SA-C0056 Information About DROWN Vulnerability
Alcatel-Lucent Security Advisory No. SA-C0056 Ed. 01
Information about DROWN vulnerability

Summary

DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. The DROWN attack was published on March 1st 2016. It is a cross-protocol attack: a remote attacker who can reach a server that still accepts SSLv2 can use that server as a decryption oracle to recover the plaintext of TLS sessions (TLS 1.0 to 1.2 with RSA key exchange) protected by the same RSA key. DROWN does not give the attacker code execution on the server; its impact is the loss of confidentiality of recorded or live TLS traffic.

A server is considered vulnerable if
- it allows SSLv2 connections, or
- it shares its RSA public key (certificate) with another server that allows SSLv2 connections, even if it does not accept SSLv2 itself.

The severity is considered the same as for Heartbleed and the official risk is currently rated High. The classification levels are Very High, High, Medium and Low.

This vulnerability is identified under CVE-2016-0800 and is associated with seven other vulnerabilities affecting the OpenSSL library (CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799). These vulnerabilities are followed with particular attention since they concern the SSL and TLS cryptographic protocols, which have been challenged in recent years by the Heartbleed and POODLE attacks.

A closer inspection reveals that the fast variant of the DROWN attack, which relies on the OpenSSL SSLv2 implementation flaws CVE-2016-0703 and CVE-2016-0704, can decrypt a TLS session in under a minute using a single PC. The general variant, which only requires a server that accepts SSLv2 40-bit export cipher suites, can be conducted in under 8 hours.

Alcatel-Lucent Enterprise voice products using affected versions of OpenSSL 0.9.8, 1.0.0 and 1.0.1 are concerned by this security alert. However, although these OpenSSL versions are affected, the SSLv2 protocol (as well as SSLv3) has been removed in Alcatel-Lucent Enterprise voice products, so those products cannot be used as the SSLv2 oracle themselves.

- OpenSSL 1.0.2 servers should upgrade to 1.0.2g
- OpenSSL 1.0.1 servers should upgrade to 1.0.1s
- OpenSSL 1.0.0 and 0.9.8 are no longer supported by the OpenSSL project (per the OpenSSL advisory referenced below) and receive no fix; deployments on those branches must move to a supported branch or make sure SSLv2 is disabled.

The Alcatel-Lucent Enterprise Security Team is currently investigating the implications of this security flaw and working on corrective measures. This note is for informational purposes about the DROWN vulnerability.
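Both vulnerability conditions above reduce to one observable fact: some host reachable by the attacker completes an SSLv2 handshake with a certificate carrying the RSA key in question. The following Python script is added here as an illustration; it is not part of the Alcatel-Lucent advisory nor of any ALE product. It builds a raw SSLv2 CLIENT-HELLO, parses the SERVER-HELLO, reports which SSLv2 cipher kinds the server offers (flagging the 40-bit export suites the attack needs) and fingerprints the returned certificate so that the same key can be spotted behind a host that is itself TLS-only. The wire formats follow the SSL 2.0 specification and the cipher-kind codes follow OpenSSL's ssl2.h; the sample SERVER-HELLO and any host name passed to `probe()` are constructed, and `probe()` is the only function that performs network I/O.

```python
"""Probe a TLS endpoint for SSLv2 support, the precondition for DROWN.

Added example, not part of the Alcatel-Lucent advisory. Wire formats follow
the SSL 2.0 specification; SSL2_* cipher names follow OpenSSL's ssl2.h.
"""
import hashlib
import os
import socket
import struct

SSL2_CLIENT_HELLO = 0x01
SSL2_SERVER_HELLO = 0x04

# SSLv2 cipher-kind codes (3 bytes each) -> (name, is 40-bit export suite).
# The two export suites are the ones the general DROWN attack needs; the fast
# variant additionally relies on the OpenSSL bugs CVE-2016-0703/0704.
SSL2_CIPHERS = {
    0x010080: ("SSL2_RC4_128_WITH_MD5", False),
    0x020080: ("SSL2_RC4_128_EXPORT40_WITH_MD5", True),
    0x030080: ("SSL2_RC2_128_CBC_WITH_MD5", False),
    0x040080: ("SSL2_RC2_128_CBC_EXPORT40_WITH_MD5", True),
    0x050080: ("SSL2_IDEA_128_CBC_WITH_MD5", False),
    0x060040: ("SSL2_DES_64_CBC_WITH_MD5", False),
    0x0700C0: ("SSL2_DES_192_EDE3_CBC_WITH_MD5", False),
}


def _cipher_bytes(codes):
    return b"".join(c.to_bytes(3, "big") for c in codes)


def build_client_hello(challenge=None):
    """Return an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    challenge = challenge or os.urandom(16)
    ciphers = _cipher_bytes(SSL2_CIPHERS)
    body = (bytes([SSL2_CLIENT_HELLO]) + b"\x00\x02"          # version 2.0
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)                            # no session id
    # 2-byte record header: high bit set, 15-bit length, no padding byte.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(record):
    """Parse an SSLv2 SERVER-HELLO; return None if the bytes are not one.

    A TLS alert (0x15 ...) or a 3-byte padded v2 header both fail the first
    check, which is what we want: only a genuine v2 hello counts.
    """
    if len(record) < 2 or not record[0] & 0x80:
        return None
    length = struct.unpack(">H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    # msg type | session-id hit | cert type | version(2) | cert len(2) |
    # cipher-specs len(2) | connection-id len(2) | cert | ciphers | conn-id
    if len(body) < 11 or body[0] != SSL2_SERVER_HELLO:
        return None
    cert_len, ciph_len, conn_len = struct.unpack(">HHH", body[5:11])
    if len(body) < 11 + cert_len + ciph_len + conn_len:
        return None
    cert = body[11:11 + cert_len]
    ciph = body[11 + cert_len:11 + cert_len + ciph_len]
    codes = [int.from_bytes(ciph[i:i + 3], "big") for i in range(0, len(ciph), 3)]
    names = [SSL2_CIPHERS.get(c, ("unknown-%06x" % c, False))[0] for c in codes]
    export = [SSL2_CIPHERS[c][0] for c in codes
              if c in SSL2_CIPHERS and SSL2_CIPHERS[c][1]]
    return {
        "version": struct.unpack(">H", body[3:5])[0],
        "ciphers": names,
        "export_ciphers": export,
        # Same certificate on two hosts => same RSA key (second DROWN condition).
        "cert_sha256": hashlib.sha256(cert).hexdigest() if cert else None,
    }


def assess(hello):
    """Map a parsed hello onto the advisory's vulnerability condition."""
    if hello is None:
        return "not-sslv2"          # host is not an SSLv2 oracle itself
    if hello["export_ciphers"]:
        return "sslv2-export"       # SSLv2 with 40-bit suites: DROWN feasible
    return "sslv2"                  # SSLv2 accepted; must still be disabled


def probe(host, port=443, timeout=5.0):
    """Send a CLIENT-HELLO and parse the reply (real network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = s.recv(4096)
        if len(data) >= 2 and data[0] & 0x80:
            need = 2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF)
            while len(data) < need:          # certificate may span reads
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    return parse_server_hello(data)


def sample_server_hello():
    """Constructed SERVER-HELLO with a fake 4-byte certificate, for offline use."""
    cert = b"CERT"
    ciphers = _cipher_bytes([0x010080, 0x020080, 0x0700C0])
    conn_id = b"\x00" * 16
    body = (bytes([SSL2_SERVER_HELLO, 0x00, 0x01]) + b"\x00\x02"
            + struct.pack(">HHH", len(cert), len(ciphers), len(conn_id))
            + cert + ciphers + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    hello = parse_server_hello(sample_server_hello())
    print(assess(hello), hello["ciphers"], hello["cert_sha256"])
```

Run `probe()` against every host that presents the certificate, including SMTP, IMAP or other services that reuse it, since any of them can act as the oracle: a `None` result means the host answered with something other than an SSLv2 SERVER-HELLO (a TLS alert or a closed connection), any other result means the first condition holds, and an identical `cert_sha256` seen on an SSLv2-speaking host and on a TLS-only host is the second condition. Comparing certificate hashes is a conservative proxy, as two different certificates may still carry the same RSA key, so hosts with distinct certificates should additionally be compared on the public key itself.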
References

CVE-2016-0800  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
  Advisory severity: CVSS Base score 5.8 (HIGH) - AV:N/AC:M/Au:N/C:P/I:P/A:N
CVE-2016-0799  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0799
  Advisory severity: CVSS Base score 2.6 (LOW) - AV:N/AC:H/Au:N/C:N/I:N/A:P
CVE-2016-0798  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0798
  Advisory severity: CVSS Base score 4.3 (LOW) - AV:N/AC:M/Au:N/C:N/I:N/A:P
CVE-2016-0797  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0797
  Advisory severity: CVSS Base score 4.3 (LOW) - AV:N/AC:M/Au:N/C:N/I:N/A:P
CVE-2016-0705  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705
  Advisory severity: CVSS Base score 2.6 (LOW) - AV:N/AC:H/Au:N/C:N/I:N/A:P
CVE-2016-0704  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0704
  Advisory severity: CVSS Base score 4.3 (MEDIUM) - AV:N/AC:M/Au:N/C:P/I:N/A:N
CVE-2016-0703  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0703
  Advisory severity: CVSS Base score 4.3 (MEDIUM) - AV:N/AC:M/Au:N/C:P/I:N/A:N
CVE-2016-0702  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0702
  Advisory severity: CVSS Base score 2.6 (LOW) - AV:L/AC:H/Au:N/C:P/I:P/A:N

Note: the qualitative labels above are the advisory's own. The vectors are CVSS v2, whose standard bands are Low 0.0-3.9, Medium 4.0-6.9 and High 7.0-10.0; a base score of 4.3 therefore falls in the Medium band for CVE-2016-0797 and CVE-2016-0798 just as it does for CVE-2016-0703 and CVE-2016-0704, and 5.8 also falls in Medium. The High rating attached to CVE-2016-0800 comes from the advisory's risk classification (Very High, High, Medium, Low), not from the CVSS band.

DROWN documentation references
- https://drownattack.com
- https://www.openssl.org/news/secadv/20160301.txt
- https://access.redhat.com/articles/2176731

Description of the vulnerabilities

Information about the DROWN attack: see the Summary above for the attack itself and for the two conditions (SSLv2 accepted, or RSA key shared with a server that accepts SSLv2) under which a server is vulnerable.
This vulnerability is identified under CVE-2016-0800 and is associated with seven other vulnerabilities affecting the OpenSSL library.

CVE-2016-0800
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.

CVE-2016-0799
The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data. This is a different vulnerability from CVE-2016-2842.

CVE-2016-0798
A memory leak flaw was found in the way OpenSSL performed SRP user database look-ups using the SRP_VBASE_get_by_user() function. A remote attacker connecting to certain SRP servers with an invalid user name could leak approximately 300 bytes of the server's memory per connection.

CVE-2016-0797
An integer overflow flaw, leading to a NULL pointer dereference or a heap-based memory corruption, was found in the way some BIGNUM functions of OpenSSL were implemented. Applications that use these functions with large untrusted input could crash or, potentially, execute arbitrary code.

CVE-2016-0705
A double-free flaw was found in the way OpenSSL parsed certain malformed DSA (Digital Signature Algorithm) private keys. An attacker could create specially crafted DSA private keys that, when processed by an application compiled against OpenSSL, could cause the application to crash.

CVE-2016-0704
It was discovered that the SSLv2 protocol implementation in OpenSSL did not properly implement the Bleichenbacher protection for export cipher suites. An attacker could use an SSLv2 server using OpenSSL as a Bleichenbacher oracle.

CVE-2016-0703
It was discovered that SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated a non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle. This is the flaw that makes the fast (under a minute, single PC) variant of DROWN possible.

CVE-2016-0702
A side-channel attack was found that makes use of cache-bank conflicts on the Intel Sandy Bridge microarchitecture. An attacker who has the ability to control code in a thread running on the same hyper-threaded core as the victim's thread that is performing decryption could use this flaw to recover RSA private keys.

Status on Alcatel-Lucent Enterprise products

For supported products and extended support contracts on former versions, Alcatel-Lucent Enterprise will provide fixes. For unsupported products, please refer to the official patch provided by the OS vendor for your OS version.

Products concerned by the DROWN vulnerability
- OpenTouch Edge Server: up to 2.1.1
- OpenTouch Business Edition: up to 2.1.1 (Note: includes the OT server and the virtual machine of OmniPCX Enterprise Media Services)
- OpenTouch Multimedia Services: up to 2.1.1 (Note: includes the OT server and the virtual machine of FlexLM)
- OpenTouch Messaging Center: up to 2.1.1

Products NOT concerned by the DROWN vulnerability
- Alcatel-Lucent 8 Series IP Touch Phones: phased out
- Alcatel-Lucent Premium Deskphones: R210.3.20.41 and above
- 8002/8012 Deskphone: R110.3.55.2
- OmniTouch 8082 My IC Phone: R300.1.15.9 and above
- 8088 Smart Deskphone: R100.1.008.2 and above
- OpenTouch Connection: 2.1.205.002
- OpenTouch Conversation: 2.1.105.003
- OTC Web, OTC One, OTC Meeting Manager: not impacted since they depend on the version of the web browser
- 4059 IP attendant: not impacted
- 4059 EE IP attendant: v1.6.1.6 and above
- OmniTouch 8460 Advanced Communications Server (Note: concerns only standalone installation)
- OmniTouch 8660 My Teamwork Unified Messaging
- OmniTouch 8670 Automated Message Delivery System
- Omnivista 8770 Network Management System: R2.6.7.01 and above
- OpenTouch Messaging Center: OT 2.1.1 and above
- OpenTouch Fax Center: 7.5.2.98 and above
- OpenTouch Session Border Controller: R2.0 and 2.1.x (please refer to the FAQ)
- OmniTouch Contact Center Standard Edition: not impacted
- OmniTouch 8400 Instant Communications Suite: 6.7.400.300.d and above
- IP Touch Security Solution: not impacted (Note: concerns only SIP-TLS)
- OmniPCX Office Rich Communication Edition: from R8.0 and above
- vmFlex: 2.1.100.005

Solution for affected products

Fixed Software Versions/Patches

Product                        Fix in               Date
OpenTouch Edge Server          Under investigation
OpenTouch Business Edition     2.1.100.06x          OT 2.1.1 MD2 (2.1.100.06x) will be available at the beginning of June 2016
                                                    (Note: includes the OT server and the virtual machine of OmniPCX Enterprise Media Services)
OpenTouch Multimedia Services  2.1.100.06x          OT 2.1.1 MD2 (2.1.100.06x) will be available at the beginning of June 2016
                                                    (Note: includes the OT server and the virtual machine of FlexLM)
OpenTouch Messaging Center     2.1.100.06x          OT 2.1.1 MD2 (2.1.100.06x) will be available at the beginning of June 2016

Frequently Asked Questions

Where can I find the release policy for ALE products?
The release policy for ALE products is available on the Alcatel-Lucent Enterprise Business Portal: https://businessportal.alcatel-lucent.com

Where can I download ALE software patches?
Software patches will be available on the Alcatel-Lucent Enterprise Business Portal: https://businessportal.alcatel-lucent.com

Are Red Hat OS releases on ICS servers supported by ALE?
ALE does not provide any Operating System (OS) support for the ICS releases.