The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2011:0677 advisory.

    OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)     and Transport Layer Security (TLS v1) protocols, as well as a     full-strength, general purpose cryptography library.

    A buffer over-read flaw was discovered in the way OpenSSL parsed the     Certificate Status Request TLS extensions in ClientHello TLS handshake     messages. A remote attacker could possibly use this flaw to crash an SSL     server using the affected OpenSSL functionality. (CVE-2011-0014)

    This update fixes the following bugs:

    * The openssl speed command (which provides algorithm speed measurement)     failed when openssl was running in FIPS (Federal Information Processing     Standards) mode, even if testing of FIPS approved algorithms was requested.
    FIPS mode disables ciphers and cryptographic hash algorithms that are not     approved by the NIST (National Institute of Standards and Technology)     standards. With this update, the openssl speed command no longer fails.
    (BZ#619762)

    * The openssl pkcs12 -export command failed to export a PKCS#12 file in     FIPS mode. The default algorithm for encrypting a certificate in the     PKCS#12 file was not FIPS approved and thus did not work. The command now     uses a FIPS approved algorithm by default in FIPS mode. (BZ#673453)

    This update also adds the following enhancements:

    * The openssl s_server command, which previously accepted connections     only over IPv4, now accepts connections over IPv6. (BZ#601612)

    * For the purpose of allowing certain maintenance commands to be run (such     as rsync), an OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable     has been added. When a system is configured for FIPS mode and is in a     maintenance state, this newly added environment variable can be set to     allow software that requires the use of an MD5 cryptographic hash algorithm     to be run, even though the hash algorithm is not approved by the FIPS-140-2     standard. (BZ#673071)

    Users of OpenSSL are advised to upgrade to these updated packages, which     contain backported patches to resolve these issues and add these     enhancements. For the update to take effect, all services linked to the     OpenSSL library must be restarted, or the system rebooted.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

RHEL 6 : openssl (RHSA-2011:0677)

critical Nessus Plugin ID 54599

Version 1.21