Bug 886831 (CVE-2014-2970) - VUL-0: CVE-2014-2970: openssl: remote denial of service in SRP
Summary: VUL-0: CVE-2014-2970: openssl: remote denial of service in SRP
Status: RESOLVED DUPLICATE of bug 890765
Alias: CVE-2014-2970
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Major
Target Milestone: ---
Assignee: Marcus Meissner
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-11 10:31 UTC by Marcus Meissner
Modified: 2021-08-11 09:38 UTC (History)
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Marcus Meissner 2014-07-11 10:31:07 UTC
embargoed, via CERT

Greetings folks,

While reviewing our vulnerability reports we were notified of a
vulnerability in OpenSSL 1.0.1 through 1.0.1h.  This issue has been
assigned CVE-2014-2970.

NCSC-FI forwarded this report to CERT/CC and JPCERT/CC.  It is quite
likely that you have already been notified of this vulnerability from
either NCSC-FI or JPCERT/CC.  The tracking IDs for each coordination
center are as follows:

NCSC-FI:        FICORA #802104
JPCERT/CC:      JVNVU#93614707
CERT/CC:        VU#904060

NCSC-FI has notified OpenSSL of the issue.  We will let you know of any
major updates we receive.

A copy of the original report is included at the bottom of this message.
We are also attaching additional files that the reporter submitted to
us. We are unaware of a fix or disclosure date yet from OpenSSL or
NCSC-FI. Please respect other affected parties and maintain the embargo.
Please be sure to include VU#904060 in the subject when replying to
this email.

If you have any questions or concerns, please let us know.

Best Regards,
Vulnerability Analysis Team
======================================================================
CERT Coordination Center
www.cert.org / cert@cert.org / Hotline: 1-412-268-7090
======================================================================

----- BEGIN ORIGINAL VULNERABILITY REPORT -----

In short, the client crashes when the server hello indicates a SRP
ciphersuite but omits the SRP parameters.

The client crashes with a null pointer dereference at BN_num_bits which
is called from SRP_Calc_A_param (tls_srp.c)

        if (BN_num_bits(s->srp_ctx.N) < s->srp_ctx.strength)

while s->srp_ctx.N is NULL since the SRP parameters have not been
negotiated.

The actual crash then occurs at bn_lib.c:

int BN_num_bits(const BIGNUM *a)
{
int i = a->top - 1;

My understanding is that the impact is limited to crashing the client
(denial of service).

The attached zip file contains a capture file and a Valgrind error dump.
The zip file also contains detailed (Codenomicon) Defensics logs for
reproduction purposes.

----- END ORIGINAL VULNERABILITY REPORT -----
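The crash path the report describes, modelled as an added example. This is not OpenSSL's code and not the fix that shipped for this issue; the struct names (bignum_t, srp_ctx_t) and the two function names are hypothetical stand-ins for s->srp_ctx.N / strength and SRP_Calc_A_param. The point it shows is that a strength check which reads the group prime N is only safe once the handshake has actually delivered N; a server that selects an SRP suite without sending SRP parameters leaves N NULL, and the unguarded version dereferences it exactly as BN_num_bits does.

```c
/* Added example, not OpenSSL code: models the NULL dereference the report
 * describes and a guarded form of the same strength check.
 * All type and function names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for a BIGNUM: only the fields the crash path touches. */
typedef struct {
    int top;                 /* number of significant limbs, read by num_bits */
    unsigned long limbs[4];  /* little-endian limbs, limbs[top-1] is the top one */
} bignum_t;

/* Mirrors the two srp_ctx fields involved: N stays NULL until the server's
 * SRP parameters have been received and parsed. */
typedef struct {
    bignum_t *N;
    int strength;            /* minimum acceptable bit length of N */
} srp_ctx_t;

/* Toy bit counter with the same shape as BN_num_bits(): it reads a->top
 * unconditionally, so a NULL argument is a crash, not an error. */
static int toy_num_bits(const bignum_t *a) {
    int i = a->top - 1;      /* same first statement as the reported crash site */
    if (i < 0)
        return 0;
    unsigned long w = a->limbs[i];
    int bits = 0;
    while (w) {
        bits++;
        w >>= 1;
    }
    return i * (int)(8 * sizeof(unsigned long)) + bits;
}

/* Vulnerable shape: assumes N was negotiated because the server picked an
 * SRP suite. Returns 1 if N is strong enough, 0 if too weak. With N == NULL
 * it dereferences a NULL pointer instead of failing. */
int srp_calc_a_param_unchecked(const srp_ctx_t *ctx) {
    if (toy_num_bits(ctx->N) < ctx->strength)
        return 0;
    return 1;
}

/* Guarded shape: refuse to proceed when the parameters were never received.
 * Returns -1 for "SRP parameters missing, abort the handshake",
 * 0 for "N too weak", 1 for "acceptable". */
int srp_calc_a_param_guarded(const srp_ctx_t *ctx) {
    if (ctx->N == NULL)
        return -1;
    if (toy_num_bits(ctx->N) < ctx->strength)
        return 0;
    return 1;
}

int main(void) {
    /* Constructed inputs: a context whose parameters never arrived, and one
     * with a tiny 8-bit "prime" (0xff) so the numbers are platform independent. */
    srp_ctx_t missing = { NULL, 1024 };
    bignum_t small_n = { 1, { 0xff, 0, 0, 0 } };
    srp_ctx_t weak = { &small_n, 1024 };
    srp_ctx_t ok = { &small_n, 8 };

    printf("guarded, N missing:            %d\n", srp_calc_a_param_guarded(&missing));
    printf("guarded, 8-bit N vs 1024:      %d\n", srp_calc_a_param_guarded(&weak));
    printf("guarded, 8-bit N vs 8:         %d\n", srp_calc_a_param_guarded(&ok));
    /* srp_calc_a_param_unchecked(&missing) would dereference NULL here. */
    return 0;
}
```

The guarded variant returns a distinct error for the "never negotiated" case rather than folding it into "too weak", so the caller can send the right alert and tear the connection down instead of continuing with an empty context.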
Comment 1 Marcus Meissner 2014-07-11 11:01:58 UTC
openssl1 on SLE11 SP3 and openssl on openSUSE are affected.
Comment 2 SMASH SMASH 2014-07-11 12:00:21 UTC
Affected packages:

SLE-11-SP3: openssl1
Comment 3 Swamp Workflow Management 2014-07-11 22:00:15 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2014-07-16 08:55:27 UTC
(no updates so far)
Comment 5 Vítězslav Čížek 2014-08-11 10:46:22 UTC
Duplicate of 890765 (CVE-2014-5139).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2970
Comment 6 Marcus Meissner 2014-08-13 14:04:26 UTC
dup

*** This bug has been marked as a duplicate of bug 890765 ***