Vigil@nce: OpenSSL, denial of service via Kerberos
March 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
When OpenSSL supports the Kerberos key exchange, and when the server application is in a chroot jail, an attacker can send a
special ClientHello message, in order to stop the application.
Severity: 2/4
Consequences: denial of service
Provenance: internet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 04/03/2010
IMPACTED PRODUCTS
OpenSSL
DESCRIPTION OF THE VULNERABILITY
A CipherSuite is a threefold combination of:
- a key exchange algorithm (RSA, DH, DHE, Elliptic Curve DH, Kerberos (RFC 2712))
- a data encryption algorithm (RC4, 3DES, AES, IDEA, DES)
- a hash algorithm used for integrity/signature (HMAC-MD5, HMAC-SHA)
The SSL/TLS protocol uses the ClientHello message to indicate to the server the list of supported CipherSuites.
When OpenSSL supports the Kerberos key exchange, and when the server application is in a chroot jail, an attacker can send a ClientHello message containing a TLS_KRB5_WITH_xyz CipherSuite. In this case, the Kerberos krb5_sname_to_principal() function returns a NULL pointer, which is then dereferenced by the OpenSSL kssl_keytab_is_available() function.
An attacker can therefore stop the TLS/SSL server.
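The failure pattern above, as an added illustration that is not OpenSSL or MIT Kerberos code: a lookup call with a krb5_sname_to_principal-like shape (error code plus out-parameter) hands back a NULL principal when the realm configuration is unreachable, and the caller must treat that like any other failure. The mock resolver, the in_chroot knob and the principal_t type are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a Kerberos principal. */
typedef struct {
    const char *realm;
    const char *service;
} principal_t;

/* Mock of a krb5_sname_to_principal-like call. The constructed in_chroot
 * knob models a jail where the realm lookup fails silently: the call
 * reports success (0) but leaves the out-parameter NULL. */
static int mock_sname_to_principal(int in_chroot, const char *service,
                                   principal_t **out)
{
    static principal_t host_princ = { "EXAMPLE.ORG", "host" };
    if (service == NULL)
        return 1;            /* genuine error: caller sees non-zero rc */
    if (in_chroot) {
        *out = NULL;         /* lookup "succeeded" with no principal */
        return 0;
    }
    host_princ.service = service;
    *out = &host_princ;
    return 0;
}

/* Vulnerable pattern: trusts rc == 0 and dereferences the principal.
 * With in_chroot set this is a NULL dereference, i.e. the crash the
 * advisory describes when a KRB5 suite is offered in the ClientHello. */
static int keytab_is_available_unsafe(int in_chroot, const char *service)
{
    principal_t *princ;
    if (mock_sname_to_principal(in_chroot, service, &princ) != 0)
        return 0;
    return strcmp(princ->service, service) == 0;
}

/* Hardened pattern: a NULL principal is a lookup failure. The KRB5 suite
 * is reported as unavailable and the server keeps negotiating with the
 * remaining suites instead of dying. */
static int keytab_is_available_safe(int in_chroot, const char *service)
{
    principal_t *princ = NULL;
    if (mock_sname_to_principal(in_chroot, service, &princ) != 0 ||
        princ == NULL)
        return 0;
    return strcmp(princ->service, service) == 0;
}
```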
CHARACTERISTICS
Identifiers: 567711, 569774, BID-38533, CVE-2010-0433, VIGILANCE-VUL-9493