Changes between Initial Version and Version 1 of VulnerabilitiesFixedInOpenSSL1.0.1m


Timestamp: 03/26/15 10:15:38 (9 years ago)
Author: Samuli Seppänen
Comment: VulnerabilitiesFixedInOpenSSL1.0.1m is now "ready"

  • VulnerabilitiesFixedInOpenSSL1.0.1m

    v1 v1  
     1= Introduction =
     2
     3On 19th March 2015 the OpenSSL project made a new release which [https://www.openssl.org/news/secadv_20150319.txt fixed a number of security vulnerabilities]. This page discussed the impact of those vulnerabilities to OpenVPN. The content on this page is mostly taken from an [http://thread.gmane.org/gmane.network.openvpn.user/35653 email thread] on openvpn-user mailing list (thanks Steffan!).
     4
     5= Vulnerabilities that may affect OpenVPN =
     6
     7Depending on your configuration and OpenSSL version used, the following advisories from the list can apply to OpenVPN setups:
     8
     9* Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
     10* Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
     11* ASN.1 structure reuse memory corruption (CVE-2015-0287)
     12* Base64 decode (CVE-2015-0292)
     13* Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
     14  * OpenVPN 2.3, the current version, does not support EC certs yet. Note however that the git master branch *does*.
     15
     16The following vulnerabilities affect OpenSSL 1.0.2 only, which is quite new and not yet used very often. Moreover, the official OpenVPN Windows installers bundle OpenSSL 1.0.1, which is not vulnerable:
     17
     18* Multiblock corrupted pointer (CVE-2015-0290)
     19* OpenSSL 1.0.2 !ClientHello sigalgs DoS (CVE-2015-0291)
     20* Segmentation fault for invalid PSS parameters (CVE-2015-0208)
     21* Empty CKE with client auth and DHE (CVE-2015-1787)
     22
     23= Vulnerabilities that do not affect OpenVPN =
     24
     25The following do *not* apply to OpenVPN:
     26
     27* Segmentation fault in DTLSv1_listen (CVE-2015-0207)
     28 * OpenVPN does not use DTLS
     29* PKCS7 NULL pointer dereferences (CVE-2015-0289)
     30 * TLS does not use PKCS!#7
     31* DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
     32 * OpenVPN only does TLSv1.0+
     33* Handshake with unseeded PRNG (CVE-2015-0285)
     34 * OpenVPN manually seeds the PRNG
     35* X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
     36 * OpenVPN, nor the OpenSSL ssl functions call X509_to_X509_REQ()
     37
     38= Mitigating factors =
     39
     40Use of TLS auth keys offers good protection against these vulnerabilities.
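
Review bot: The "Mitigating factors" section (line 40) says TLS auth keys offer "good protection against these vulnerabilities" without saying which of the listed CVEs that covers or why. Suggest adding one sentence on the mechanism and stating whether it applies to both the "may affect" and the 1.0.2-only lists, and whether upgrading OpenSSL is still expected. Two wording points in the same hunk: line 36 "OpenVPN, nor the OpenSSL ssl functions call X509_to_X509_REQ()" should read "Neither OpenVPN nor the OpenSSL ssl functions call X509_to_X509_REQ()", and line 3 "This page discussed the impact of those vulnerabilities to OpenVPN" should be "This page discusses the impact of those vulnerabilities on OpenVPN". The sub-bullet on line 14 explains the EC caveat for CVE-2015-0209 only; the other four entries in that list give no condition, although the intro on line 7 says applicability depends on configuration and OpenSSL version, so a short qualifier per entry would help readers triage.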