- http://web.nvd.nist....d=CVE-2011-4577 - 4.3
- http://web.nvd.nist....d=CVE-2011-4619 - 5.0
- http://web.nvd.nist....d=CVE-2012-0027 - 5.0
- http://web.nvd.nist....d=CVE-2012-0390 - 4.3
Updated: Jan 6 2012
Impact: Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, User access via network
Version(s): prior to 0.9.8s; 1.x prior to 1.0.0f

Edited by AplusWebMaster, 09 January 2012 - 09:42 PM.

[AplusWebMaster]

FYI...

OpenSSL v0.9.8t, 1.0.0g released
- http://www.securityt....com/id/1026548
Date: Jan 19 2012
CVE Reference: http://web.nvd.nist....d=CVE-2012-0050 - 5.0
[Regression: "...incorrect fix for CVE-2011-4108"]
Impact: DoS via network
Version(s): 0.9.8s, 1.0.0f ...
... Only DTLS applications using OpenSSL 1.0.0f and 0.9.8s are affected.
Solution: The vendor has issued a fix (0.9.8t, 1.0.0g).
The vendor's advisory is available at:
http://www.openssl.o...dv_20120118.txt
18 Jan 2012 - "... Affected users should upgrade to OpenSSL 1.0.0g or 0.9.8t."

[AplusWebMaster]

FYI...

OpenSSL v1.0.1f released ...
- https://secunia.com/advisories/56286/
Last Update: 2014-01-07
Criticality: Moderately Critical
Where: From remote
Impact: DoS ...
CVE Reference(s):
- https://web.nvd.nist...d=CVE-2013-4353
- https://web.nvd.nist...d=CVE-2013-6449 - 4.3
- https://web.nvd.nist...d=CVE-2013-6450 - 5.8
Solution: Update to version 1.0.1f.
Original Advisory: OpenSSL:
https://www.openssl....news/index.html

- http://www.securityt....com/id/1029557
CVE Reference: CVE-2013-4353
Jan 7 2014
Impact: Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0.1x prior to 1.0.1f...
Solution: The vendor has issued a fix (1.0.1f)...
 

Edited by AplusWebMaster, 09 January 2014 - 10:18 AM.

[AplusWebMaster]

FYI...

- https://atlas.arbor....ndex#-918139434
Extreme Severity
17 Apr 2014 - "Repurcussions from the OpenSSL Heartbleed vulnerability disclosed last week continues, with potentially compromised certificates still being used and multiple applications and devices still affected by the OpenSSL flaw..."
___

OpenSSL TLS Heartbeat - 1.0.1g
- http://www.securityt....com/id/1030026
CVE Reference: https://web.nvd.nist...d=CVE-2014-0160
Updated: Apr 11 2014
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0.1 through 1.0.1f; 1.0.2-beta ...
Impact: A remote user can obtain potentially sensitive information, including encryption keys.
Solution: The vendor has issued a fix (1.0.1g; fix pending for 1.0.2-beta2).
The vendor's advisory is available at:
- http://www.openssl.o...dv_20140407.txt
"... Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
1.0.2 will be fixed in 1.0.2-beta2."

- https://secunia.com/advisories/57347/
Last Update: 2014-04-10
Where: From remote
Impact: Exposure of sensitive information...
CVE Reference(s): CVE-2014-0160
... vulnerability is reported in versions 1.0.1 through 1.0.1f.
Solution: Update to version 1.0.1g.
___

Affects 5% of Select Top Level Domains from Top 1M websites
- http://blog.trendmic...llion-websites/
Apr 10, 2014

Vulnerable sites per country
- http://blog.trendmic...SSL-scan2-L.jpg

Mobile Apps affected ...
- http://blog.trendmic...e-affected-too/
Update as of April 11, 2014 - "After doing a second round of scanning, we have found that around 7,000 apps are connected to vulnerable servers."
___

- http://www.kb.cert.org/vuls/id/720951
Last revised: 11 Apr 2014

- https://isc.sans.edu...l?storyid=17921
Last Updated: 2014-04-08 20:23:51 UTC - Version: 2

Heartbleed vendor notifications
- https://isc.sans.edu...l?storyid=17929
Last Updated: 2014-04-09 21:45:56 UTC

- http://blog.trendmic...-vulnerability/
Apr 8, 2014
___

Android OpenSSL TLS Heartbeat vuln
- https://secunia.com/advisories/57386/
Release Date: 2014-04-10
Criticality: Moderately Critical
Where: From remote
Impact: Exposure of sensitive information
Solution Status: Vendor Patch
Operating System: Android 4.x
CVE Reference(s): CVE-2014-0160
...  vulnerability is caused due to a bundled vulnerable version of OpenSSL.
For more information: https://secunia.com/SA57347/
The vulnerability is reported in version 4.1.1...
Original Advisory:
- http://googleonlines...to-address.html
April 9, 2014
Apr 12, Apr 14, Apr 16: Updated...
 

Edited by AplusWebMaster, 18 April 2014 - 09:44 AM.

[AplusWebMaster]

FYI...

OpenSSL Security Advisory 2014.06.05 ...
- https://www.openssl....dv_20140605.txt
5 Jun 2014
- https://web.nvd.nist...d=CVE-2014-0195 - 6.8
- https://web.nvd.nist...d=CVE-2014-0198 - 4.3
- https://web.nvd.nist...d=CVE-2014-0221 - 4.3
- https://web.nvd.nist...d=CVE-2014-0224 - 6.8
- https://web.nvd.nist...d=CVE-2014-3470 - 4.3
- https://web.nvd.nist...d=CVE-2010-5298 - 4.0

- https://www.openssl.org/source/

- https://isc.sans.edu...l?storyid=18211
2014-06-05 - "... update to one of these OpenSSL versions:
OpenSSL 0.9.8za
OpenSSL 1.0.0m
OpenSSL 1.0.1h ..."

- http://www.kb.cert.org/vuls/id/978508
Last revised: 19 Jun 2014
- http://www.kb.cert.o...8&SearchOrder=4
___

- https://web.nvd.nist...d=CVE-2014-0195 - 6.8
Last revised: 06/26/2014 - "... OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h... allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment..."

Metasploit ...
- http://www.rapid7.co...agment_overflow
2014-06-12
___

- http://www.securityt....com/id/1030336
CVE Reference: CVE-2014-0224
Jun 5 2014
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 0.9.8za, 1.0.0m, 1.0.1h ...
Impact: A remote user can conduct a man-in-the-middle attack to decrypt and modify data.
Solution: The vendor has issued a fix (0.9.8za, 1.0.0m, 1.0.1h)...
The vendor's advisory is available at:
- http://www.openssl.o...dv_20140605.txt

> http://www.securityt....com/id/1030337

> http://www.securityt....com/id/1030338
___

- https://atlas.arbor.net/briefs/
Scanned OpenSSL Servers Vulnerable to Recent MITM Vulnerability
High Severity
June 20, 2014
A recent scan conducted by Qualys* shows that 49% of OpenSSL servers remain vulnerable to the SSL/TLS MITM (Man-in-the-Middle) vulnerability disclosed earlier this month.
Analysis: About 14% are exploitable, as they are running a newer version of OpenSSL (1.0.1). [ http://blog.ivanrist...-june-2014.html ] While the vulnerability (CVE-2014-0224**) was only publicly disclosed this month, along with several other security issues [ https://www.openssl....dv_20140605.txt ], it has likely been present since 1998. The MITM vulnerability could allow an attacker to intercept and decrypt traffic between vulnerable clients and servers. Users should ensure that any vulnerable installations of OpenSSL detailed in the advisory are upgraded as soon as possible. As demonstrated by the effects of the OpenSSL Heartbleed vulnerability several months ago, many devices including servers, applications, websites, and email/messaging clients, are greatly impacted by OpenSSL security issues...
* https://community.qu...-14-exploitable

** https://web.nvd.nist...d=CVE-2014-0224 - 6.8
 

Edited by AplusWebMaster, 28 June 2014 - 05:18 PM.

[AplusWebMaster]

FYI...

OpenSSL status - 2 months later ...

- http://blog.erratase...tbleed-two.html
June 21, 2014 - "When the Heartbleed vulnerability was announced, we found 600k systems vulnerable. A month later, we found that half had been patched, and only 300k were vulnerable. Last night, now slightly over two months after Heartbleed, we scanned again, and found 300k (309,197) still vulnerable. This is done by simply scanning on port 443, I haven't checked other ports..."

- https://www.grc.com/port_443.htm

- https://community.qu...-14-exploitable
Jun 13, 2014 - "... about 49% servers are vulnerable. About 14% (of the total number) are exploitable because they're running a newer version of OpenSSL. The rest are -probably- not exploitable, but should be upgraded because it's possible that there are other ways to exploit this problem..."
 

 

Edited by AplusWebMaster, 23 June 2014 - 02:42 PM.

[AplusWebMaster]

FYI...

OpenSSL Security Advisory
- https://www.openssl....dv_20140806.txt
Aug 6 2014 - "Information leak in pretty printing functions (CVE-2014-3508)
- https://cve.mitre.or...e=CVE-2014-3508

A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information from the
stack. Applications may be affected if they echo pretty printing output to the
attacker. OpenSSL SSL/TLS clients and servers themselves are not affected.
OpenSSL 0.9.8 users should upgrade to 0.9.8zb
OpenSSL 1.0.0 users should upgrade to 1.0.0n.
OpenSSL 1.0.1 users should upgrade to 1.0.1i.

... The issue affects OpenSSL clients and allows a malicious server to crash
the client with a null pointer dereference (read) by specifying an SRP
ciphersuite even though it was not properly negotiated with the client. This can
be exploited through a Denial of Service attack.
OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i ..."
___

- http://www.securityt....com/id/1030693
CVE Reference: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139
Aug 7 2014
Impact: Denial of service via network, Disclosure of system information, Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 0.9.8zb, 1.0.0n, 1.0.1i ...
 

Edited by AplusWebMaster, 07 August 2014 - 07:37 PM.