
[R6] OpenSSL '20150319' Advisory Affects Tenable Products

High

Synopsis

Nessus is potentially impacted by seven vulnerabilities in OpenSSL that were recently disclosed and fixed.

  • OpenSSL contains an invalid read flaw in the ASN1_TYPE_cmp() function in crypto/asn1/a_type.c that is triggered when an attempt is made to compare ASN.1 boolean types. This may allow a context-dependent attacker to crash an application linked against the library. (CVE-2015-0286)
  • OpenSSL contains a flaw in the ASN1_item_ex_d2i() function in crypto/asn1/tasn_dec.c. The issue is triggered as user-supplied input is not properly validated when reusing a structure in ASN.1 parsing. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code in an application linked against the library. (CVE-2015-0287)
  • OpenSSL contains a NULL pointer dereference flaw in the PKCS#7 parsing code that is triggered when handling missing outer ContentInfo. This may allow an attacker to cause a denial of service in an application linked against the library. (CVE-2015-0289)
  • OpenSSL contains a flaw that is triggered when handling a specially crafted SSLv2 CLIENT-MASTER-KEY message. This may allow a malicious client to cause an application linked against the library to abort. (CVE-2015-0293)
  • OpenSSL contains a NULL pointer dereference flaw in the X509_to_X509_REQ() function in crypto/x509/x509_req.c. With a specially crafted X.509 certificate, an attacker can crash an application linked against the library. (CVE-2015-0288)
  • OpenSSL contains a use-after-free condition in the d2i_ECPrivateKey() function in crypto/ec/ec_asn1.c that is triggered when encountering certain errors. This may allow a remote attacker to dereference or free already freed memory, crashing an application linked against the library. (CVE-2015-0209)
  • OpenSSL contains a flaw that is triggered when handling RSA temporary keys in a non-export RSA key exchange ciphersuite. This may allow a remote attacker to downgrade the security of a session to use EXPORT_RSA ciphers, which are significantly weaker than non-export ciphers. This may allow a man-in-the-middle attacker to more easily break the encryption and monitor or tamper with the encrypted stream. This issue has been dubbed 'FREAK'. (CVE-2015-0204)
  • OpenSSL contains a flaw that is triggered as the program accepts non-DER-variations of certificate signature algorithm and signature encodings. Due to the program not enforcing a match between signature algorithm for signed and unsigned portions of the signature, a remote attacker can modify the contents of the signature algorithm or encoding of the signature and change a certificate's fingerprint. This may allow the attacker to bypass certain features, such as certificate blacklists, of custom applications that rely on fingerprint uniqueness. (CVE-2014-8275)
  • OpenSSL contains an integer underflow condition in the EVP_DecodeUpdate() function in crypto/evp/encode.c that is triggered as Base64 encoded input is not properly validated when decoding. This may allow an attacker to cause a buffer overflow, crashing an application linked against the library or potentially execute arbitrary code. (CVE-2015-0292)

Notes and caveats:

  • Note that the associated CVSSv2 score represents the highest scored of the seven issues.
  • Nessus is affected by CVE-2015-0204, CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, and CVE-2015-0293.
  • The Tenable Appliance is affected by CVE-2015-0204, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2014-8275, and CVE-2015-0292.
  • SecurityCenter is affected by CVE-2015-0286.
  • Tenable strongly recommends that products be installed on a subnet that is not Internet addressable.

Solution

Tenable has updated the affected products to address these issues. Please see the instructions below:

Nessus:

Tenable has released versions 5.2.9 and 6.3.4, which correspond to the supported operating systems and architectures. These versions bundle the updated OpenSSL library (1.0.0r), which is not affected.

To update your Nessus installation, follow these steps:
1. Download the appropriate installation file to the system hosting Nessus or Nessus Enterprise, available at the Tenable Support Portal (https://support.tenable.com/support-center/index.php?x=&mod_id=200)
2. Stop the Nessus service.
3. Install according to your operating system procedures.
4. Restart the Nessus service.

SecurityCenter:

Tenable has released patches for supported versions of SecurityCenter. These patches bundle an updated OpenSSL library that is not affected. The patch can be obtained from:

https://support.tenable.com/support-center/index.php?x=&mod_id=160

File                     md5sum
SC-201504.1-rh5-32.tgz   3f214b567df7dd91d4e9a951a2f45724
SC-201504.1-rh5-64.tgz   704705fe5c4e1cb3e48a3ab51eb77670
SC-201504.1-rh6-32.tgz   e13c0ffd61387b122c8e4057fa6b6f9d
SC-201504.1-rh6-64.tgz   579af7fde29505178da869fefef5dbd5

Tenable Appliance:

Tenable has released version 3.4.0 that corresponds to the supported operating systems and architectures. This version bundles an updated OpenSSL library that is not affected.

File                                 md5sum                            SHA1 sum
TenableAppliance-3.4.0-5-update.tar  4568541b0e36f649354c6aa05fa13366  dc2a6087f375f444859d35678dc779947189fc9e
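The SecurityCenter and Tenable Appliance tables above publish md5sum (and, for the Appliance, SHA1) digests so that an administrator can confirm the update archive was not corrupted or swapped between the Support Portal and the host being patched. The following script is an added example for this advisory, not Tenable's own tooling: it embeds the file names and digests exactly as listed in the two tables, streams a downloaded file once, and refuses anything the advisory does not list, anything missing on disk, or anything whose digests do not all match. The `self_check()` routine exercises it against a constructed stand-in file (not a real Tenable archive) so the behaviour can be seen offline.

```python
"""Verify downloaded Tenable update files against the digests published in TNS-2015-04."""
import hashlib
import os
import tempfile

# Digests copied from the SecurityCenter and Tenable Appliance tables in this advisory.
# md5sum is given for every file; a SHA1 sum is published only for the Appliance update.
PUBLISHED_DIGESTS = {
    "SC-201504.1-rh5-32.tgz": {"md5": "3f214b567df7dd91d4e9a951a2f45724"},
    "SC-201504.1-rh5-64.tgz": {"md5": "704705fe5c4e1cb3e48a3ab51eb77670"},
    "SC-201504.1-rh6-32.tgz": {"md5": "e13c0ffd61387b122c8e4057fa6b6f9d"},
    "SC-201504.1-rh6-64.tgz": {"md5": "579af7fde29505178da869fefef5dbd5"},
    "TenableAppliance-3.4.0-5-update.tar": {
        "md5": "4568541b0e36f649354c6aa05fa13366",
        "sha1": "dc2a6087f375f444859d35678dc779947189fc9e",
    },
}


def file_digests(path, algorithms):
    """Read the file once and return {algorithm: hexdigest} for every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_download(path, published=PUBLISHED_DIGESTS):
    """Check a downloaded file against every digest the advisory lists for it.

    Returns (ok, detail). ok is True only when the file is listed, present, and
    matches on every published algorithm; a partial match is still a failure.
    """
    name = os.path.basename(path)
    expected = published.get(name)
    if expected is None:
        return False, "%s: not listed in the advisory" % name
    if not os.path.isfile(path):
        return False, "%s: file not found" % name
    actual = file_digests(path, expected.keys())
    mismatches = sorted(alg for alg, digest in expected.items()
                        if actual[alg] != digest.lower())
    if mismatches:
        return False, "%s: mismatch on %s" % (name, ", ".join(mismatches))
    return True, "%s: all published digests match" % name


def self_check():
    """Run the verifier against a constructed stand-in file; returns the outcomes.

    The stand-in bytes are made up here and are not the real SC-201504.1-rh6-64.tgz,
    so the advisory's digest must reject them while digests computed from the
    stand-in itself must accept them.
    """
    with tempfile.TemporaryDirectory() as workdir:
        sample = b"constructed stand-in for SC-201504.1-rh6-64.tgz, not the real archive\n"
        path = os.path.join(workdir, "SC-201504.1-rh6-64.tgz")
        with open(path, "wb") as fh:
            fh.write(sample)
        tampered_ok, tampered_msg = verify_download(path)
        local = {"SC-201504.1-rh6-64.tgz": {
            "md5": hashlib.md5(sample).hexdigest(),
            "sha1": hashlib.sha1(sample).hexdigest(),
        }}
        genuine_ok, _ = verify_download(path, local)
        unlisted_ok, _ = verify_download(os.path.join(workdir, "unknown.tgz"))
        missing_ok, _ = verify_download(
            os.path.join(workdir, "TenableAppliance-3.4.0-5-update.tar"))
    return {
        "tampered": tampered_ok, "tampered_msg": tampered_msg,
        "genuine": genuine_ok, "unlisted": unlisted_ok, "missing": missing_ok,
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for arg in sys.argv[1:]:
            print(verify_download(arg)[1])
    else:
        print(self_check())
```

Run it as `python verify_tns_2015_04.py SC-201504.1-rh6-64.tgz` after downloading. A matching digest shows the archive is the one the advisory describes; it is not an authenticity proof in itself, since the digests are only as trustworthy as the channel this advisory page was fetched over, so compare them against the copy on the vendor's site rather than a mirror.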

This page contains information regarding security vulnerabilities that may impact Tenable's products. This may include issues specific to our software, or due to the use of third-party libraries within our software. Tenable strongly encourages users to ensure that they upgrade or apply relevant patches in a timely manner.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TNS-2015-04
Risk Factor: High
CVSSv2 Base / Temporal Score: 7.9 / 5.8
CVSSv2 Vector: (AV:A/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Additional Keywords: FREAK

Affected Products

Nessus: 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 6.3.0, 6.3.1, 6.3.2
Tenable Appliance: 3.2.0, 3.3.1
SecurityCenter: 4.6.0, 4.6.1, 4.6.2, 4.6.2.2, 4.7.0, 4.7.1, 4.8.0, 4.8.1, 4.8.2

Disclosure Timeline

2015-01-06 - Disclosure of 'FREAK'
2015-03-16 - Disclosure of 5 Additional OpenSSL Vulns
2015-03-19 - OpenSSL 1.0.0r Available
2015-03-30 - Nessus Upgrade Available

Advisory Timeline

2015-03-30 - [R1] Initial release
2015-04-13 - [R2] Tenable Appliance information added (includes 2 additional CVEs)
2015-04-14 - [R3] SecurityCenter information added, correction to description
2016-03-03 - [R4] Title standardization
2016-11-17 - [R5] Adjust CVSSv2 score
2017-02-28 - [R6] Adjust CVSS for worst-case scenario (AV:A -> AV:N)