[Ach] Issue with OpenSSL >0.9.8l
Leon Letto
leon at vectronic.ca
Fri Apr 25 18:24:15 CEST 2014
Hi Everyone,
Sorry to ask for clarification but I am a bit confused about this
vulnerability. Is it something I should be sending out to my coworkers
since almost all of them use Mac computers?
I prepared an e-mail piecing together what I think I should tell them but
if this is totally off base then I should not send it until there is
something official I guess. Please take a look and see if this makes
sense to send out?
Leon
___ Message Start ____
The following is from multiple e-mails which were sent out this morning
from the guys at bettercrypto.org and others. All versions of OSX are
affected (as well as debian and EL5 Linux) unless you have updated to
1.0.1g which is the latest version.
I didn’t send it out to everyone because it only affects people who are
using OpenSSL on their systems I think (not sure), like developers or
others who are playing with crypto, and servers running affected OSes. I
think IT needs to evaluate how many people it affects and if it's worth
getting everyone to do the fix (install Homebrew and install the latest
OpenSSL - instructions are at the bottom / compile from source) or wait
for Apple?
Leon
This is an issue with missing cipher suites in OpenSSL all the way back to
0.9.8 and all newer.
https://github.com/puppetlabs/puppet/pull/2494#issuecomment-41351666
The OpenSSL 0.9.8 tree is entirely affected as are 0.9.7 versions that
appeared later than 0.9.7m.
This has been reproduced on Debian squeeze and affects EL5 as well as ALL
versions of OS X up to and including the current Mavericks.
E.g.
$ /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013
Expanding Ciphersuite B results in:
$ /usr/bin/openssl ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
AES256-SHA:AES128-SHA
Unexpectedly, DHE ciphers are missing.
This is the latest version:
$ /opt/local/bin/openssl version
OpenSSL 1.0.1g 7 Apr 2014
$ /opt/local/bin/openssl ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
PROBABLE FIX:
If one is using Homebrew, the existing OS X OpenSSL lib can be overwritten:
$ openssl version
OpenSSL 0.9.8y 5 Feb 2013
$ brew install openssl
$ brew link --force openssl
open a new terminal (tab)
$ openssl version
OpenSSL 1.0.1g 7 Apr 2014
For sure it should be fixed by Apple, but that can take time …
____ Message End ______
--
Leon Letto
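The check the message above performs by hand (expand Ciphersuite B and look for DHE/ECDHE suites) can be scripted so IT can run it against every openssl binary on a machine. This is an added example, not code from the post or from bettercrypto.org; the two sample outputs are copied from the post, and the optional `query_openssl` helper assumes an `openssl` binary on PATH.

```python
"""Does a given OpenSSL build expand the bettercrypto.org Ciphersuite B string
to any forward-secrecy (DHE / ECDHE) suites?  Added example, not part of the
original mailing-list post."""
import subprocess
from typing import Dict, List

# Ciphersuite B exactly as quoted in the post.
CIPHERSUITE_B = (
    "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
    "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:"
    "+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:"
    "CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
)

# Suite-name prefixes OpenSSL uses for ephemeral (forward-secret) key exchange.
PFS_PREFIXES = ("DHE-", "EDH-", "ECDHE-", "EECDH-")


def classify(ciphers_output: str) -> Dict[str, List[str]]:
    """Split `openssl ciphers` output into forward-secret and static-RSA suites."""
    suites = [s for s in ciphers_output.strip().split(":") if s]
    pfs = [s for s in suites if s.startswith(PFS_PREFIXES)]
    static = [s for s in suites if s not in pfs]
    return {"pfs": pfs, "static": static}


def has_forward_secrecy(ciphers_output: str) -> bool:
    """True when at least one DHE/ECDHE suite survives the expansion."""
    return bool(classify(ciphers_output)["pfs"])


def query_openssl(binary: str = "openssl") -> str:
    """Run a real openssl binary (assumed to exist) and return its expansion."""
    proc = subprocess.run([binary, "ciphers", CIPHERSUITE_B],
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed samples: the two outputs shown in the post (0.9.8y vs 1.0.1g).
OUTPUT_098Y = "AES256-SHA:AES128-SHA"
OUTPUT_101G = (
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:"
    "DHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:"
    "DHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:"
    "CAMELLIA128-SHA:AES128-SHA"
)

if __name__ == "__main__":
    for label, out in (("0.9.8y", OUTPUT_098Y), ("1.0.1g", OUTPUT_101G)):
        print(label, "forward secrecy:", has_forward_secrecy(out), classify(out)["pfs"][:2])
```

Replace the sample outputs with `query_openssl("/usr/bin/openssl")` to test the system build, and `query_openssl("/usr/local/bin/openssl")` after the Homebrew step; an empty `pfs` list is the affected case described in the post.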