Debian DSA-288-1 : openssl - several vulnerabilities

high Nessus Plugin ID 15125

Synopsis

The remote Debian host is missing a security-related update.

Description

Researchers discovered two flaws in OpenSSL, a Secure Socket Layer (SSL) library and related cryptographic tools. Applications that are linked against this library are generally vulnerable to attacks that could leak the server's private key or make the encrypted session decryptable otherwise. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities :

CAN-2003-0147 OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key.
CAN-2003-0131 The SSL allows remote attackers to perform an unauthorized RSA private key operation that causes OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext.

Solution

Upgrade the openssl packages immediately and restart the applications that use OpenSSL.

For the stable distribution (woody) these problems have been fixed in version 0.9.6c-2.woody.3.

For the old stable distribution (potato) these problems have been fixed in version 0.9.6c-0.potato.6.

Unfortunately, RSA blinding is not thread-safe and will cause failures for programs that use threads and OpenSSL such as stunnel. However, since the proposed fix would change the binary interface (ABI), programs that are dynamically linked against OpenSSL won't run anymore. This is a dilemma we can't solve.

You will have to decide whether you want the security update which is not thread-safe and recompile all applications that apparently fail after the upgrade, or fetch the additional source packages at the end of this advisory, recompile it and use a thread-safe OpenSSL library again, but also recompile all applications that make use of it (such as apache-ssl, mod_ssl, ssh etc.).

However, since only very few packages use threads and link against the OpenSSL library most users will be able to use packages from this update without any problems.

See Also

http://www.debian.org/security/2003/dsa-288

Plugin Details

Severity: High

ID: 15125

File Name: debian_DSA-288.nasl

Version: 1.26

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:2.2, p-cpe:/a:debian:debian_linux:openssl, cpe:/o:debian:debian_linux:3.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 4/17/2003

Vulnerability Publication Date: 3/19/2003

Reference Information

CVE: CVE-2003-0131, CVE-2003-0147

BID: 7101, 7148

CERT: 888801

DSA: 288