An OpenSource VooDoo cIRCle - security advisory 20091012-01


The persistent URL of this advisory is http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html

Summary

The Win32/64 binary releases contain vulnerable OpenSSL DLL files. All users are encouraged to upgrade to the latest version.

In-depth

From Secunia's advisory at http://secunia.com/advisories/35128/:
---
Description:
Some vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) The library does not limit the number of buffered DTLS records with a future epoch. This can be exploited to exhaust all available memory via specially crafted DTLS packets.

2) An error when processing DTLS messages can be exploited to exhaust all available memory by sending a large number of out of sequence handshake messages.

3) A use-after-free error in the "dtls1_retrieve_buffered_fragment()" function can be exploited to cause a crash in a client context.

4) An error in the "dtls1_process_out_of_seq_message()" function can be exploited to crash a DTLS server via a specially crafted out of sequence DTLS packet.
---

See the vendor's advisories:

http://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest

http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest

http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest

http://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest

All versions prior to 1.1.37 are affected by these security vulnerabilities. VooDoo cIRCle 1.1.37 binary releases for Win32/64 are not affected. Versions using an older OpenSSL library, on any platform, including custom builds, are vulnerable; that is, both all binary-distributed versions of VooDoo cIRCle prior to 1.1.37 and any builds linked against a vulnerable OpenSSL library are affected by these vulnerabilities.

Binary builds of the VooDoo cIRCle project for both Win32 and x64 contain the OpenSSL library built from the CVS snapshot at ftp://ftp.openssl.org/snapshot/openssl-0.9.8-stable-SNAP-20091010.tar.gz, that is, the snapshot as of 2009-10-10, retrieved the same day.

Workaround

There is no known workaround at this time.

Solution

Update to the latest version, VooDoo cIRCle 1.1.37, which is not vulnerable.

Since the OpenSSL maintainers do not take security vulnerabilities seriously, they have not released fixed source code since 16th May 2009. These four vulnerabilities are only fixed in CVS so far (!). It is recommended to download a snapshot of the CVS repository for the "branch" version 0.9.8-stable from the vendor's site at ftp://ftp.openssl.org/snapshot/, and build the library yourself.
All Windows users using binary builds are strongly encouraged to download the latest version of VooDoo cIRCle.

Time line

2009-05-18 - Received notification about four OpenSSL vulnerabilities from http://secunia.com/.
2009-10-12 - Release of VooDoo cIRCle 1.1.37, public disclosure - this advisory.

Changelog

2009-10-12 - Initial revision

Legal notice

Some names used in this document may be registered trademarks of their respective owners.
