Two OpenSSL vulnerabilities fixed
Grossrinderfeld, 2004-03-18
MonitorWare Agent and WinSyslog are both part of the Adiscon MonitorWare product line
and share some components. Both applications use the OpenSSL library in the SETP receiver
when SSL encryption is enabled. For this reason, two DLLs are located in the product
installation directory: ssleay32.dll and libeay32.dll. Two vulnerabilities were discovered
in OpenSSL, an implementation of the SSL/TLS protocol, using the Codenomicon TLS Test Tool.
Products & Product Versions Affected
All versions of WinSyslog and MonitorWare Agent downloaded prior to 2004-03-20
are potentially vulnerable. However, they are only vulnerable if they are configured
to operate as a SETP server AND use encryption for SETP. Otherwise they are not
vulnerable, because the code in question is never executed.
As of 2004-03-21, the download sets already contain the fix. Any customer who
downloaded the product before that date is advised to download the fix.
Please note that Adiscon EventReporter also uses the OpenSSL libraries, but only as a client.
As such, it is not vulnerable: it cannot receive a malicious connection because it does not
accept incoming connections at all.
Solution
The zip package below contains the fixed DLLs. To install them, copy both files into the
product installation directory and restart the service (EventReporter, MonitorWare Agent or
WinSyslog):
http://www.adiscon.org/download/monitorware-hotfix-2004-03-18.zip
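The steps above can be scripted. The following PowerShell script is an added example for this page; it is not Adiscon's own hotfix installer and does not ship with the advisory. It stops the service so the DLLs are not in use, backs up the two old DLLs so the change can be rolled back, copies ssleay32.dll and libeay32.dll from the downloaded zip, restarts the service, and prints the file version of both DLLs before and after. The installation directory, the service display name and the local path of the downloaded zip are placeholders that must be adjusted for the installation in question.

```powershell
# Added example, not Adiscon's hotfix script. $InstallDir, $ServiceName and
# $HotfixZip are assumptions for this installation, not values from the advisory.
param(
    [string]$InstallDir  = 'C:\Program Files\MonitorWare Agent',              # assumed install directory
    [string]$ServiceName = 'MonitorWare Agent',                               # assumed service display name
    [string]$HotfixZip   = "$env:TEMP\monitorware-hotfix-2004-03-18.zip"      # zip from the advisory, downloaded beforehand
)

# The two OpenSSL DLLs named in the advisory.
$dlls = 'ssleay32.dll', 'libeay32.dll'

function Get-OpenSslDllVersion([string]$Dir) {
    # Report FileVersion/ProductVersion of both DLLs (or "(missing)" if absent).
    foreach ($d in $dlls) {
        $p = Join-Path $Dir $d
        if (Test-Path $p) {
            $v = (Get-Item $p).VersionInfo
            [pscustomobject]@{ File = $d; FileVersion = $v.FileVersion; ProductVersion = $v.ProductVersion }
        } else {
            [pscustomobject]@{ File = $d; FileVersion = '(missing)'; ProductVersion = '(missing)' }
        }
    }
}

Write-Host 'Before hotfix:'
Get-OpenSslDllVersion $InstallDir | Format-Table -AutoSize

# 1. Stop the service so the DLLs are not locked while they are replaced.
$svc = Get-Service -DisplayName $ServiceName -ErrorAction Stop
if ($svc.Status -ne 'Stopped') {
    Stop-Service -InputObject $svc -Force
    $svc.WaitForStatus('Stopped', '00:01:00')
}

# 2. Back up the old DLLs so the change can be rolled back.
$backup = Join-Path $InstallDir ('openssl-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($d in $dlls) {
    $old = Join-Path $InstallDir $d
    if (Test-Path $old) { Copy-Item $old $backup }
}

# 3. Unpack the hotfix into a temporary folder and copy only the two DLLs.
$tmp = Join-Path $env:TEMP 'monitorware-hotfix-2004-03-18'
Expand-Archive -Path $HotfixZip -DestinationPath $tmp -Force
foreach ($d in $dlls) {
    $src = Get-ChildItem -Path $tmp -Recurse -Filter $d | Select-Object -First 1
    if (-not $src) { throw "$d not found in $HotfixZip" }
    Copy-Item $src.FullName (Join-Path $InstallDir $d) -Force
}

# 4. Restart the service and show the versions now in place.
Start-Service -InputObject $svc
Write-Host 'After hotfix:'
Get-OpenSslDllVersion $InstallDir | Format-Table -AutoSize
```

Compare the "After hotfix" versions against the OpenSSL releases that the linked OpenSSL advisory names as fixed (0.9.7d for the 0.9.7 branch, 0.9.6m for 0.9.6); if the DLLs still report an older version, the copy did not take effect, most likely because the files were in use by another process. Run the script with administrative rights, since both the service control and writing to the installation directory require them.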
More Information
If you want to know more about the two vulnerabilities, see the following NISCC
Vulnerability Advisory: http://www.uniras.gov.uk/vuls/2004/224012/index.htm
and this OpenSSL advisory: http://www.openssl.org/news/secadv_20040317.txt
- CAN-2004-0079 - null-pointer assignment in the
do_change_cipher_spec() function. A remote attacker could perform a carefully
crafted SSL/TLS handshake against a server that used the OpenSSL library in
such a way as to cause OpenSSL to crash. Depending on the application this
could lead to a denial of service.
- CAN-2004-0081 - a bug in older versions of OpenSSL 0.9.6 that can lead to
a Denial of Service attack (infinite loop).
Reporting Security Issues
Adiscon believes in the value of working with security researchers. Please report any
security issue to support@adiscon.com; it will receive immediate attention.
Receiving Advisories via EMail
Adiscon also provides product announcement mailing lists. These are low-volume
and strictly technical. They carry notifications about new product versions,
bug fixes and the like. They will NOT be abused for marketing. GNU Mailman is
used for these mailing lists, so unsubscribing is always easy.
Advisories are also posted to our product announcement list. You can subscribe
below: