On Tue, Nov 30, 2004, Andrew Kraslavsky wrote:
> Howdy,
>
> To test the security of my proprietary HTTPS server, built with OpenSSL
> library version 0.9.7d, I ran Nessus version 2.2 against it and it reported
> the following alert (as issued by Nessus plug-in ID 11875, described at:
> http://cgi.nessus.org/plugins/dump.php3?id=11875 ):
>
> ----------------------------------------
> The remote host seem to be running a version of OpenSSL which is older than
> 0.9.6k or 0.9.7c.
>
> There is a heap corruption bug in this version which might be exploited by an
> attacker to gain a shell on this host.
>
> Solution : If you are running OpenSSL, Upgrade to version 0.9.6k or 0.9.7c or newer
> Risk factor : High
> ----------------------------------------
>
> However, as mentioned above, the version of OpenSSL I am using is in fact
> newer than what Nessus suggests it to be (although just barely newer than
> 0.9.7c).
>
> ---> My question is, why does Nessus report this alert and, gulp, should I
> be worried about the associated "shell access" possibility?
>
> More specifically, does this mean that one of the ASN.1 parsing problems
> described in CAN-2003-0543, CAN-2003-0544, and CAN-2003-0545 occurred
> somewhere in the OpenSSL library?
>
> Also, I am not sure if this matters or not, but my HTTPS server does not
> require clients to provide their certificates so at server initialization
> time I invoke (among the other various start up calls):
>
>     SSL_CTX_set_verify( sslCtx, SSL_VERIFY_NONE, NULL );
>
> As I am about to release my product, I do not want to update the version of
> the OpenSSL library I am using but, of course, if there is a legitimate
> security concern here I will have to do so.
>
> Any help and advice you can provide would be greatly appreciated.
None of those ASN1 parsing problems have a known exploit AFAIK and the nature of them would make it difficult to do so. However they can be used for nasty DoS attacks on servers, even those which don't request client certificates, so using a later version is advisable.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
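As an added example (not from either poster, and not Nessus's own plug-in logic), a defender-side check for the situation in the question: parse a letter-suffixed OpenSSL version such as 0.9.7d and decide whether it is at or above the fix level the alert names for its branch (0.9.6k or 0.9.7c). The `OpenSSL/x.y.zl` banner format and the treatment of branches other than 0.9.6 and 0.9.7 are my assumptions.

```python
"""Compare an OpenSSL version string against the fix levels quoted in the
Nessus 11875 alert: 0.9.6k for the 0.9.6 branch, 0.9.7c for the 0.9.7 branch."""
import re

# Minimum fixed release per branch, exactly as quoted in the alert text.
FIXED_BY_BRANCH = {
    (0, 9, 6): (0, 9, 6, "k"),
    (0, 9, 7): (0, 9, 7, "c"),
}

# Classic OpenSSL numbering: major.minor.patch plus an optional letter suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
# Assumed banner form, e.g. "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7d".
_BANNER_RE = re.compile(r"OpenSSL/(\d+\.\d+\.\d+[a-z]*)")


def parse_openssl_version(text):
    """Turn '0.9.7d' into (0, 9, 7, 'd'). The letter may be empty ('0.9.7')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_fixed(version_text):
    """True if the version is at or above its branch's fixed release.

    Tuple comparison handles the letter suffix: '' sorts before 'c', so a bare
    0.9.7 is below 0.9.7c, while 0.9.7d is above it. Branches newer than 0.9.7
    are assumed fixed; branches older than 0.9.6 never received the fix.
    """
    v = parse_openssl_version(version_text)
    branch = v[:3]
    if branch in FIXED_BY_BRANCH:
        return v >= FIXED_BY_BRANCH[branch]
    return branch > (0, 9, 7)


def version_from_banner(banner):
    """Extract the advertised OpenSSL version from a Server banner, or None.

    A server that advertises nothing (as a proprietary HTTPS server may) gives
    a banner-based scanner no version to work with, which is one reason a
    version-based alert can disagree with the library actually linked in.
    """
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed banner for the poster's stated library version.
    banner = "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7d"
    ver = version_from_banner(banner)
    print(ver, "fixed" if is_fixed(ver) else "NOT fixed")
```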