Privacy and Legal Notice

DOE-CIRC TECHNICAL BULLETIN

T-147: OpenSSL 'dtls1_retrieve_buffered_fragment()' DTLS Packet Denial of Service Vulnerability

[CVE-2009-1379]

May 29, 2009 13:00 GMT

PROBLEM: OpenSSL is prone to a vulnerability that may allow attackers to cause denial-of-service conditions.
PLATFORM: OpenSSL Project OpenSSL 1.0.0 Beta 2
ABSTRACT: Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash).

LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-147.shtml
  OTHER LINKS: Vupen Security
http://www.vupen.com/english/advisories/2009/1377
Security Focus
http://www.securityfocus.com/bid/35138/info
Security Tracker
http://securitytracker.com/id?1022241

CVE: CVE-2009-1379

IMPACT ASSESSMENT: This risk is low. A remote attacker can crash a vulnerable client (for example, openssl s_client) or consume excessive memory on the target system.

[***** Start CVE-2009-1379 *****]

Discussion:
OpenSSL is prone to a vulnerability that may allow attackers to cause denial-of-service conditions. A use-after-free
in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to
cause a denial of service (openssl s_client crash), and possibly have unspecified other impact, via a DTLS packet, as
demonstrated by a packet from a server that uses a crafted server certificate. Note that the demonstrated vector is a
malicious server attacking a connecting client; no authentication is required beyond getting the client to connect.

The advisories referenced above describe three related issues in the DTLS implementation:

The first issue is caused by DTLS records with future epochs being buffered without limitation, which could allow
attackers to exhaust all available memory resources, creating a denial of service condition.

The second issue is caused by an error in the "dtls1_process_out_of_seq_message()" function when handling out-of-sequence
DTLS handshake messages, which could likewise allow attackers to exhaust all available memory resources, creating a
denial of service condition.

The third issue, the one tracked by CVE-2009-1379, is caused by an error in the "dtls1_retrieve_buffered_fragment()"
function when processing certain DTLS data, which could be exploited to crash a vulnerable client.
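
The following is a simplified stand-alone model, added to this bulletin for illustration and not code from OpenSSL's
ssl/d1_both.c, of the two defensive patterns the first and third issues call for: a hard cap on records buffered for
future epochs (beside the unbounded form), and retrieval of a buffered fragment that copies the data out to the caller
before the queue entry is freed, so no freed memory is ever handed back. All names (rec_queue, accept_record_bounded,
retrieve_buffered, MAX_FUTURE_RECORDS) and sizes are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limits for this model; the real values are a policy choice. */
#define MAX_FUTURE_RECORDS 8      /* cap on buffered future-epoch records */
#define MAX_REC_LEN        256    /* cap on a single modelled record body */

enum { REC_DROPPED = 0, REC_DELIVER = 1, REC_BUFFERED = 2 };

typedef struct rec_entry {
    unsigned short epoch;
    size_t len;
    unsigned char data[MAX_REC_LEN];
    struct rec_entry *next;
} rec_entry;

typedef struct {
    rec_entry *head, *tail;
    size_t count;                 /* number of buffered future-epoch records */
    unsigned short cur_epoch;     /* epoch currently being read */
} rec_queue;

void rq_init(rec_queue *q, unsigned short epoch) {
    q->head = q->tail = NULL; q->count = 0; q->cur_epoch = epoch;
}

static int enqueue(rec_queue *q, unsigned short epoch, const unsigned char *d, size_t len) {
    rec_entry *e = calloc(1, sizeof *e);
    if (e == NULL) return 0;
    e->epoch = epoch; e->len = len; memcpy(e->data, d, len);
    if (q->tail) q->tail->next = e; else q->head = e;
    q->tail = e; q->count++;
    return 1;
}

/* Weak pattern (first issue): every record from a future epoch is buffered, so a
 * peer that streams such records grows the process's memory without bound. */
int accept_record_unbounded(rec_queue *q, unsigned short epoch, const unsigned char *d, size_t len) {
    if (len > MAX_REC_LEN || epoch < q->cur_epoch) return REC_DROPPED;   /* stale epoch */
    if (epoch == q->cur_epoch) return REC_DELIVER;                        /* process now */
    return enqueue(q, epoch, d, len) ? REC_BUFFERED : REC_DROPPED;
}

/* Hardened pattern: same logic with a hard cap. DTLS runs over a lossy datagram
 * transport, so dropping an excess future-epoch record is safe; the peer retransmits. */
int accept_record_bounded(rec_queue *q, unsigned short epoch, const unsigned char *d, size_t len) {
    if (len > MAX_REC_LEN || epoch < q->cur_epoch) return REC_DROPPED;
    if (epoch == q->cur_epoch) return REC_DELIVER;
    if (q->count >= MAX_FUTURE_RECORDS) return REC_DROPPED;              /* cap reached */
    return enqueue(q, epoch, d, len) ? REC_BUFFERED : REC_DROPPED;
}

/* Retrieve the oldest buffered record by copying it into caller memory and only
 * then freeing the queue entry. Handing back the entry's own pointer after freeing
 * it is the use-after-free shape the third issue describes. Returns bytes copied,
 * 0 if the queue is empty or the caller's buffer is too small (entry is kept). */
size_t retrieve_buffered(rec_queue *q, unsigned char *out, size_t outlen) {
    rec_entry *e = q->head;
    if (e == NULL || e->len > outlen) return 0;
    size_t n = e->len;
    memcpy(out, e->data, n);          /* copy while the entry is still live */
    q->head = e->next;
    if (q->head == NULL) q->tail = NULL;
    q->count--;
    free(e);                          /* caller only ever sees its own copy */
    return n;
}

void rq_clear(rec_queue *q) {
    while (q->head) { rec_entry *e = q->head; q->head = e->next; free(e); }
    q->tail = NULL; q->count = 0;
}

int main(void) {
    rec_queue q;
    unsigned char body[4] = {1, 2, 3, 4};      /* constructed sample record body */
    unsigned char out[MAX_REC_LEN];
    rq_init(&q, 1);
    for (int i = 0; i < 100; i++) accept_record_bounded(&q, 2, body, sizeof body);
    printf("bounded: %zu of 100 future-epoch records buffered\n", q.count);
    printf("retrieved %zu bytes\n", retrieve_buffered(&q, out, sizeof out));
    rq_clear(&q);
    return 0;
}
```

A real implementation would also bound the total bytes, not just the entry count, and apply the same cap to the
out-of-sequence handshake message buffer the second issue concerns.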

Solution:
Rebuild OpenSSL with the OpenSSL Project fix retrieve_buffered_fragment.patch applied:

http://rt.openssl.org/Ticket/Attachment/22142/10060/retrieve_buffered_fragment.patch

Apply patches:

http://cvs.openssl.org/chngview?cn=18187

http://cvs.openssl.org/chngview?cn=18188

http://cvs.openssl.org/chngview?cn=18154

[***** End CVE-2009-1379 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
UCRL-MI-119788