FreeBSD Security Advisory FreeBSD-SA-03:06.openssl
FreeBSD Security Advisories
security-advisories at freebsd.org
Fri Mar 21 12:52:41 PST 2003
-----BEGIN PGP SIGNED MESSAGE-----
FreeBSD-SA-03:06.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL timing-based SSL/TLS attack
Credits: Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
Affects: All FreeBSD versions prior to 4.6-RELEASE-p12,
Corrected: 2003-03-20 21:07:20 UTC (RELENG_4)
2003-03-21 16:12:34 UTC (RELENG_4_7)
2003-03-21 16:12:03 UTC (RELENG_4_6)
2003-03-21 16:13:06 UTC (RELENG_5_0)
FreeBSD only: NO
FreeBSD includes software from the OpenSSL Project. The OpenSSL
Project is a collaborative effort to develop a robust, commercial-
grade, full-featured, and Open Source toolkit implementing the Secure
Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography
II. Problem Description
This advisory addresses two separate flaws recently fixed in OpenSSL:
(1) an RSA timing attack, and (2) the Klima-Pokorny-Rosa attack.
- - - From the OpenSSL Project advisories (see references):
(1) Researchers have discovered a timing attack on RSA keys, to which
OpenSSL is generally vulnerable, unless RSA blinding has been
(2) Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
have come up with an extension of the "Bleichenbacher attack" on
RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0.
Their attack requires the attacker to open millions of SSL/TLS
connections to the server under attack; the server's behaviour
when faced with specially made-up RSA ciphertexts can reveal
information that in effect allows the attacker to perform a single
RSA private key operation on a ciphertext of its choice using the
server's RSA key. Note that the server's RSA key is not
compromised in this attack.
RSA timing attack:
An RSA private key may be compromised.
A vulnerable server, when faced with specially made-up RSA
ciphertexts, can reveal information that in effect allows the
attacker to perform a single RSA private key operation on a
ciphertext of its choice using the server's RSA key. Note that the
server's RSA key is not compromised in this attack.
RSA timing attack:
Disable the use of RSA or enable RSA blinding in OpenSSL using the
RSA_blinding_on() function. The method of adjusting the list of
acceptable ciphersuites varies from application to application. See
the application's documentation for details.
Disable the use of ciphersuites which use PKCS #1 v1.5 padding in SSL
or TLS. The method of adjusting the list of acceptable ciphersuites
varies from application to application. See the application's
documentation for details.
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_4_7
(4.7-RELEASE-p9), RELENG_4_6 (4.6-RELEASE-p12), or RELENG_5_0
(5.0-RELEASE-p6) security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.6, 4.7,
and 5.0 systems which have already been patched for the issues resolved
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:06/openssl.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:06/openssl.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system as described in
<URL: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html >.
Note that any statically linked applications that are not part of the
base system (i.e. from the Ports Collection or other 3rd-party sources)
must be recompiled.
All affected applications must be restarted for them to use the
corrected library. Though not required, rebooting may be the easiest
way to accomplish this.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
<URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131 >
<URL: http://eprint.iacr.org/2003/052/ >
<URL: http://www.openssl.org/news/secadv_20030317.txt >
<URL: http://www.openssl.org/news/secadv_20030319.txt >
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (FreeBSD)
Comment: FreeBSD: The Power To Serve
-----END PGP SIGNATURE-----
This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org
To Unsubscribe: send mail to majordomo at FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message
More information about the freebsd-announce