OpenSSL CMS code execution (Content_CMS_OpenSSL_Exec)

About this signature or vulnerability

IBM Security Host Protection for Desktops, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware, Proventia Network IPS, IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor:

This signature detects a Cryptographic Message Syntax (CMS) request of type Enveloped-Data containing an 'OriginatorInfo' element, which may allow remote code execution on a system running OpenSSL with CMS enabled. The only known public exploit is distinguished by its use of ASN.1 indefinite-length encoding and is caught by default, but the vulnerability can be triggered with or without indefinite-length encoding. Because the vulnerable sequence can also occur in a valid CMS message, the signature does not trigger by default unless ASN.1 indefinite-length encoding is observed. To trigger when the sequence occurs without ASN.1 indefinite-length encoding, set pam.cms.trigger.without.indefinite.length to 'true'.
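As an added example (not code from the X-Force signature or from OpenSSL), a minimal BER walker in Python that applies the detection logic described above: it flags an EnvelopedData ContentInfo that carries an OriginatorInfo element, records whether any TLV in the message uses the ASN.1 indefinite-length form, and, mirroring the pam.cms.trigger.without.indefinite.length setting, only alerts on a definite-length message when that option is enabled. The sample messages are constructed here for structure only and are not valid, decryptable CMS.

```python
from collections import namedtuple

ENVELOPED_DATA_OID = bytes.fromhex("2a864886f70d010703")  # contents octets of OID 1.2.840.113549.1.7.3
Node = namedtuple("Node", "tag body indef end")  # body: bytes or child Nodes; indef: this or any nested TLV is indefinite-length

def read_tlv(buf: bytes, pos: int) -> Node:
    """Parse one BER TLV (single-octet tags), recursing into constructed types."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:                  # indefinite form: children run until end-of-contents 00 00
        if not tag & 0x20:
            raise ValueError("indefinite length on a primitive type")
        children = []
        while buf[pos:pos + 2] != b"\x00\x00":   # a missing EOC surfaces as IndexError from the recursion
            children.append(read_tlv(buf, pos))
            pos = children[-1].end
        return Node(tag, children, True, pos + 2)
    if first & 0x80:                   # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + first
    if end > len(buf):
        raise ValueError("truncated TLV")
    if not tag & 0x20:
        return Node(tag, buf[pos:end], False, end)
    children = []
    while pos < end:
        children.append(read_tlv(buf, pos))
        pos = children[-1].end
    return Node(tag, children, any(c.indef for c in children), end)

def inspect_cms(buf: bytes, trigger_without_indefinite: bool = False) -> dict:
    """Apply the signature's logic: EnvelopedData carrying OriginatorInfo, gated on indefinite length."""
    root = read_tlv(buf, 0)            # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }
    if root.tag != 0x30 or len(root.body) != 2 or root.body[0].tag != 0x06 or root.body[1].tag != 0xA0:
        raise ValueError("not a CMS ContentInfo")
    enveloped, originator = root.body[0].body == ENVELOPED_DATA_OID, False
    if enveloped:                      # EnvelopedData ::= SEQUENCE { version, originatorInfo [0] IMPLICIT OPTIONAL, ... }
        env = root.body[1].body[0]
        originator = len(env.body) > 1 and env.body[1].tag == 0xA0
    return {"enveloped": enveloped, "originator_info": originator, "indefinite_length": root.indef,
            "alert": originator and (root.indef or trigger_without_indefinite)}

def tlv(tag: int, body: bytes, indefinite: bool = False) -> bytes:  # encoder for the constructed samples only
    return bytes([tag, 0x80]) + body + b"\x00\x00" if indefinite else bytes([tag, len(body)]) + body

def sample_enveloped(with_originator: bool, indefinite: bool) -> bytes:
    # constructed minimal EnvelopedData ContentInfo: structure only, not a decryptable message
    originator = tlv(0xA0, tlv(0xA0, b"")) if with_originator else b""  # [0] OriginatorInfo { certs [0] {} }
    env = tlv(0x30, tlv(0x02, b"\x02") + originator + tlv(0x31, b"") + tlv(0x30, b""), indefinite)
    return tlv(0x30, tlv(0x06, ENVELOPED_DATA_OID) + tlv(0xA0, env, indefinite), indefinite)
```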

Default risk level

High

Sensors that have this signature

IBM Security Host Protection for Desktops: 2730, Proventia Network IDS: XPU 32.020, Proventia-G 1.1 and earlier: XPU 32.020, Proventia Network MFS: XPU 32.020, Proventia Server IPS for Linux technology: 32.020, Virtual Server Protection for Vmware: XPU 32.020, Proventia Network IPS: XPU 32.020, IBM Security Host Protection for Servers (Unix): 2.2.2, IBM Security Host Protection for Servers (Windows): 2.1.14.2730, RealSecure Server Sensor: XPU 32.020

Systems affected

Kolab Kolab Server: 2.0.0, OpenSSL OpenSSL: 0.9.8h, BalaBit syslog-ng: 2.0.9 Premium, BalaBit syslog-ng: 2.0.6 Premium, BalaBit syslog-ng: 2.0.5 Premium, BalaBit syslog-ng: 2.0.4 Premium, BalaBit syslog-ng: 2.0.3 Premium, BalaBit syslog-ng: 2.0.2 Premium, BalaBit syslog-ng: 2.0.1 Premium, Kolab Kolab Server: 2.1, Kolab Kolab Server: 2.2, VooDoo cIRCLe: 1.1.x, OpenSSL OpenSSL: 0.9.8i, OpenSSL OpenSSL: 0.9.8j, OpenSSL OpenSSL: 0.9.8k, VooDoo cIRCLe Xtelnet: 0.4.3, OpenSSL OpenSSL: 0.9.8l, OpenSSL OpenSSL: 0.9.8m, OpenSSL OpenSSL: 1.0.0, BlueCoat Reporter: 9.2.3.1, BlueCoat Reporter: 9.1.5.1, BlueCoat Reporter: 8.3.7.1, IBM Sterling Connect Enterprise for UNIX: 2.4, IBM Sterling Connect Enterprise for UNIX: 2.5, IBM Sterling Connect Enterprise for UNIX: 1.4, IBM Sterling Connect Enterprise for UNIX: 1.5, IBM Netcool System Service Monitor: 4.0

Type

Unauthorized Access Attempt

Vulnerability description

OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an error when handling CMS (Cryptographic Message Syntax) structures. If CMS is enabled, a remote attacker could exploit this vulnerability using a specially crafted CMS structure containing an "OriginatorInfo" element to trigger a double free or a write to invalid memory addresses and execute arbitrary code on the system.

How to remove this vulnerability

Upgrade to the latest version of OpenSSL (0.9.8o or 1.0.0a or later), available from the OpenSSL Web site. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

OpenSSL Security Advisory [01-Jun-2010]
Two security flaws have been fixed in OpenSSL 0.9.8o and OpenSSL 1.0.0a
http://www.openssl.org/news/secadv_20100601.txt

OpenSSL Web site
OpenSSL
http://www.openssl.org/

An OpenSource VooDoo cIRCle - security advisory 20100624-01
In Win32/64 binary releases there are vulnerable OpenSSL DLL files
http://voodoo-circle.sourceforge.net/sa/sa-20100624-01.html

An OpenSource VooDoo cIRCle - security advisory 20100624-02
In Win32 binary release of sub-project XTelnet there are vulnerable OpenSSL DLL files
http://voodoo-circle.sourceforge.net/sa/sa-20100624-02.html

Kolab Web Site
Kolab Server 2.2 Release Notes
http://files.kolab.org/server/release/kolab-server-2.2.4/sources/release-notes.txt

SA50
Multiple SSL/TLS vulnerabilities in Reporter
https://kb.bluecoat.com/index?page=content&id=SA50

BalaBit Web site
syslog-ng Premium Edition 3.0.6a has been released
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html

BalaBit Web site
syslog-ng Premium Edition 3.2.1a has been released
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html

IBM Security Bulletin 1627934
IBM Sterling Connect:Enterprise for UNIX is affected by multiple vulnerabilities in OpenSSL
http://www-01.ibm.com/support/docview.wss?uid=swg21627934

IBM Security Bulletin 1633107
IBM Sterling Connect:Express for UNIX is affected by multiple vulnerabilities in OpenSSL
http://www-01.ibm.com/support/docview.wss?uid=swg21633107

IBM Security Bulletin 1637929
IBM Tivoli Netcool System Service Monitors/Application Service Monitors is affected by multiple OpenSSL vulnerabilities
http://www-01.ibm.com/support/docview.wss?uid=swg21637929

ISS X-Force
OpenSSL CMS code execution
http://www.iss.net/security_center/static/59039.php

CVE
CVE-2010-0742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0742