Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [month] [year] [list] 
Date: Tue, 2 Jun 2009 11:02:33 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Two OpenSSL DTLS remote DoS

Hi!

There are 2 more issues that cause DTLS server to crash (NULL pointer
dereference DoS), detailed in upstream bug reports linked below.


CVE-2009-1386
DTLS: SegFault if ChangeCipherSpec is received before ClientHello

http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest
http://cvs.openssl.org/chngview?cn=17369

This was first fixed upstream in 0.9.8i.


CVE-2009-1387
DTLS fragment bug - out-of-sequence message handling

http://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest
http://cvs.openssl.org/chngview?cn=17958

Here NULL pointer dereference resulting in DTLS server crash can happen in
dtls1_retrieve_buffered_fragment() during memcpy from frag->fragment.

This is fixed in 1.0.0-beta2, not yet in the latest 0.9.8 available at
the moment - 0.9.8k.


Both issues should be reproducible by connecting using 1.0.0-beta2
s_client to 0.9.8 s_server.

-- 
Tomas Hoger / Red Hat Security Response Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux