-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Is this the same vunnerability that was announced about week ago, or a new one? Shaun George Heuston wrote: | |-----Original Message----- |From: nipc-daily-admin@private |[mailto:nipc-daily-admin@private] |Sent: Thursday, August 01, 2002 2:32 PM |To: NIPC-daily@private |Subject: [NIPC-daily] NIPC Advisory 02-007 OpenSSL Vulnerability | |Advisory 02-007 | |OpenSSL Vulnerability |July 31, 2002 | |The National Infrastructure Protection Center (NIPC) is issuing this |advisory to heighten the awareness of multiple buffer overflows in |OpenSSL (Open Secure Sockets Layer) version 0.9.6d or earlier and |0.97-beta2 or earlier. OpenSSL is a widely deployed, open source |implementation of the SSL and Transport Layer Security (TLS) protocols. |The SSL and TLS protocols are used to provide a secure connection |between a client and a server for higher level protocols. Exploitation |of these vulnerabilities may allow an attacker to execute arbitrary code |on a vulnerable server or client system. | |The Common Vulnerabilities and Exposures project (cve.mitre.org) has |assigned the following names to the identified vulnerabilities: | |(CAN-2002-0655) |OpenSSL versions 0.9.6d and earlier, and 0.9.7-beta2, experience several |buffer overflow vulnerabilities if running on 64-bit platforms. | |(CAN-2002-0656) |The session ID supplied to a client in SSLv3 could result in a buffer |overflow. | |(CAN-2002-0656) |A malformed key from an OpenSSL client to an OpenSSL-enabled server, |during the handshake, may result in an exploitable buffer overflow. | |(CAN-2002-0657). |Kerberos-enabled OpenSSL 0.9.7-beta2 servers have a buffer overflow on |the stack that may allow a remote attacker to execute arbitrary code. | |Description: | |OpenSSL is a software package that uses strong cryptography in |authentication systems, mail servers, and web servers. Affected |versions of OpenSSL include 0.9.6d or earlier and 0.9.7-beta2 or |earlier. While there have been no reported victims, the NIPC is issuing |this advisory to emphasize the significance of these vulnerabilities. |System administrators should be aware that attackers could exploit these |vulnerabilities to gain remote access which could provide the attacker |with the ability to take any action desired, such as installing |malicious code, running programs, reconfiguring, adding, changing, or |deleting files. Additional information may be found at the following sites: | |OpenSSL Security Advisory |http://www.openssl.org/news/secadv_20020730.html | |CERT Advisory CA-2002-23 |http://www.cert.org/advisories/CA-2002-23.html | |Red Hat |http://rhn.redhat.com/errata/RHSA-2002-155.html. | |Recommendation: | |The NIPC strongly urges the community to take recommended actions to |either apply patches from their vendors or consider upgrading to version |OpenSSL 0.9.6e, which according to the OpenSSL Project team contains |fixes for all the vulnerabilities reported on earlier. | |The NIPC encourages recipients of this advisory to report computer |intrusions to their local FBI office |(http://www.fbi.gov/contact/fo/fo.htm) and other appropriate |authorities. Recipients may report incidents online to |http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit |can be reached at (202) 323-3204/3205/3206 or nipc.watch@private | |~rm | | |_______________________________________________ |NIPC-daily mailing list |NIPC-daily@private |http://mailman.ops.nipc.gov/mailman/listinfo/nipc-daily | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - savages@private iD8DBQE9Sh+Ln6I06Opz+XURAiZ8AKCD3dJPeFPB3wb23ALTWi00ov9OoACdE4uW 4YRTesST1KxQ7A1Ou5p9Lo4= =1eIz -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 23:56:00 PDT