Two OpenSSL vulnerabilities fixed
MonitorWare Agent and WinSyslog are both part of the Adiscon MonitorWare product line and share some components. Both applications use the OpenSSL library in the SETP receiver if SSL encryption is enabled. For this reason two DLLs, ssleay32.dll and libeay32.dll, are located in the product installation directory. Two vulnerabilities were discovered in OpenSSL, an implementation of the SSL/TLS protocols, using the Codenomicon TLS Test Tool.
Products & Product Versions Affected
All versions of WinSyslog and MonitorWare Agent downloaded prior to 2004-03-20 are potentially vulnerable. However, they are only vulnerable if they are configured to operate as a SETP server AND use encryption for SETP. Otherwise, they are not vulnerable, because the code in question is never executed. As of 2004-03-21, the download sets already contain the fix. Any customer who downloaded the product before that date is advised to download the fix.
Please note that Adiscon EventReporter also uses the OpenSSL libraries, but only as a client. As such, it is not vulnerable: it cannot accept any malicious connections because it does not accept any connections at all.
This zip package contains the fixed DLLs. To install them, copy both files into the product installation directory and restart the service (EventReporter, MonitorWare Agent or WinSyslog).
If you want to know more about the two vulnerabilities, see the NISCC Vulnerability Advisory at http://www.uniras.gov.uk/vuls/2004/224012/index.htm and the OpenSSL advisory at http://www.openssl.org/news/secadv_20040317.txt
- CAN-2004-0079 – null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library (a ChangeCipherSpec message arriving before the handshake has set up a cipher) in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. Affects OpenSSL 0.9.6c to 0.9.6k and 0.9.7a to 0.9.7c.
- CAN-2004-0081 – a bug in older versions of OpenSSL 0.9.6 (0.9.6c to 0.9.6k) where a handshake containing an unknown message type sends the library into an infinite loop, which can be used for a denial of service attack.
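Both bugs are failures of handshake state enforcement: a message that is only meaningful in a later state is processed before that state exists (a NULL cipher pointer is dereferenced), and a message the dispatcher does not recognize is neither consumed nor rejected (the read loop never advances). The following C model, added here as an illustration and not taken from OpenSSL or from Adiscon's products, shows the two checks a handshake processor needs. The state names, the `MODEL_CIPHER` suite and the record bytes are all constructed for this example; the content-type and handshake-type numbers are the real TLS values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Record content types and handshake message types as defined by TLS. */
enum { CT_CHANGE_CIPHER_SPEC = 20, CT_HANDSHAKE = 22 };
enum { HT_CLIENT_HELLO = 1, HT_CLIENT_KEY_EXCHANGE = 16 };

/* Server-side states of this simplified model (assumption: a real stack has
 * many more states, but the ordering checks below are the same idea). */
enum state { ST_INIT, ST_GOT_HELLO, ST_GOT_KEY_EXCHANGE, ST_CIPHER_ACTIVE };
enum result { RES_OK = 0, RES_UNEXPECTED_MESSAGE = -1, RES_DECODE_ERROR = -2 };

struct cipher { const char *name; };
static const struct cipher MODEL_CIPHER = { "model-cipher" }; /* hypothetical suite */

struct session {
    enum state state;
    const struct cipher *new_cipher;    /* NULL until key exchange completes */
    const struct cipher *active_cipher; /* cipher in use after ChangeCipherSpec */
};

/* Walk the handshake messages in one record: 1-byte type, 3-byte length, body.
 * Every path either consumes the message or returns, so the loop cannot spin
 * on a type it does not understand (the CAN-2004-0081 failure mode). */
static int process_handshake(struct session *s, const uint8_t *p, size_t len)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 4)
            return RES_DECODE_ERROR;
        uint8_t type = p[off];
        size_t body = ((size_t)p[off + 1] << 16) | ((size_t)p[off + 2] << 8) | p[off + 3];
        if (len - off - 4 < body)
            return RES_DECODE_ERROR;
        switch (type) {
        case HT_CLIENT_HELLO:
            if (s->state != ST_INIT) return RES_UNEXPECTED_MESSAGE;
            s->state = ST_GOT_HELLO;
            break;
        case HT_CLIENT_KEY_EXCHANGE:
            if (s->state != ST_GOT_HELLO) return RES_UNEXPECTED_MESSAGE;
            s->new_cipher = &MODEL_CIPHER;  /* only now does a cipher exist */
            s->state = ST_GOT_KEY_EXCHANGE;
            break;
        default:
            return RES_UNEXPECTED_MESSAGE;  /* unknown type: reject, never loop */
        }
        off += 4 + body;                    /* always make progress */
    }
    return RES_OK;
}

/* ChangeCipherSpec is only legal once a cipher exists. Without this state
 * check, new_cipher is NULL when CCS arrives first and the dereference
 * crashes the process (the CAN-2004-0079 failure mode). */
static int change_cipher_spec(struct session *s)
{
    if (s->state != ST_GOT_KEY_EXCHANGE || s->new_cipher == NULL)
        return RES_UNEXPECTED_MESSAGE;      /* a real stack sends an alert here */
    s->active_cipher = s->new_cipher;
    s->state = ST_CIPHER_ACTIVE;
    return RES_OK;
}

int process_record(struct session *s, uint8_t content_type, const uint8_t *payload, size_t len)
{
    switch (content_type) {
    case CT_HANDSHAKE:
        return process_handshake(s, payload, len);
    case CT_CHANGE_CIPHER_SPEC:
        if (len != 1 || payload[0] != 1) return RES_DECODE_ERROR;
        return change_cipher_spec(s);
    default:
        return RES_UNEXPECTED_MESSAGE;
    }
}

/* Constructed record payloads (not captured traffic) that exercise the checks. */
static const uint8_t HELLO[]   = { HT_CLIENT_HELLO, 0, 0, 0 };
static const uint8_t KEYEX[]   = { HT_CLIENT_KEY_EXCHANGE, 0, 0, 0 };
static const uint8_t CCS[]     = { 1 };
static const uint8_t UNKNOWN[] = { 99, 0, 0, 0 };  /* 99 is not a handshake type */

int run_valid_sequence(void)
{
    struct session s = { ST_INIT, NULL, NULL };
    int r = process_record(&s, CT_HANDSHAKE, HELLO, sizeof HELLO);
    if (r == RES_OK) r = process_record(&s, CT_HANDSHAKE, KEYEX, sizeof KEYEX);
    if (r == RES_OK) r = process_record(&s, CT_CHANGE_CIPHER_SPEC, CCS, sizeof CCS);
    return (r == RES_OK && s.active_cipher == &MODEL_CIPHER) ? RES_OK : RES_UNEXPECTED_MESSAGE;
}

int run_ccs_before_key_exchange(void)
{
    struct session s = { ST_INIT, NULL, NULL };
    process_record(&s, CT_HANDSHAKE, HELLO, sizeof HELLO);
    return process_record(&s, CT_CHANGE_CIPHER_SPEC, CCS, sizeof CCS);  /* rejected, no crash */
}

int run_unknown_handshake_type(void)
{
    struct session s = { ST_INIT, NULL, NULL };
    return process_record(&s, CT_HANDSHAKE, UNKNOWN, sizeof UNKNOWN);   /* rejected, loop ends */
}

int main(void)
{
    printf("valid sequence:          %d\n", run_valid_sequence());
    printf("CCS before key exchange: %d\n", run_ccs_before_key_exchange());
    printf("unknown handshake type:  %d\n", run_unknown_handshake_type());
    return 0;
}
```

The point of the model is where the checks sit: the cipher pointer is tested at the moment it is about to be used, not assumed valid because a ChangeCipherSpec record arrived, and the handshake loop has no branch that leaves `off` unchanged. Either omission alone is enough for an unauthenticated client to take down a listening SETP receiver, which is why the advisory restricts the exposure to installations that accept encrypted connections.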
Reporting Security Issues
Adiscon believes in the value of working with security researchers. Any security issue should please be reported to firstname.lastname@example.org and it will receive immediate attention.
Receiving Advisories via EMail
Adiscon also provides product announcement mailing lists. These are low-volume and strictly technical. They carry notifications about new product versions, bug fixes and the like. They will NOT be abused for marketing. GNU Mailman is used for these mailing lists, so unsubscribing is always easy. Advisories are also posted to our product announcement list. You can subscribe below:
- For EventReporter please subscribe at:
- For MonitorWare Agent please subscribe at:
- For WinSyslog please subscribe at: