crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote attackers to cause a denial of service (application crash) via crafted CBC data.

Updated rhevm-spice-client packages that fix multiple security issues are now available for Red Hat Enterprise Virtualization Manager 3.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat Enterprise Virtualization Manager provides access to virtual machines using SPICE. These SPICE client packages provide the SPICE client and usbclerk service for both Windows 32-bit operating systems and Windows 64-bit operating systems.

The rhevm-spice-client package includes the mingw-virt-viewer Windows SPICE client. OpenSSL, a general purpose cryptography library with a TLS implementation, is bundled with mingw-virt-viewer. The mingw-virt-viewer package has been updated to correct the following issues :

An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys.
(CVE-2014-0160)

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169)

A NULL pointer dereference flaw was found in the way OpenSSL handled TLS/SSL protocol handshake packets. A specially crafted handshake packet could cause a TLS/SSL client using OpenSSL to crash.
(CVE-2013-4353)

It was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text. (CVE-2012-4929)

Red Hat would like to thank the OpenSSL project for reporting CVE-2014-0160. Upstream acknowledges Neel Mehta of Google Security as the original reporter.

The updated mingw-virt-viewer Windows SPICE client further includes OpenSSL security fixes that have no security impact on mingw-virt-viewer itself. The security fixes included in this update address the following CVE numbers :

CVE-2013-6449, CVE-2013-6450, CVE-2012-2686, and CVE-2013-0166

All Red Hat Enterprise Virtualization Manager users are advised to upgrade to these updated packages, which address these issues.

openssl was updated to 1.0.1e, fixing bugs and security issues :

o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version. o Include the fips configuration module. o Fix OCSP bad key DoS attack CVE-2013-0166 bnc#802746 o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169 bnc#802184 o Fix for TLS AESNI record handling flaw CVE-2012-2686

Also the following buyg was fixed: bnc#757773 - c_rehash to accept more filename extensions

openssl was updated to 1.0.0k security release to fix bugs and security issues. (bnc#802648 bnc#802746) The version was upgraded to avoid backporting the large fixes for SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169) TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686) OCSP invalid key DoS issue (CVE-2013-0166)

Also the following bugfix was included: bnc#757773 - c_rehash to accept more filename extensions

The remote host is affected by the vulnerability described in GLSA-201312-03 (OpenSSL: Multiple Vulnerabilities)

    Multiple vulnerabilities have been discovered in OpenSSL. Please review       the CVE identifiers referenced below for details.
  Impact :

    Remote attackers can determine private keys, decrypt data, cause a       Denial of Service or possibly have other unspecified impact.
  Workaround :

    There is no known workaround at this time.

The remote host is missing Mac OS X security update 2013-004 that fixes multiple security issues. 

The remote host is running a version of Mac OS X 10.8 that is older than 10.8.5. The newer version contains numerous security-related fixes for the following components :

  - Apache
  - Bind
  - Certificate Trust Policy
  - CoreGraphics
  - ImageIO
  - Installer
  - IPSec
  - Kernel
  - Mobile Device Management
  - OpenSSL
  - PHP
  - PostgreSQL
  - Power Management
  - QuickTime
  - Screen Lock
  - sudo

 This update also addresses an issue in which certain Unicode strings could cause applications to unexpectedly quit.

 Note that successful exploitation of the most serious issues could result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-004 applied.  This update contains several security-related fixes for the following component :

  - Apache
  - Bind
  - Certificate Trust Policy
  - ClamAV
  - Installer
  - IPSec
  - Mobile Device Management
  - OpenSSL
  - PHP
  - PostgreSQL
  - QuickTime
  - sudo

Note that successful exploitation of the most serious issues could result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.8.x that is prior to 10.8.5. The newer version contains multiple security-related fixes for the following components :

  - Apache
  - Bind
  - Certificate Trust Policy
  - CoreGraphics
  - ImageIO
  - Installer
  - IPSec
  - Kernel
  - Mobile Device Management
  - OpenSSL
  - PHP
  - PostgreSQL
  - Power Management
  - QuickTime
  - Screen Lock
  - sudo

This update also addresses an issue in which certain Unicode strings could cause applications to unexpectedly quit.

Note that successful exploitation of the most serious issues could result in arbitrary code execution.

Versions of OpenSSL prior to 0.9.8y are reportedly affected by the following vulnerabilities :

  - An error exists related to the handling of OCSP response verification that could allow denial of service attacks. (CVE-2013-0166)

  - An error exists related to the SSL/TLS/DTLS protocols, CBC mode encryption and response time. An attacker could obtain plaintext contents of encrypted traffic via timing attacks. (CVE-2013-0169)

The remote host is running a version of IBM Tivoli Endpoint Manager Server prior to 8.2.1372. It is, therefore, affected by multiple vulnerabilities :

  - Multiple SSL related denial of service vulnerabilities     exist. (CVE-2012-2686, CVE-2013-0166)

  - An SSL side-channel timing analysis attack allows full     or partial plaintext recovery by a third-party listener.
    (CVE-2013-0169)

  - A cross-site request forgery vulnerability exists in the     Use Analysis Application that can be exploited via a     specially crafted AMF message. (CVE-2013-0452)

  - An unspecified cross-site scripting vulnerability exists     in IBM Tivoli Endpoint Manager Web Reports.
    (CVE-2013-0453)

USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0169 and CVE-2012-2686 was reverted in USN-1732-2 because of a regression.
This update restores the security fix, and includes an extra fix from upstream to address the AES-NI regression. We apologize for the inconvenience.

Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly handled certain crafted CBC data when used with AES-NI. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10. (CVE-2012-2686)

Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used in OpenSSL was vulnerable to a timing side-channel attack known as the 'Lucky Thirteen' issue. A remote attacker could use this issue to perform plaintext-recovery attacks via analysis of timing data.
(CVE-2013-0169).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0166 and CVE-2012-2686 introduced a regression causing decryption failures on hardware supporting AES-NI. This update temporarily reverts the security fix pending further investigation. We apologize for the inconvenience.

Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly handled certain crafted CBC data when used with AES-NI. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10. (CVE-2012-2686)

Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used in OpenSSL was vulnerable to a timing side-channel attack known as the 'Lucky Thirteen' issue. A remote attacker could use this issue to perform plaintext-recovery attacks via analysis of timing data.
(CVE-2013-0169).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly handled certain crafted CBC data when used with AES-NI. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10. (CVE-2012-2686)

Stephen Henson discovered that OpenSSL incorrectly performed signature verification for OCSP responses. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service.
(CVE-2013-0166)

Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used in OpenSSL was vulnerable to a timing side-channel attack known as the 'Lucky Thirteen' issue. A remote attacker could use this issue to perform plaintext-recovery attacks via analysis of timing data.
(CVE-2013-0169).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New openssl packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

The version of OpenSSL installed on the remote host is prior to 1.0.1d. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.0.1d advisory.

  - OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature     verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL     pointer dereference and application crash) via an invalid key. (CVE-2013-0166)

  - crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in     OpenSSL 1.0.1 before 1.0.1d allows remote attackers to cause a denial of service (application crash) via     crafted CBC data. (CVE-2012-2686)

  - The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and     other products, do not properly consider timing side-channel attacks on a MAC check requirement during the     processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and     plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the Lucky     Thirteen issue. (CVE-2013-0169)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

OpenSSL security team reports :

A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI supporting platforms can be exploited in a DoS attack.

A flaw in the OpenSSL handling of OCSP response verification can be exploited in a denial of service attack.

ID	Name	Product	Family	Severity
79013	RHEL 6 : rhevm-spice-client (RHSA-2014:0416)	Nessus	Red Hat Local Security Checks	high
74902	openSUSE Security Update : openssl (openSUSE-SU-2013:0337-1)	Nessus	SuSE Local Security Checks	medium
74901	openSUSE Security Update : openssl (openSUSE-SU-2013:0336-1)	Nessus	SuSE Local Security Checks	high
71169	GLSA-201312-03 : OpenSSL: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
8008	Mac OS X 10.8 < 10.8.5 Multiple Vulnerabilities (Security Update 2013-004)	Nessus Network Monitor	Web Clients	critical
69878	Mac OS X Multiple Vulnerabilities (Security Update 2013-004)	Nessus	MacOS X Local Security Checks	critical
69877	Mac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
6868	OpenSSL < 0.9.8y / 1.0.1d / 1.0.0k Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	low
66270	IBM Tivoli Endpoint Manager Server < 8.2.1372 Multiple Vulnerabilities	Nessus	CGI abuses	medium
65684	Ubuntu 12.04 LTS / 12.10 : openssl vulnerability (USN-1732-3)	Nessus	Ubuntu Local Security Checks	medium
64968	Ubuntu 12.04 LTS / 12.10 : openssl regression (USN-1732-2)	Nessus	Ubuntu Local Security Checks	medium
64798	Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : openssl vulnerabilities (USN-1732-1)	Nessus	Ubuntu Local Security Checks	medium
64535	Slackware 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / 14.0 / current : openssl (SSA:2013-040-01)	Nessus	Slackware Local Security Checks	medium
64534	OpenSSL 1.0.1 < 1.0.1d Multiple Vulnerabilities	Nessus	Web Servers	high
64488	FreeBSD : OpenSSL -- TLS 1.1, 1.2 denial of service (00b0d8cd-7097-11e2-98d9-003067c2616f)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2012-2686

high

Tenable Plugins

high

medium

high

high

critical

critical

critical

low

medium

medium

medium

medium

medium

high

medium