1 OpenSSL Security Advisory [19 Mar 2015]
2 =======================================
4 OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
5 =====================================================
9 If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
10 invalid signature algorithms extension a NULL pointer dereference will occur.
11 This can be exploited in a DoS attack against the server.
13 This issue affects OpenSSL version: 1.0.2
15 OpenSSL 1.0.2 users should upgrade to 1.0.2a.
17 This issue was was reported to OpenSSL on 26th February 2015 by David Ramos
18 of Stanford University. The fix was developed by Stephen Henson and Matt
19 Caswell of the OpenSSL development team.
21 Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
22 ============================================================================
26 This security issue was previously announced by the OpenSSL project and
27 classified as "low" severity. This severity rating has now been changed to
30 This was classified low because it was originally thought that server RSA
31 export ciphersuite support was rare: a client was only vulnerable to a MITM
32 attack against a server which supports an RSA export ciphersuite. Recent
33 studies have shown that RSA export ciphersuites support is far more common.
35 This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
37 OpenSSL 1.0.1 users should upgrade to 1.0.1k.
38 OpenSSL 1.0.0 users should upgrade to 1.0.0p.
39 OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
41 This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
42 Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
43 Henson of the OpenSSL core team. It was previously announced in the OpenSSL
44 security advisory on 8th January 2015.
46 Multiblock corrupted pointer (CVE-2015-0290)
47 ============================================
51 OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature
52 only applies on 64 bit x86 architecture platforms that support AES NI
53 instructions. A defect in the implementation of "multiblock" can cause OpenSSL's
54 internal write buffer to become incorrectly set to NULL when using non-blocking
55 IO. Typically, when the user application is using a socket BIO for writing, this
56 will only result in a failed connection. However if some other BIO is used then
57 it is likely that a segmentation fault will be triggered, thus enabling a
60 This issue affects OpenSSL version: 1.0.2
62 OpenSSL 1.0.2 users should upgrade to 1.0.2a.
64 This issue was reported to OpenSSL on 13th February 2015 by Daniel Danner and
65 Rainer Mueller. The fix was developed by Matt Caswell of the OpenSSL development
68 Segmentation fault in DTLSv1_listen (CVE-2015-0207)
69 ===================================================
73 The DTLSv1_listen function is intended to be stateless and processes the initial
74 ClientHello from many peers. It is common for user code to loop over the call to
75 DTLSv1_listen until a valid ClientHello is received with an associated cookie. A
76 defect in the implementation of DTLSv1_listen means that state is preserved in
77 the SSL object from one invocation to the next that can lead to a segmentation
78 fault. Errors processing the initial ClientHello can trigger this scenario. An
79 example of such an error could be that a DTLS1.0 only client is attempting to
80 connect to a DTLS1.2 only server.
82 This issue affects OpenSSL version: 1.0.2
84 OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2a.
86 This issue was reported to OpenSSL on 27th January 2015 by Per Allansson. The
87 fix was developed by Matt Caswell of the OpenSSL development team.
89 Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
90 ===================================================
94 The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
95 made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
96 certificate signature algorithm consistency this can be used to crash any
97 certificate verification operation and exploited in a DoS attack. Any
98 application which performs certificate verification is vulnerable including
99 OpenSSL clients and servers which enable client authentication.
101 This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.
103 OpenSSL 1.0.2 users should upgrade to 1.0.2a
104 OpenSSL 1.0.1 users should upgrade to 1.0.1m.
105 OpenSSL 1.0.0 users should upgrade to 1.0.0r.
106 OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
108 This issue was discovered and fixed by Stephen Henson of the OpenSSL
111 Segmentation fault for invalid PSS parameters (CVE-2015-0208)
112 =============================================================
116 The signature verification routines will crash with a NULL pointer
117 dereference if presented with an ASN.1 signature using the RSA PSS
118 algorithm and invalid parameters. Since these routines are used to verify
119 certificate signature algorithms this can be used to crash any
120 certificate verification operation and exploited in a DoS attack. Any
121 application which performs certificate verification is vulnerable including
122 OpenSSL clients and servers which enable client authentication.
124 This issue affects OpenSSL version: 1.0.2
126 OpenSSL 1.0.2 users should upgrade to 1.0.2a
128 This issue was was reported to OpenSSL on 31st January 2015 by Brian Carpenter
129 and a fix developed by Stephen Henson of the OpenSSL development team.
131 ASN.1 structure reuse memory corruption (CVE-2015-0287)
132 =======================================================
136 Reusing a structure in ASN.1 parsing may allow an attacker to cause
137 memory corruption via an invalid write. Such reuse is and has been
138 strongly discouraged and is believed to be rare.
140 Applications that parse structures containing CHOICE or ANY DEFINED BY
141 components may be affected. Certificate parsing (d2i_X509 and related
142 functions) are however not affected. OpenSSL clients and servers are
145 This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
148 OpenSSL 1.0.2 users should upgrade to 1.0.2a
149 OpenSSL 1.0.1 users should upgrade to 1.0.1m.
150 OpenSSL 1.0.0 users should upgrade to 1.0.0r.
151 OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
153 This issue was discovered by Emilia Käsper and a fix developed by
154 Stephen Henson of the OpenSSL development team.
156 PKCS7 NULL pointer dereferences (CVE-2015-0289)
157 ===============================================
161 The PKCS#7 parsing code does not handle missing outer ContentInfo correctly.
162 An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
163 missing content and trigger a NULL pointer dereference on parsing.
165 Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
166 otherwise parse PKCS#7 structures from untrusted sources are
167 affected. OpenSSL clients and servers are not affected.
169 This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
172 OpenSSL 1.0.2 users should upgrade to 1.0.2a
173 OpenSSL 1.0.1 users should upgrade to 1.0.1m.
174 OpenSSL 1.0.0 users should upgrade to 1.0.0r.
175 OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
177 This issue was reported to OpenSSL on February 16th 2015 by Michal
178 Zalewski (Google) and a fix developed by Emilia Käsper of the OpenSSL
181 Base64 decode (CVE-2015-0292)
182 =============================
186 A vulnerability existed in previous versions of OpenSSL related to the
187 processing of base64 encoded data. Any code path that reads base64 data from an
188 untrusted source could be affected (such as the PEM processing routines).
189 Maliciously crafted base 64 data could trigger a segmenation fault or memory
190 corruption. This was addressed in previous versions of OpenSSL but has not been
191 included in any security advisory until now.
193 This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.
195 OpenSSL 1.0.1 users should upgrade to 1.0.1h.
196 OpenSSL 1.0.0 users should upgrade to 1.0.0m.
197 OpenSSL 0.9.8 users should upgrade to 0.9.8za.
199 The fix for this issue can be identified by commits d0666f289a (1.0.1),
200 84fe686173 (1.0.0) and 9febee0272 (0.9.8). This issue was originally reported by
201 Robert Dugal and subsequently by David Ramos.
203 DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
204 =========================================================
208 A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
209 servers that both support SSLv2 and enable export cipher suites by sending
210 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
212 This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
215 OpenSSL 1.0.2 users should upgrade to 1.0.2a
216 OpenSSL 1.0.1 users should upgrade to 1.0.1m.
217 OpenSSL 1.0.0 users should upgrade to 1.0.0r.
218 OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
220 This issue was discovered by Sean Burford (Google) and Emilia Käsper
221 (OpenSSL development team) in March 2015 and the fix was developed by
224 Empty CKE with client auth and DHE (CVE-2015-1787)
225 ==================================================
229 If client auth is used then a server can seg fault in the event of a DHE
230 ciphersuite being selected and a zero length ClientKeyExchange message being
231 sent by the client. This could be exploited in a DoS attack.
233 This issue affects OpenSSL version: 1.0.2
235 OpenSSL 1.0.2 users should upgrade to 1.0.2a.
237 This issue was discovered and the fix was developed by Matt Caswell of the
238 OpenSSL development team.
240 Handshake with unseeded PRNG (CVE-2015-0285)
241 ============================================
245 Under certain conditions an OpenSSL 1.0.2 client can complete a handshake with
246 an unseeded PRNG. The conditions are:
247 - The client is on a platform where the PRNG has not been seeded automatically,
248 and the user has not seeded manually
249 - A protocol specific client method version has been used (i.e. not
250 SSL_client_methodv23)
251 - A ciphersuite is used that does not require additional random data from the
252 PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
254 If the handshake succeeds then the client random that has been used will have
255 been generated from a PRNG with insufficient entropy and therefore the output
258 For example using the following command with an unseeded openssl will succeed on
259 an unpatched platform:
261 openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
263 This issue affects OpenSSL version: 1.0.2
265 OpenSSL 1.0.2 users should upgrade to 1.0.2a.
267 This issue was discovered and the fix was developed by Matt Caswell of the
268 OpenSSL development team.
270 Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
271 ===============================================================
275 A malformed EC private key file consumed via the d2i_ECPrivateKey function could
276 cause a use after free condition. This, in turn, could cause a double
277 free in several private key parsing functions (such as d2i_PrivateKey
278 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
279 for applications that receive EC private keys from untrusted
280 sources. This scenario is considered rare.
282 This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.
284 OpenSSL 1.0.2 users should upgrade to 1.0.2a
285 OpenSSL 1.0.1 users should upgrade to 1.0.1m.
286 OpenSSL 1.0.0 users should upgrade to 1.0.0r.
287 OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
289 This issue was discovered by the BoringSSL project and fixed in their commit
290 517073cd4b. The OpenSSL fix was developed by Matt Caswell of the OpenSSL
293 X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
294 ===================================================
298 The function X509_to_X509_REQ will crash with a NULL pointer dereference if
299 the certificate key is invalid. This function is rarely used in practice.
301 This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
304 OpenSSL 1.0.2 users should upgrade to 1.0.2a
305 OpenSSL 1.0.1 users should upgrade to 1.0.1m.
306 OpenSSL 1.0.0 users should upgrade to 1.0.0r.
307 OpenSSL 0.9.8 users should upgrade to 0.9.8zf.
309 This issue was discovered by Brian Carpenter and a fix developed by Stephen
310 Henson of the OpenSSL development team.
315 As per our previous announcements and our Release Strategy
316 (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
317 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
318 releases will be provided after that date. Users of these releases are advised
324 URL for this Security Advisory:
325 https://www.openssl.org/news/secadv_20150319.txt
327 Note: the online version of the advisory may be updated with additional
330 For details of OpenSSL severity classifications please see:
331 https://www.openssl.org/about/secpolicy.html