Rapid7 Vulnerability & Exploit Database

RHSA-2003:062: Updated OpenSSL packages fix timing attack

Back to Search

RHSA-2003:062: Updated OpenSSL packages fix timing attack

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
03/03/2003
Created
07/25/2018
Added
10/28/2005
Modified
07/04/2017

Description

Updated OpenSSL packages are available that fix a potential timing-based attack.

OpenSSL is a commercial-grade, full-featured, and open source toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. In a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin Vuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS. An active attacker may be able to use timing observations to distinguish between two different error cases: cipher padding errors and MAC verification errors. Over multiple connections this can leak sufficient information to make it possible to retrieve the plaintext of a common, fixed block. In order for an attack to be sucessful, an attacker must be able to act as a man-in-the-middle to intercept and modify multiple connections, which all involve a common fixed plaintext block (such as a password), and have good network conditions that allow small changes in timing to be reliably observed. These erratum packages contain a patch provided by the OpenSSL group that corrects this vulnerability. Because server applications are affected by these vulnerabilities, we advise users to restart all services that use OpenSSL functionality or alternatively reboot their systems after installing these updates.

Solution(s)

  • redhat-upgrade-openssl
  • redhat-upgrade-openssl-devel
  • redhat-upgrade-openssl-perl
  • redhat-upgrade-openssl-python
  • redhat-upgrade-openssl095a
  • redhat-upgrade-openssl096

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;