Multiple OpenSSL vulnerabilities (CVE-2016-2107 and CVE-2016-2108)

Description:

Padding oracle in AES-NI CBC MAC check (CVE-2016-2107):

A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.

 

This issue was introduced as part of the fix for the Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to run in constant time by making sure that the same bytes are always read and compared against either the MAC or the padding bytes. However, the rewritten check no longer verified that there was enough data to hold both the MAC and the padding bytes.
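As an added illustration (not OpenSSL's code and not part of the original advisory), the simplified C model below shows the missing length check: with `check_room` off, a constructed record made only of padding bytes passes the padding check although it leaves no room for the MAC. The names `ct_ge`, `padding_ok` and `demo`, and the 20-byte HMAC-SHA1 tag length, are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 20u /* HMAC-SHA1 tag length (assumed cipher suite) */

/* All-ones if a >= b, else 0, with no branch. Valid for a, b < 2^31. */
static uint32_t ct_ge(uint32_t a, uint32_t b)
{
    return ((a - b) >> 31) - 1u;
}

/* Simplified model of a constant-time CBC padding check on a decrypted record
 * laid out as data || MAC || padding: the last byte is the pad value and the
 * pad+1 trailing bytes must equal it. check_room=0 models the flaw,
 * check_room=1 the corrected check. Returns 1 if accepted, else 0. */
int padding_ok(const uint8_t *rec, size_t len, int check_room)
{
    uint32_t pad, maxpad, scan, i, good = 0xffffffffu;
    if (len < MAC_LEN + 1u || len > 0x7fffffffu) /* length is public */
        return 0;
    pad = rec[len - 1];
    maxpad = (uint32_t)len - (MAC_LEN + 1u);  /* most padding that leaves a MAC */
    scan = len < 256u ? (uint32_t)len : 256u; /* bytes read do not depend on pad */
    for (i = 0; i < scan; i++) {
        uint32_t in_pad = ct_ge(pad, i); /* byte i from the end is padding */
        uint32_t same = ct_ge(0u, rec[len - 1 - i] ^ pad); /* byte == pad */
        good &= ~in_pad | same;
    }
    if (check_room)
        good &= ct_ge(maxpad, pad); /* padding must fit beside the MAC */
    return (int)(good & 1u);
}

/* Constructed record: `body` bytes of 0xAA, then pad+1 bytes of value pad. */
int demo(size_t body, uint8_t pad, int check_room)
{
    uint8_t rec[512];
    size_t len = body + pad + 1u;
    if (len > sizeof rec) return -1;
    memset(rec, 0xAA, body);
    memset(rec + body, pad, pad + 1u);
    return padding_ok(rec, len, check_room);
}

int main(void)
{
    printf("padding only: flawed=%d fixed=%d\n", demo(0, 31, 0), demo(0, 31, 1));
    printf("well formed:  flawed=%d fixed=%d\n", demo(32, 15, 0), demo(32, 15, 1));
    return 0;
}
```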

Memory corruption in the ASN.1 encoder (CVE-2016-2108):

This issue affected versions of OpenSSL prior to April 2015. The bug causing the vulnerability was fixed on April 18th 2015, and the fix was released as part of the June 11th 2015 security releases. The security impact of the bug was not known at the time.

Other less critical OpenSSL vulnerabilities have been discovered and are explained here:

https://www.openssl.org/news/secadv/20160503.txt

More information per Operating system:

Before updating, verify that a patched version of OpenSSL has been released for your operating system version.

Red Hat and CentOS:

https://access.redhat.com/security/cve/cve-2016-2107
https://access.redhat.com/security/cve/cve-2016-2108

Debian:

https://security-tracker.debian.org/tracker/CVE-2016-2107
https://security-tracker.debian.org/tracker/CVE-2016-2108

Ubuntu:

http://www.ubuntu.com/usn/usn-2959-1/ 

Resolution:

On CentOS and Red Hat Enterprise Linux:

Run:

yum clean all

yum update openssl

reboot

 

On Ubuntu and Debian:

Run: 

sudo apt-get update

sudo apt-get install openssl

reboot

  

We suggest that you subscribe to your operating system notification system at the following URLs:

Red Hat - RHSA-announce (http://www.redhat.com/mailman/listinfo/rhsa-announce)

CentOS - CentOS-announce (https://lists.centos.org/mailman/listinfo/centos-announce)

Ubuntu - ubuntu-security-announce (https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce)

Debian - debian-security-announce (https://lists.debian.org/debian-security-announce/)
