Subject: [ASA-201712-11] lib32-openssl-1.0: multiple issues

Arch Linux Security Advisory ASA-201712-11
==========================================

Severity: Medium
Date    : 2017-12-17
CVE-ID  : CVE-2017-3735 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738
Package : lib32-openssl-1.0
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-480

Summary
=======

The package lib32-openssl-1.0 before version 1.0.2.n-1 is vulnerable to
multiple issues including information disclosure, private key recovery
and denial of service.

Resolution
==========

Upgrade to 1.0.2.n-1.

# pacman -Syu "lib32-openssl-1.0>=1.0.2.n-1"

The problems have been fixed upstream in version 1.0.2.n.

Workaround
==========

None.

Description
===========

- CVE-2017-3735 (denial of service)

A security issue has been found in OpenSSL < 1.1.0g. If an X.509
certificate has a malformed IPAddressFamily extension, OpenSSL could do
a one-byte buffer overread. The most likely result would be an
erroneous display of the certificate in text format.
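As an added illustration of the bounds check that prevents an overread of this kind (this is example code, not OpenSSL's implementation or part of the advisory): a parser for the addressFamily field of the RFC 3779 IPAddressFamily extension, which is a 2-byte AFI optionally followed by a 1-byte SAFI, with a length check before every read, beside a text-rendering path that prints nothing at all for a malformed field. The function names (parse_address_family, render_address_family) and the sample byte strings are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* AFI values registered for IPv4 and IPv6 (RFC 3779 / IANA). */
#define AFI_IPV4 1
#define AFI_IPV6 2

/* Decoded contents of the addressFamily OCTET STRING. */
typedef struct {
    uint16_t afi;      /* 2-byte Address Family Identifier */
    int has_safi;      /* nonzero when the optional SAFI byte was present */
    uint8_t safi;      /* Subsequent AFI, valid only if has_safi */
} addr_family_t;

/* Parse the addressFamily field. RFC 3779 fixes it at 2..3 octets. Every
 * byte read is preceded by a length check, so a truncated field is rejected
 * instead of read past its end. Returns 0 on success, -1 on malformed input. */
int parse_address_family(const uint8_t *buf, size_t len, addr_family_t *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (len < 2 || len > 3)          /* reject 0, 1 and over-long encodings */
        return -1;
    out->afi = (uint16_t)((buf[0] << 8) | buf[1]);
    if (len == 3) {
        out->has_safi = 1;
        out->safi = buf[2];          /* only read when the third byte exists */
    } else {
        out->has_safi = 0;
        out->safi = 0;
    }
    return 0;
}

/* Convenience accessors: AFI (or -1 if malformed) and SAFI (or -1 if absent
 * or malformed). */
int address_family_afi(const uint8_t *buf, size_t len)
{
    addr_family_t af;
    return parse_address_family(buf, len, &af) == 0 ? (int)af.afi : -1;
}

int address_family_safi(const uint8_t *buf, size_t len)
{
    addr_family_t af;
    if (parse_address_family(buf, len, &af) != 0 || !af.has_safi)
        return -1;
    return (int)af.safi;
}

/* Text rendering, the code path where a bad read surfaces as garbage output.
 * Returns the number of characters written, or -1 if parsing failed, so the
 * caller prints nothing rather than partial data. */
int render_address_family(const uint8_t *buf, size_t len, char *dst, size_t dstlen)
{
    addr_family_t af;
    if (parse_address_family(buf, len, &af) != 0)
        return -1;
    const char *name = af.afi == AFI_IPV4 ? "IPv4"
                     : af.afi == AFI_IPV6 ? "IPv6" : "Unknown";
    if (af.has_safi)
        return snprintf(dst, dstlen, "%s (SAFI %u)", name, (unsigned)af.safi);
    return snprintf(dst, dstlen, "%s", name);
}

int main(void)
{
    /* Constructed inputs: a well-formed IPv6 family with SAFI, and a
     * truncated 1-byte field of the kind a malformed certificate may carry. */
    static const uint8_t ok[] = {0x00, 0x02, 0x01};
    static const uint8_t truncated[] = {0x00};
    char text[64];
    if (render_address_family(ok, sizeof ok, text, sizeof text) > 0)
        printf("ok: %s\n", text);
    if (render_address_family(truncated, sizeof truncated, text, sizeof text) < 0)
        printf("truncated field: rejected\n");
    return 0;
}
```

The point of the accessors is that the decision "is there a third byte?" is made exactly once, from the length, and never by reading memory.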

- CVE-2017-3736 (information disclosure)

A carry propagation bug has been found in OpenSSL < 1.1.0g in the
x86_64 Montgomery squaring procedure. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this
defect would be very difficult to perform and are not believed likely.
Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients.

This only affects processors that support the BMI1, BMI2 and ADX
extensions like Intel Broadwell (5th generation) and later or AMD
Ryzen.

- CVE-2017-3737 (information disclosure)

OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error
state" mechanism. The intent was that if a fatal error occurred during
a handshake then OpenSSL would move into the error state and would
immediately fail if you attempted to continue the handshake. This works
as designed for the explicit handshake functions (SSL_do_handshake(),
SSL_accept() and SSL_connect()), however due to a bug it does not work
correctly if SSL_read() or SSL_write() is called directly. In that
scenario, if the handshake fails then a fatal error will be returned in
the initial function call. If SSL_read()/SSL_write() is subsequently
called by the application for the same SSL object then it will succeed
and the data is passed directly to or from the SSL/TLS record layer
without being encrypted or decrypted. In order to exploit this issue an application
bug would have to be present that resulted in a call to
SSL_read()/SSL_write() being issued after having already received a
fatal error.
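As an added model of the error-state logic described above (example code, not OpenSSL's implementation): a minimal connection state machine in which a fatal handshake error is sticky, with a write path that behaves the way the advisory describes beside a hardened one that refuses application data unless the connection is fully established. In a real application the equivalent guard is to treat SSL_ERROR_SSL or SSL_ERROR_SYSCALL from SSL_get_error() as final and never call SSL_read()/SSL_write() on that SSL object again. All names (conn_t, conn_write_guarded, scenario_leaks_plaintext) and the peer_ok flag are constructs of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Connection states. ST_ERROR is the sticky "error state": once a fatal
 * handshake error has occurred, nothing further may be sent or received. */
enum conn_state { ST_HANDSHAKING, ST_ESTABLISHED, ST_ERROR };

typedef struct {
    enum conn_state state;
    int keys_ready;   /* record layer has negotiated keys (set by a successful handshake) */
} conn_t;

/* Return convention modelled on SSL_do_handshake()/SSL_write():
 * >0 success, 0 "handshake still needed", -1 fatal error. */
#define IO_OK     1
#define IO_AGAIN  0
#define IO_FATAL (-1)

void conn_init(conn_t *c)
{
    c->state = ST_HANDSHAKING;
    c->keys_ready = 0;
}

/* Simulated handshake step. peer_ok == 0 stands in for a fatal alert or a
 * malformed handshake message from the peer. */
int conn_handshake(conn_t *c, int peer_ok)
{
    if (c->state == ST_ERROR)       return IO_FATAL;   /* stays failed */
    if (c->state == ST_ESTABLISHED) return IO_OK;
    if (!peer_ok) { c->state = ST_ERROR; return IO_FATAL; }
    c->state = ST_ESTABLISHED;
    c->keys_ready = 1;
    return IO_OK;
}

/* Simulated record layer: reports whether the bytes it was handed would have
 * been protected. With no keys negotiated it can only pass them in the clear. */
static int record_send(const conn_t *c, const uint8_t *buf, size_t len, int *encrypted)
{
    (void)buf;
    *encrypted = c->keys_ready;
    return (int)len;
}

/* Behaviour the advisory describes: the write path only asks "is a handshake
 * still in progress?" and otherwise hands the data to the record layer, so a
 * connection whose handshake already failed leaks plaintext. */
int conn_write_unguarded(conn_t *c, const uint8_t *buf, size_t len, int *encrypted)
{
    if (c->state == ST_HANDSHAKING) {
        *encrypted = 0;
        return IO_AGAIN;
    }
    return record_send(c, buf, len, encrypted);
}

/* Hardened form: application data is accepted only in ST_ESTABLISHED;
 * a fatal error is final. */
int conn_write_guarded(conn_t *c, const uint8_t *buf, size_t len, int *encrypted)
{
    if (c->state != ST_ESTABLISHED) {
        *encrypted = 0;
        return IO_FATAL;
    }
    return record_send(c, buf, len, encrypted);
}

/* Scenario: handshake fails, then an application bug writes anyway.
 * Returns 1 if plaintext would have left the host, 0 if not. */
int scenario_leaks_plaintext(int use_guarded)
{
    static const uint8_t secret[] = "constructed application data";
    conn_t c;
    int encrypted = 0, rc;
    conn_init(&c);
    if (conn_handshake(&c, 0) != IO_FATAL)   /* peer sends a fatal alert */
        return -1;
    rc = use_guarded ? conn_write_guarded(&c, secret, sizeof secret, &encrypted)
                     : conn_write_unguarded(&c, secret, sizeof secret, &encrypted);
    return rc > 0 && !encrypted;
}

/* Scenario: successful handshake, then a guarded write. Returns the
 * encrypted flag (1 expected). */
int scenario_normal_write_encrypted(void)
{
    static const uint8_t data[] = "constructed application data";
    conn_t c;
    int encrypted = 0;
    conn_init(&c);
    if (conn_handshake(&c, 1) != IO_OK)
        return -1;
    return conn_write_guarded(&c, data, sizeof data, &encrypted) > 0 ? encrypted : -1;
}

int main(void)
{
    printf("unguarded write after failed handshake leaks plaintext: %d\n",
           scenario_leaks_plaintext(0));
    printf("guarded write after failed handshake leaks plaintext:   %d\n",
           scenario_leaks_plaintext(1));
    return 0;
}
```

The read path is symmetric: a guarded conn_read would refuse in every state but ST_ESTABLISHED, so a caller that ignores a fatal handshake result can neither send nor accept unprotected records.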

- CVE-2017-3738 (private key recovery)

There is an overflow bug in the AVX2 Montgomery multiplication
procedure used in exponentiation with 1024-bit moduli. No EC algorithms
are affected. Analysis suggests that attacks against RSA and DSA as a
result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH1024 are considered just feasible,
because most of the work necessary to deduce information about a
private key may be performed offline. The amount of resources required
for such an attack would be significant. However, for an attack on TLS
to be meaningful, the server would have to share the DH1024 private key
among multiple clients, which is no longer an option since
CVE-2016-0701.
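Both CVE-2017-3736 and CVE-2017-3738 above are carry-handling errors in a highly optimised Montgomery multiply. The following added example, which is not OpenSSL code, shows a single-word (64-bit, R = 2^64) Montgomery multiplication with its carries tracked explicitly, together with the differential self-test a practitioner would use to catch such a defect: every product, including the squaring path the first advisory singles out and the boundary inputs that produce maximal carries, is compared against a 128-bit reference computation. The function names (mont_mul, mont_selftest), the xorshift PRNG and the test moduli are assumptions of the example; unsigned __int128 requires GCC or Clang on a 64-bit target.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef unsigned __int128 u128;

/* -N^{-1} mod 2^64 for odd N, via Newton iteration. inv = N is correct to
 * 3 bits (N*N == 1 mod 8); each step doubles that: 6, 12, 24, 48, 96 bits. */
uint64_t neg_inv64(uint64_t n)
{
    uint64_t inv = n;
    for (int i = 0; i < 5; i++)
        inv *= 2 - n * inv;
    return (uint64_t)0 - inv;
}

/* x (< N) in Montgomery form, x*R mod N, computed with trusted 128-bit division. */
uint64_t to_mont(uint64_t x, uint64_t n)
{
    return (uint64_t)(((u128)x << 64) % n);
}

/* Reference modular product a*b mod N with 128-bit arithmetic. */
uint64_t mulmod_ref(uint64_t a, uint64_t b, uint64_t n)
{
    return (uint64_t)(((u128)a * b) % n);
}

/* Montgomery product a*b*R^{-1} mod N (a, b < N, N odd) with every carry
 * propagated explicitly; dropping either carry is the class of bug at issue. */
uint64_t mont_mul(uint64_t a, uint64_t b, uint64_t n, uint64_t n0inv)
{
    u128 t = (u128)a * b;                       /* T < N*R */
    uint64_t t_lo = (uint64_t)t, t_hi = (uint64_t)(t >> 64);
    uint64_t m = t_lo * n0inv;                  /* m = T * (-N^-1) mod R */
    u128 mn = (u128)m * n;
    uint64_t mn_lo = (uint64_t)mn, mn_hi = (uint64_t)(mn >> 64);
    /* Low word: t_lo + mn_lo == 0 mod R by construction; only its carry matters. */
    uint64_t lo = t_lo + mn_lo;
    uint64_t c1 = lo < t_lo;
    /* High word: t_hi + mn_hi + c1 may itself overflow; that carry must not be lost. */
    uint64_t hi = t_hi + mn_hi;
    uint64_t c2 = hi < t_hi;
    hi += c1;
    c2 += hi < c1;
    /* (T + mN)/R < 2N, so one conditional subtraction completes the reduction. */
    if (c2 || hi >= n)
        hi -= n;
    return hi;
}

/* Deterministic xorshift64 PRNG (constructed for reproducible test inputs). */
static uint64_t xorshift64(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

/* Differential test: returns how many inputs make mont_mul disagree with the
 * reference. 0 means no carry or reduction defect was observed for this N. */
int mont_selftest(uint64_t n, int iters)
{
    uint64_t n0inv = neg_inv64(n);
    uint64_t seed = 0x9E3779B97F4A7C15ULL;
    int bad = 0;
    /* Boundary values: zero, one, N-1 (maximal carries), N/2, N-2. */
    const uint64_t edge[5] = {0, 1, n - 1, n >> 1, n - 2};
    for (int i = 0; i < 5; i++)
        for (int j = 0; j < 5; j++)
            if (mont_mul(to_mont(edge[i], n), to_mont(edge[j], n), n, n0inv)
                != to_mont(mulmod_ref(edge[i], edge[j], n), n))
                bad++;
    for (int i = 0; i < iters; i++) {
        uint64_t a = xorshift64(&seed) % n, b = xorshift64(&seed) % n;
        /* General product. */
        if (mont_mul(to_mont(a, n), to_mont(b, n), n, n0inv)
            != to_mont(mulmod_ref(a, b, n), n))
            bad++;
        /* Squaring path, tested explicitly. */
        if (mont_mul(to_mont(a, n), to_mont(a, n), n, n0inv)
            != to_mont(mulmod_ref(a, a, n), n))
            bad++;
    }
    return bad;
}

int main(void)
{
    /* Two odd moduli with the top bit set, which exercises the high-word carry. */
    printf("mismatches (2^64-59): %d\n", mont_selftest(0xFFFFFFFFFFFFFFC5ULL, 10000));
    printf("mismatches (2^64-1):  %d\n", mont_selftest(0xFFFFFFFFFFFFFFFFULL, 10000));
    return 0;
}
```

A multi-limb implementation is the same idea limb by limb, and so is the test: the cheap reference need not be fast, it only needs to be obviously correct, and the moduli with the top bit set and the N-1 inputs are the cases that force every carry to fire.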

Impact
======

A remote attacker can cause a denial of service via a crafted X.509
certificate. Furthermore, a remote attacker with online access to an
unpatched system on a vulnerable architecture can access sensitive
information like a private key.

References
==========

https://www.openssl.org/news/vulnerabilities.html#2017-3735
https://www.openssl.org/news/secadv/20170828.txt
https://github.com/openssl/openssl/commit/b23171744b01e473ebbfd6edad70c1c3825ffbcd
https://www.openssl.org/news/vulnerabilities.html#2017-3736
https://www.openssl.org/news/secadv/20171102.txt
https://github.com/openssl/openssl/commit/668a709a8d7ea374ee72ad2d43ac72ec60a80eee
https://www.openssl.org/news/vulnerabilities.html#2017-3737
https://www.openssl.org/news/secadv/20171207.txt
https://github.com/openssl/openssl/commit/898fb884b706aaeb283de4812340bb0bde8476dc
https://www.openssl.org/news/vulnerabilities.html#2017-3738
https://github.com/openssl/openssl/commit/5630661aecbea5fe3c4740f5fea744a1f07a6253
https://security.archlinux.org/CVE-2017-3735
https://security.archlinux.org/CVE-2017-3736
https://security.archlinux.org/CVE-2017-3737
https://security.archlinux.org/CVE-2017-3738