Bug 945905 (CVE-2015-5244) - VUL-0: CVE-2015-5244: apache2-mod_nss: incorrect ciphersuite parsing
Summary: VUL-0: CVE-2015-5244: apache2-mod_nss: incorrect ciphersuite parsing
Status: RESOLVED UPSTREAM
Alias: CVE-2015-5244
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/156578/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-15 15:23 UTC by Victor Pereira
Modified: 2016-04-27 19:45 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2015-09-15 15:23:26 UTC
rh#1259216

The NSSCipherSuite option of mod_nss accepts OpenSSL-styled cipherstrings. It was found that the parsing of such cipherstrings is flawed. If this option is used to disable insecure ciphersuites using the common "!" syntax, e.g.:

NSSCipherSuite !eNULL:!aNULL:AESGCM+aRSA:ECDH+aRSA

it will actually enable those insecure ciphersuites.

Acknowledgements:

This issue was discovered by Hubert Kario of Red Hat.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1259216
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5244
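As an added illustration (not mod_nss code and not part of the bug report), a small reference parser that applies the OpenSSL cipher-string semantics the report assumes: "!" removes matching suites permanently, "-" removes them until a later keyword re-adds them, "+" moves matches to the end, and "A+B" requires both properties. The suite table is a constructed subset with hand-assigned property keywords; running the parser on the report's NSSCipherSuite line shows what a correct implementation must produce, namely no eNULL or aNULL suite in the result.

```python
# Constructed subset of suites -> OpenSSL-style property keywords (illustrative only).
SUITES = {
    "NULL-SHA":                    {"eNULL", "aRSA", "kRSA", "SHA1"},
    "AECDH-NULL-SHA":              {"eNULL", "aNULL", "kEECDH", "ECDH", "SHA1"},
    "ADH-AES128-SHA":              {"aNULL", "kEDH", "AES128", "SHA1"},
    "AES128-GCM-SHA256":           {"AESGCM", "AES128", "aRSA", "kRSA", "SHA256"},
    "ECDHE-RSA-AES128-GCM-SHA256": {"AESGCM", "AES128", "aRSA", "kEECDH", "ECDH", "SHA256"},
    "ECDHE-RSA-AES256-SHA":        {"AES256", "aRSA", "kEECDH", "ECDH", "SHA1"},
}


def parse_cipher_string(spec, suites=SUITES):
    """Resolve an OpenSSL-style cipher string to an ordered list of suite names."""
    enabled = []     # current ordered selection
    killed = set()   # suites removed with "!" can never be re-added later
    for word in spec.split(":"):
        if not word:
            continue
        op = word[0] if word[0] in "!-+" else ""
        props = word[len(op):].split("+")       # "AESGCM+aRSA": must have both
        matched = [s for s, p in suites.items() if all(k in p for k in props)]
        if op == "!":                           # permanent removal
            killed.update(matched)
            enabled = [s for s in enabled if s not in matched]
        elif op == "-":                         # removal that a later keyword can undo
            enabled = [s for s in enabled if s not in matched]
        elif op == "+":                         # move matches to the end of the list
            enabled = [s for s in enabled if s not in matched] + \
                      [s for s in enabled if s in matched]
        else:                                   # plain keyword appends new matches
            enabled += [s for s in matched if s not in enabled and s not in killed]
    return enabled


def insecure_suites(enabled, suites=SUITES):
    """Audit check: suites in the resolved list with no encryption or no authentication."""
    return [s for s in enabled if suites[s] & {"eNULL", "aNULL"}]


if __name__ == "__main__":
    line = "!eNULL:!aNULL:AESGCM+aRSA:ECDH+aRSA"     # the NSSCipherSuite value from the report
    good = parse_cipher_string(line)
    print(good, insecure_suites(good))              # no eNULL/aNULL suite may survive
    # "-" is not "!": a later keyword can bring a "-"-removed suite back.
    print(insecure_suites(parse_cipher_string("-eNULL:ECDH")))
    print(insecure_suites(parse_cipher_string("!eNULL:ECDH")))
```

Checking the resolved list with `insecure_suites` rather than trusting the configuration string is the test a deployment should run, since the report shows that the string's intent and the parser's result can disagree.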
Comment 1 Swamp Workflow Management 2015-09-15 22:00:57 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2015-09-28 09:19:30 UTC
Can you please submit fixed packages?
Comment 3 Vítězslav Čížek 2015-09-29 09:46:00 UTC
I don't have to.

Our mod_nss doesn't support OpenSSL-style cipherstrings.
We ship 1.0.8, which supports only NSS-style ciphers (only +, - and , are valid special characters).
Using an exclamation mark in NSSCipherSuite will result in a parsing error.

This feature was added in 1.0.11:
https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=2d1650900f4d47dc43400d826c0f7e1a7c5229b8

Reassigning to security team.
Comment 4 Marcus Meissner 2015-10-01 09:05:02 UTC
oki