Bugzilla – Bug 934489
VUL-0: CVE-2015-1789: openssl,openssl1: OpenSSL: Exploitable out-of-bounds read in X509_cmp_time
Last modified: 2022-02-16 21:19:07 UTC
https://openssl.org/news/secadv_20150611.txt

Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
===============================================================

Severity: Moderate

X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string.

An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2b
OpenSSL 1.0.1 users should upgrade to 1.0.1n
OpenSSL 1.0.0 users should upgrade to 1.0.0s
OpenSSL 0.9.8 users should upgrade to 0.9.8zg

This issue was reported to OpenSSL on 8th April 2015 by Robert Swiecki (Google), and independently on 11th April 2015 by Hanno Böck. The fix was developed by Emilia Käsper of the OpenSSL development team.
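The length check the advisory describes, sketched as an added example (not OpenSSL's code and not the committed fix): a parser that walks a time string with an explicit remaining-byte count, so it never reads past the buffer, and that caps the number of fractional-second digits. The function names and the cap of 3 digits are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
/* Assumption of this example: cap on fractional-second digits. */
#define MAX_FRAC_DIGITS 3

/* Consume exactly n ASCII digits from a length-bounded cursor. */
static int take_digits(const unsigned char **p, size_t *rem, size_t n)
{
    if (*rem < n)
        return 0;                       /* would run past the buffer */
    for (size_t i = 0; i < n; i++)
        if (!isdigit((*p)[i]))
            return 0;
    *p += n;
    *rem -= n;
    return 1;
}

/*
 * Syntax check only. Returns 1 if buf[0..len) is well formed:
 *   generalized == 0:  YYMMDDHHMM[SS]          then Z or +hhmm / -hhmm
 *   generalized == 1:  YYYYMMDDHHMM[SS[.f...]] then Z or +hhmm / -hhmm
 * Never reads buf[len] and does not rely on a terminating NUL.
 */
int time_string_ok(const unsigned char *buf, size_t len, int generalized)
{
    const unsigned char *p = buf;
    size_t rem = len;
    if (!take_digits(&p, &rem, generalized ? 12 : 10))
        return 0;                       /* date, hours, minutes */
    if (rem > 0 && isdigit(*p)) {       /* optional seconds */
        if (!take_digits(&p, &rem, 2))
            return 0;
        if (generalized && rem > 0 && *p == '.') {
            size_t n = 0;               /* fraction digits seen */
            p++; rem--;
            while (rem > 0 && isdigit(*p)) {
                if (++n > MAX_FRAC_DIGITS)
                    return 0;           /* unbounded fraction rejected */
                p++; rem--;
            }
            if (n == 0)
                return 0;               /* "." with no digits */
        }
    }
    if (rem == 0)
        return 0;                       /* ran out before the timezone */
    if (*p == 'Z')
        return rem == 1;                /* nothing may follow Z */
    if (*p != '+' && *p != '-')
        return 0;
    p++; rem--;
    return take_digits(&p, &rem, 4) && rem == 0;
}
```

A 14-byte value of digits only, the allocation size valgrind reports further down this bug, is rejected when the byte count reaches zero instead of the parser looking at byte 14 for a timezone character.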
https://blogs.akamai.com/2015/06/openssl-vulnerability-update.html seems to have no reproducer, but it might have ... need to check
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-06-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61984
This is an autogenerated message for OBS integration: This bug (934489) was mentioned in https://build.opensuse.org/request/show/311804 13.2+13.1 / openssl
This is an autogenerated message for OBS integration: This bug (934489) was mentioned in https://build.opensuse.org/request/show/311821 13.2+13.1 / openssl
bugbot adjusting priority
From Hanno Boeck:
https://blog.fuzzing-project.org/15-Out-of-bounds-read-in-OpenSSL-function-X509_cmp_time-CVE-2015-1789-and-other-minor-issues.html

Lately I started an effort to systematically fuzz all possible file input vectors of OpenSSL. This led to the discovery of one potential security issue and two minor non-security fixes.

Malformed inputs can cause an out of bounds heap read access in the function X509_cmp_time. This issue was reported to the OpenSSL developers on 11th March. It was independently discovered three days earlier by Google developer Robert Swiecki.

During the fuzzing I also discovered several issues in the parser of ASN1 definition files. These can be used to create ASN1 data structures with OpenSSL. It is unlikely that there is any situation where ASN1 definitions are attacker controlled, therefore these are not considered security issues.

The latest security updates of OpenSSL (1.0.2b, 1.0.1n, 1.0.0s, 0.9.8zg) fix all three issues. These releases also fix a number of other security issues. Shortly after publishing these updates OpenSSL issued another update (1.0.2c, 1.0.1o), because the versions contained an ABI change which should not happen in minor releases.

I am aware that a couple of other people were also fuzzing OpenSSL lately. Noteworthy is one issue that was found by Joseph Birr-Pixton in the parser of elliptic curve parameters. It is an endless loop and can be used to hang processes with a high CPU load. Endless loop issues tend to get ignored because they are often false positives.
https://jbp.io/2015/06/11/cve-2015-1788-openssl-binpoly-hang/

It is definitely getting harder finding any new issues through fuzzing in OpenSSL. This is good news.
Out of bounds read in X509_cmp_time

CVE-2015-1789
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1789

Git commit / fix
https://github.com/openssl/openssl/commit/f48b83b4fb7d6689584cf25f61ca63a4891f5b11

OpenSSL Security Advisory
https://openssl.org/news/secadv_20150611.txt

Sample malformed cert (test with openssl verify [input])
https://crashes.fuzzing-project.org/openssl-verify-oob.crt

Samples for issues in ASN1 definition parser (test with openssl asn1parse -genconf [input]):

Out of bounds read heap
https://crashes.fuzzing-project.org/openssl-asn1-oob.asn

Stack overflow through endless recursion
https://crashes.fuzzing-project.org/openssl-asn1-stack.asn

Uninitialized memory access
https://crashes.fuzzing-project.org/openssl-asn1-uninitialized.asn

--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: BBB51E42
Created attachment 637737
openssl-verify-oob.crt

valgrind openssl verify openssl-verify-oob.crt

before reports error:
==9249== Address 0x5ca508e is 0 bytes after a block of size 14 alloc'd

after: should not report error
QA REPRODUCER above
Created attachment 637738
openssl-asn1-oob.asn

REPRODUCER:
openssl asn1parse -genconf openssl-asn1-oob.asn

causes memory corruption backtrace before (on 13.2)
Created attachment 637739
openssl-asn1-stack.asn

REPRODUCER:
openssl asn1parse -genconf openssl-asn1-stack.asn

before: Segmentation fault
after: should not segfault
I think we can ignore those. They are in the ASN1 description language parser, which is not exposed to attackers.

So only do the reproducer test from #c11:
valgrind openssl verify openssl-verify-oob.crt
openSUSE-SU-2015:1139-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 931698,933898,933911,934487,934489,934491,934493,934494
CVE References: CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-3216,CVE-2015-4000
Sources used:
openSUSE 13.2 (src): openssl-1.0.1k-2.24.1
openSUSE 13.1 (src): openssl-1.0.1k-11.72.1
The reproducer does NOT work on SLES 10. The test certificate is elliptic curve signed and SLES 10 openssl does not have elliptic curves. The same goes for compat-openssl097g on SLE11 too. (This is more a testcase issue. The bug is present and would happen if we had an RSA-signed cert.)
probably also not reproducible on sles11 openssl:

24577:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:163:

weird.
SUSE-SU-2015:1143-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 926597,929678,931698,933898,933911,934487,934489,934491,934493
CVE References: CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-3216,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): openssl-1.0.1i-25.1
SUSE Linux Enterprise Server 12 (src): openssl-1.0.1i-25.1
SUSE Linux Enterprise Desktop 12 (src): openssl-1.0.1i-25.1
SUSE-SU-2015:1150-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 879179,929678,931698,933898,933911,934487,934489,934491,934493
CVE References: CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-3216,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src): compat-openssl098-0.9.8j-78.1
SUSE Linux Enterprise Desktop 12 (src): compat-openssl098-0.9.8j-78.1
SUSE-SU-2015:1181-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 929678,931698,934487,934489,934491
CVE References: CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-4000
Sources used:
SLE CLIENT TOOLS 10 for x86_64 (src): openssl-0.9.8a-18.92.1
SLE CLIENT TOOLS 10 for s390x (src): openssl-0.9.8a-18.92.1
SLE CLIENT TOOLS 10 (src): openssl-0.9.8a-18.92.1
SUSE-SU-2015:1182-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 879179,929678,931698,933898,933911,934487,934489,934491,934493
CVE References: CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-3216,CVE-2015-4000
Sources used:
SUSE Studio Onsite 1.3 (src): openssl-0.9.8j-0.72.1
SUSE Manager 1.7 for SLE 11 SP2 (src): openssl-0.9.8j-0.72.1
SUSE-SU-2015:1183-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 929678,931698,934489,934491
CVE References: CVE-2015-1789,CVE-2015-1790,CVE-2015-4000
Sources used:
SUSE Linux Enterprise for SAP Applications 11 SP2 (src): compat-openssl097g-0.9.7g-146.22.31.1
SUSE Linux Enterprise for SAP Applications 11 SP1 (src): compat-openssl097g-0.9.7g-146.22.31.1
SUSE-SU-2015:1184-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 929678,931698,933911,934487,934489,934491,934493
CVE References: CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-3216,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src): openssl-0.9.8j-0.72.1
SUSE-SU-2015:1185-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 929678,931698,933911,934487,934489,934491,934493,934494
CVE References: CVE-2014-8176,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Security Module 11 SP3 (src): openssl1-1.0.1g-0.30.1
SUSE-SU-2015:1181-2: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 929678,931698,934487,934489,934491
CVE References: CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src): openssl-0.9.8a-18.92.1
SUSE-SU-2015:1183-2: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 929678,931698,934489,934491
CVE References: CVE-2015-1789,CVE-2015-1790,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src): compat-openssl097g-0.9.7g-13.31.1
SUSE Linux Enterprise Desktop 11 SP3 (src): compat-openssl097g-0.9.7g-146.22.31.1
SLES for SAP Applications (src): compat-openssl097g-0.9.7g-146.22.31.1
openSUSE-SU-2015:1277-1: An update that solves 16 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 912015,912018,912292,912293,912296,919648,920236,922496,922499,922500,931600,934487,934489,934491,934493,934494,937891
CVE References: CVE-2014-3570,CVE-2014-3572,CVE-2014-8176,CVE-2014-8275,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1792,CVE-2015-4000
Sources used:
openSUSE 13.2 (src): libressl-2.2.1-2.3.1
all released
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available.

Category: feature (moderate)
Sources used:
SUSE Manager Tools 12-BETA (src): venv-salt-minion-3002.2-3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.