Security Issue Alert

OpenSSL Datagram Transport Layer Security Plaintext Recovery Issue

 
Threat Type: IntelliShield: Security Issue Alert
IntelliShield ID: 24893
Version: 17
First Published: 2012 January 06 14:37 GMT
Last Published: 2013 June 06 15:15 GMT
Port: Not available
CVE: CVE-2011-4108
BugTraq ID: 51281
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage

Version Summary: Apple has released a security advisory and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.
 
 
Description
OpenSSL versions prior to 0.9.8s and versions prior to 1.0.0f contain an issue that could result in easier recovery of plaintext information from encrypted text.

The issue exists because the affected software implements the Datagram Transport Layer Security (DTLS) protocol incorrectly. When a packet's cryptographic padding is invalid, the affected versions of OpenSSL skip verifying the message authentication code (MAC) rather than checking it anyway. As a result, decrypting a packet with invalid padding takes a different amount of time than decrypting one with valid padding, and an attacker who can observe that timing difference can use it to guess certain plaintext information.
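To make the timing difference concrete, the following is an added example in C; it is not OpenSSL's code and not part of this alert. It models a decrypted CBC record as plaintext || MAC || padding, uses a keyed FNV-1a hash as a non-cryptographic stand-in for HMAC, and counts the bytes the MAC processes as a deterministic proxy for elapsed time. Every name in it (build_record, verify_record_vulnerable, verify_record_fixed, mac_work_for, run_demo) and the sample key and plaintext are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 4

/* Proxy for elapsed time: bytes processed by the MAC so far. A real attack
 * observes a clock; counting work keeps the demonstration deterministic. */
static size_t g_mac_work = 0;

/* Keyed FNV-1a stand-in for HMAC (NOT secure; it only needs to cost work
 * proportional to its input length, like a real MAC does). */
static void toy_mac(const uint8_t *key, size_t keylen,
                    const uint8_t *msg, size_t msglen, uint8_t out[MAC_LEN]) {
    uint32_t h = 2166136261u;
    size_t i;
    for (i = 0; i < keylen; i++) { h = (h ^ key[i]) * 16777619u; g_mac_work++; }
    for (i = 0; i < msglen; i++) { h = (h ^ msg[i]) * 16777619u; g_mac_work++; }
    for (i = 0; i < keylen; i++) { h = (h ^ key[i]) * 16777619u; g_mac_work++; }
    out[0] = (uint8_t)(h >> 24); out[1] = (uint8_t)(h >> 16);
    out[2] = (uint8_t)(h >> 8);  out[3] = (uint8_t)h;
}

/* Constant-time equality: no early exit on the first differing byte. */
static int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d == 0;
}

/* Build a decrypted TLS/DTLS-style CBC record body:
 * plaintext || MAC(plaintext) || (pad+1) bytes that each hold the value pad. */
size_t build_record(const uint8_t *pt, size_t ptlen, uint8_t pad,
                    const uint8_t *key, size_t keylen,
                    uint8_t *out, size_t outcap) {
    size_t total = ptlen + MAC_LEN + (size_t)pad + 1;
    if (total > outcap) return 0;
    memcpy(out, pt, ptlen);
    toy_mac(key, keylen, pt, ptlen, out + ptlen);
    memset(out + ptlen + MAC_LEN, pad, (size_t)pad + 1);
    return total;
}

/* Vulnerable shape: invalid padding returns before any MAC work happens, so
 * processing time differs between valid and invalid padding. */
int verify_record_vulnerable(const uint8_t *rec, size_t len,
                             const uint8_t *key, size_t keylen) {
    uint8_t mac[MAC_LEN];
    if (len < MAC_LEN + 1) return 0;
    uint8_t pad = rec[len - 1];
    if ((size_t)pad + 1 + MAC_LEN > len) return 0;        /* early exit, no MAC */
    for (size_t i = 0; i < pad; i++)
        if (rec[len - 2 - i] != pad) return 0;             /* early exit, no MAC */
    size_t ptlen = len - MAC_LEN - pad - 1;
    toy_mac(key, keylen, rec, ptlen, mac);
    return memcmp(mac, rec + ptlen, MAC_LEN) == 0;
}

/* Fixed shape: the MAC is always computed and compared; the padding result is
 * folded into one flag instead of causing an early return. */
int verify_record_fixed(const uint8_t *rec, size_t len,
                        const uint8_t *key, size_t keylen) {
    uint8_t mac[MAC_LEN];
    unsigned good = 1;
    if (len < MAC_LEN + 1) return 0;
    uint8_t pad = rec[len - 1];
    if ((size_t)pad + 1 + MAC_LEN > len) { good = 0; pad = 0; } /* clamp, remember */
    for (size_t i = 0; i < pad; i++)
        good &= (unsigned)(rec[len - 2 - i] == pad);
    size_t ptlen = len - MAC_LEN - pad - 1;
    toy_mac(key, keylen, rec, ptlen, mac);                  /* always runs */
    good &= (unsigned)ct_memeq(mac, rec + ptlen, MAC_LEN);
    return (int)good;
}

typedef int (*verify_fn)(const uint8_t *, size_t, const uint8_t *, size_t);

/* Run one verifier and report how much MAC work it performed. */
size_t mac_work_for(verify_fn verify, const uint8_t *rec, size_t len,
                    const uint8_t *key, size_t keylen) {
    g_mac_work = 0;
    (void)verify(rec, len, key, keylen);
    return g_mac_work;
}

typedef struct {
    int valid_accepted;   /* both verifiers accept the well-formed record */
    int bad_rejected;     /* both verifiers reject the corrupted record */
    size_t work_vuln_good, work_vuln_bad, work_fixed_good, work_fixed_bad;
} demo_result;

/* Constructed scenario: a well-formed record, then the same record with one
 * padding byte corrupted (the length byte is left intact). */
demo_result run_demo(void) {
    static const uint8_t key[] = "constructed-demo-key";   /* constructed */
    const size_t keylen = sizeof key - 1;
    const uint8_t pt[] = "hello dtls";                      /* constructed */
    uint8_t rec[64];
    demo_result r;
    size_t n = build_record(pt, sizeof pt - 1, 5, key, keylen, rec, sizeof rec);

    r.valid_accepted = verify_record_vulnerable(rec, n, key, keylen)
                    && verify_record_fixed(rec, n, key, keylen);
    r.work_vuln_good  = mac_work_for(verify_record_vulnerable, rec, n, key, keylen);
    r.work_fixed_good = mac_work_for(verify_record_fixed, rec, n, key, keylen);

    rec[n - 2] ^= 0x01;   /* corrupt one padding byte: padding is now invalid */
    r.bad_rejected = !verify_record_vulnerable(rec, n, key, keylen)
                  && !verify_record_fixed(rec, n, key, keylen);
    r.work_vuln_bad  = mac_work_for(verify_record_vulnerable, rec, n, key, keylen);
    r.work_fixed_bad = mac_work_for(verify_record_fixed, rec, n, key, keylen);
    return r;
}

int main(void) {
    demo_result r = run_demo();
    printf("vulnerable: MAC work good=%zu bad=%zu\n", r.work_vuln_good, r.work_vuln_bad);
    printf("fixed:      MAC work good=%zu bad=%zu\n", r.work_fixed_good, r.work_fixed_bad);
    return 0;
}
```

Running it shows the vulnerable verifier doing no MAC work at all when the padding is bad, while the fixed verifier does the same amount of work whether or not the padding checks out; that is the difference the alert describes. One caveat remains: the MAC still covers a length that depends on the padding byte, so this shape removes the gross early-exit signal but is not fully constant-time, and closing the residual length dependence needs MAC work that does not vary with the claimed padding.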

OpenSSL has confirmed this issue and released additional software updates. Previous updates introduced a regression error documented in IntelliShield Alert 24974.
 
Patches/Software
OpenSSL has released security advisories at the following links: DTLS Plaintext Recovery Attack and DTLS DoS Attack

OpenSSL has released updated software at the following links:
OpenSSL version 0.9.8t
OpenSSL version 1.0.0g
Apple has released a security update at the following link: HT5784

Apple has released updated software at the following links:

Mac OS X and Mac OS X Server 10.6.8
Security Update 2013-002 (Snow Leopard)
Security Update 2013-002 Server (Snow Leopard)

Mac OS X and Mac OS X Server 10.7.5
Security Update 2013-002 (Lion)
Security Update 2013-002 Server (Lion)

Mac OS X 10.8.4
OS X Mountain Lion Update 10.8.4
OS X Mountain Lion Update 10.8.4 (Combo)

CentOS packages can be updated using the up2date or yum command.

FreeBSD has released a VuXML document at the following link: openssl -- multiple vulnerabilities

FreeBSD releases ports collection updates at the following link: Ports Collection Index

HP has released security bulletins c03141193, c03383940, and c03360041 at the following links: HPSBUX02734 SSRT100729, HPSBOV02793 SSRT100891, and HPSBMU02786 SSRT100877

HP has released updated software at the following links:
OpenSSL A.00.09.08s for HP-UX
IBM has released a security advisory at the following link: CVE-2011-4108

IBM has released a fix for registered users at the following link: AIX

MontaVista Software has released a security alert for registered users on October 11, 2012, at the following link: MontaVista Security Fixes

MontaVista Software has released updated software at the following links:
CGE 5.1
Mobilinux 5.0
Pro 5.0.24
Pro 5.0
Mobilinux 5.0.24
CGE 6.0
Oracle has released a security advisory at the following link: Multiple vulnerabilities in OpenSSL

Oracle has released updated software at the following link: 11/11 SRU 4a

Red Hat has released an official CVE statement and security advisories for bug 771770 at the following links: CVE-2011-4108, RHSA-2012:0059, RHSA-2012:0060, RHSA-2012:1306, RHSA-2012:1307, and RHSA-2012:1308.

Red Hat has released updated software for registered subscribers at the following link: Red Hat Network

Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.

Red Hat has released security updates for registered users at the following links:

JBoss Enterprise Web Server 1.0.2
JBoss Enterprise Application Platform 5.1.2
JBoss Enterprise Application Platform 6.0.0

VMware has released a security advisory at the following link: VMSA-2012-0013

VMware has released updated software at the following links:

ESX 4.1
ESX410-201208101-SG

ESXi 4.1
ESXi410-201208101-SG

ESXi 5.0
ESXi-5.0.0-20121201001
 
Impact
The issue could allow plaintext recovery of information encoded in an arbitrary block of ciphertext, leading to disclosure of sensitive information. If successful, the attacker could launch further attacks.
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators are advised to monitor affected systems.
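As an aid to triage, the following added C function (not part of this alert, and not a vendor tool) classifies an OpenSSL version string against the two ranges the Description names: 0.9.8 releases before 0.9.8s and 1.0.0 releases before 1.0.0f. It accepts either a bare version or the first line printed by `openssl version`; the function name and the sample strings are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if `version` is in an affected range named by this alert,
 * 0 if it is at or past the fixed release of its series, and -1 if it is
 * outside the 0.9.8 / 1.0.0 series or cannot be parsed (not covered here).
 * Accepts "0.9.8r", "1.0.0", or "OpenSSL 1.0.0e-fips 6 Sep 2011". */
int openssl_dtls_plaintext_affected(const char *version) {
    int a, b, c, n = 0;
    char letter = 0;
    if (strncmp(version, "OpenSSL ", 8) == 0) version += 8;   /* CLI prefix */
    if (sscanf(version, "%d.%d.%d%n", &a, &b, &c, &n) != 3) return -1;
    /* A patch letter directly follows the numbers. A bare "0.9.8" is the base
     * release and sorts before every lettered release, so letter stays 0.
     * Anything after the letter ("-fips", a build date) is ignored. */
    if (islower((unsigned char)version[n])) letter = version[n];
    if (a == 0 && b == 9 && c == 8) return letter < 's';
    if (a == 1 && b == 0 && c == 0) return letter < 'f';
    return -1;
}

int main(void) {
    /* Constructed sample strings, including an `openssl version` style line. */
    const char *samples[] = { "0.9.8r", "0.9.8s", "0.9.8",
                              "OpenSSL 1.0.0e-fips 6 Sep 2011", "1.0.0g", "1.0.1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %d\n", samples[i], openssl_dtls_plaintext_affected(samples[i]));
    return 0;
}
```

This check is only meaningful for builds that track upstream version numbers. Distribution packages that backport fixes (the Red Hat, CentOS and similar updates listed above) keep the upstream version string and carry the fix in the package revision, so for those the vendor advisory and package version are authoritative, not the string this function sees.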
 
Alert History
 

Version 16, December 21, 2012, 8:47 PM: VMware has re-released a security advisory and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 15, October 15, 2012, 7:11 AM: MontaVista Software has re-released a security alert and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 14, September 25, 2012, 4:29 PM: Red Hat has released additional security advisories and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 13, September 5, 2012, 2:53 PM: VMware has released a security advisory and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 12, August 28, 2012, 1:37 PM: MontaVista Software has released a security alert and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 11, June 29, 2012, 9:00 AM: HP has released an additional security bulletin and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 10, June 25, 2012, 5:11 PM: HP has released an additional security bulletin and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 9, April 5, 2012, 11:03 AM: Oracle has released a security advisory and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 8, March 23, 2012, 3:48 PM: IBM has released a security advisory and fixes to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 7, January 31, 2012, 9:59 AM: CentOS has released updated packages to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 6, January 25, 2012, 12:13 PM: Red Hat has released security advisories and updated packages to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue. CentOS has also released updated packages to address this issue.

Version 5, January 20, 2012, 4:27 PM: OpenSSL has released a security bulletin and updated software to address the regression error introduced as a result of a fix to the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 4, January 20, 2012, 1:27 PM: HP has released a security bulletin and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 3, January 17, 2012, 6:17 PM: FreeBSD has released a VuXML document and updated ports collection to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 2, January 11, 2012, 6:21 PM: Cisco has discovered a potential issue in the patch for the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 1, January 6, 2012, 9:37 AM: OpenSSL contains an issue that could allow an unauthenticated, remote attacker to obtain sensitive information from a targeted system. Updates are available.


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
OpenSSL: openssl 0.9.8 Base | 0.9.8a Base | 0.9.8b Base | 0.9.8c Base | 0.9.8d Base | 0.9.8e Base | 0.9.8f Base | 0.9.8g Base | 0.9.8h Base | 0.9.8i Base | 0.9.8j Base | 0.9.8k Base | 0.9.8l Base | 0.9.8m Base | 0.9.8n Base | 0.9.8o Base | 0.9.8p Base | 0.9.8q Base | 0.9.8r Base | 0.9.8s Base | 1.0.0 Base | 1.0.0a Base | 1.0.0b Base | 1.0.0c Base | 1.0.0d Base | 1.0.0e Base

Associated Products:
Apple: Mac OS X 10.6.3 Base | 10.6.4 Base | 10.6.5 Base | 10.6.6 Base | 10.6.7 Base | 10.6.8 Base | 10.7.1 Base | 10.7.2 Base | 10.7.3 Base | 10.7.4 Base | 10.7.5 Base | 10.8 Base | 10.8.1 Base | 10.8.2 Base | 10.8.3 Base
Apple: Mac OS X Server 10.6.1 Intel, PPC | 10.6.2 Base | 10.6.3 Base | 10.6.4 Base | 10.6.5 Base | 10.6.6 Base | 10.6.7 Base | 10.6.8 Base | 10.7 Base | 10.7.1 Base | 10.7.2 Base | 10.7.3 Base | 10.7.4 Base | 10.7.5 Base
CentOS Project: CentOS 5 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64, .3 i386, .3 x86_64, .4 i386, .4 x86_64, .5 i386, .5 x86_64 | 6 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64
FreeBSD Project: FreeBSD 6.3 Base | 6.4 Base | 7.0 Base | 7.1 Base | 7.2 Base | 7.3 Base | 7.4 Base | 8.0 Base | 8.1 Base | 8.2 Base | 9.0 Base
HP: HP SSL for OpenVMS 1.4 Base
HP: HP-UX 11.11/11i Base | 11.23 Base | 11.31 Base
HP: System Management Homepage (SMH) 6.0.0 Base | 6.1 Base | 6.2 Base | 7.0 Base | 7.1 Base
IBM: AIX 5.3 Base, .7.0, .7.1, .8, .9, .10, .11, .12 | 6.1 .0, .1, .2, .3, .4, .5, .6, .7 | 7.1 .0, .1
MontaVista: MontaVista Linux Professional 5.0, 5.0.24 | Mobilinux 5.0, 5.0.24 | CGE 5.1, 6.0
Oracle Corporation: Solaris Express 11 2010.11
Red Hat, Inc.: JBoss Enterprise Application Platform 5.1.2 Base | 6.0.0 Base
Red Hat, Inc.: JBoss Enterprise Web Server 1.0 .2
Red Hat, Inc.: Red Hat Enterprise Linux 5 IA-32, IA-64, PPC, ppc64, s390, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Server AUS 6.2 IA-32, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Desktop 5 IA-32, x86_64 | 6 IA-32, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Desktop Workstation 5 IA-32, x86-64
Red Hat, Inc.: Red Hat Enterprise Linux HPC Node 6 x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Server 6 IA-32, PPC, PPC 64, s390, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Server EUS 6.2.z IA-32, PPC64, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Workstation 6 IA-32, x86_64
VMware, Inc.: VMware ESX Server 3.5 Base, Update 1, Update 2, Update 3, Update 4 | 4.0 Base | 4.1 Base
VMware, Inc.: VMware ESXi 3.5 Base, Update 1, Update 2, Update 3, Update 4 | 4.0 Base | 4.1 Base | 5.0 Base




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by IntelliShield