FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

openssl -- multiple vulnerabilities

Affected packages
openssl < 1.0.2_7
1.0.1 <= mingw32-openssl < 1.0.2f
10.2 <= FreeBSD < 10.2_12
10.1 <= FreeBSD < 10.1_29
9.3 <= FreeBSD < 9.3_36

Details

VuXML ID 3679fd10-c5d1-11e5-b85f-0018fe623f2b
Discovery 2016-01-22
Entry 2016-01-28
Modified 2016-08-09

OpenSSL project reports:

  1. Historically OpenSSL only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example this could be used to discover a TLS server's private DH exponent if it's reusing the private DH exponent or it's using a static DH ciphersuite. OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk. (CVE-2016-0701)
  2. A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. (CVE-2015-3197)

References

CVE Name CVE-2015-3197
CVE Name CVE-2016-0701
FreeBSD Advisory SA-16:11.openssl
URL https://www.openssl.org/news/secadv/20160128.txt