An OpenSource VooDoo cIRCle - security advisory 20091112-01


Persistent URL of this advisory is available at http://voodoo-circle.sourceforge.net/sa/sa-20091112-01.html

Summary

The Win32/64 binary releases include vulnerable OpenSSL DLL files. All users are encouraged to upgrade to the latest version.

In-depth

From Secunia's advisory at http://secunia.com/advisories/37291/:
---
Description:
A vulnerability has been reported in OpenSSL, which can be exploited by malicious people to manipulate certain data.

The vulnerability is caused due to an error in the TLS protocol while handling session re-negotiations. This can be exploited to insert arbitrary plaintext before data sent by a legitimate client in an existing TLS session via Man-in-the-Middle (MitM) attacks.

Successful exploitation may allow e.g. sending an arbitrary HTTP request under an authenticated context if certificate-based authentication is used by the server.

Fixed in the CVS repository by disabling renegotiation support:
http://cvs.openssl.org/chngview?cn=18790

Provided and/or discovered by:
Independently discovered by Marsh Ray, PhoneFactor and Martin Rex.

Original Advisory:
Martin Rex:
http://www.ietf.org/mail-archive/web/tls/current/msg03928.html

PhoneFactor:
http://extendedsubset.com/?p=8
---


The OpenSSL project released library version 0.9.8l, which includes the fix from the CVS repository at http://cvs.openssl.org/chngview?cn=18790. The VooDoo cIRCle version 1.1.38 binary distribution for Windows systems includes builds of OpenSSL version 0.9.8l and is therefore not affected by this vulnerability.
All versions prior to 1.1.38 are affected by this security vulnerability. VooDoo cIRCle 1.1.38 binary releases for Win32/64 are not affected. Versions using an older OpenSSL library, on any platform, and custom builds might be vulnerable. That is, both the officially distributed binary versions of VooDoo cIRCle prior to 1.1.38 and any builds linked against a vulnerable OpenSSL library are affected by this vulnerability.
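
To check which OpenSSL build a given installation actually carries, the version banner that OpenSSL embeds in its library files can be read and compared against 0.9.8l. The script below is an added example, not part of VooDoo cIRCle or of the original advisory; the function names and the sample byte strings are constructed for illustration.

```python
import re

# Banner text compiled into OpenSSL libraries, e.g. b"OpenSSL 0.9.8k 25 Mar 2009".
BANNER = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-[a-z0-9]+)? +\d{1,2} [A-Z][a-z]{2} \d{4}")
FIXED = (0, 9, 8, "l")  # release the advisory names as carrying the fix


def find_versions(blob):
    """Return each OpenSSL version found in a binary blob as (major, minor, fix, letter)."""
    found = []
    for m in BANNER.finditer(blob):
        major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
        version = (major, minor, fix, m.group(4).decode("ascii"))
        if version not in found:
            found.append(version)
    return found


def predates_fix(version):
    """True/False for builds up to the 0.9.8 branch; None for newer branches,
    because the advisory does not say which of their releases carry the fix."""
    if version[:3] > FIXED[:3]:
        return None
    # Letter suffixes sort alphabetically: "" < "a" < ... < "k" < "l".
    return version < FIXED


def audit(blob):
    """Map 'x.y.z<letter>' to the predates_fix() result for each banner in the blob."""
    return {"%d.%d.%d%s" % v: predates_fix(v) for v in find_versions(blob)}


# Constructed sample data standing in for the bytes of bundled OpenSSL DLLs.
OLD_DLL = b"\x00MZ\x90padding\x00OpenSSL 0.9.8k 25 Mar 2009\x00more\x00"
NEW_DLL = b"\x00MZ\x90padding\x00OpenSSL 0.9.8l 5 Nov 2009\x00more\x00"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # pass the DLL paths found next to the executable
        with open(path, "rb") as fh:
            print(path, audit(fh.read()))
    if len(sys.argv) == 1:
        print(audit(OLD_DLL), audit(NEW_DLL))
```

A `False` result only shows that the library is 0.9.8l or later; as the Special note explains, that release still leaves secure client sockets unprotected.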

Special note

OpenSSL library version 0.9.8l protects only secure listening server sockets. However, VooDoo cIRCle can act as a client as well, and the library leaves secure client sockets unprotected.
See http://openssl.org/news/secadv_20091111.txt for more information.
Thanks to Stefan Cornelius, Security Specialist at http://secunia.com/ for notifying me regarding this problem.

Workaround

There is no known workaround at this time.

Solution

Update to the latest version, VooDoo cIRCle 1.1.38, which is not vulnerable.

All Windows users using binary builds are strongly encouraged to download the latest version of VooDoo cIRCle.

Time line

2009-11-06 - Received notification about OpenSSL vulnerability from http://secunia.com/.
2009-11-12 - Release of VooDoo cIRCle 1.1.38, public disclosure - this advisory.

Changelog

2009-11-12 - Initial revision
2009-11-13 - Updated information regarding client TLS socket connections: "Special note" section.

Legal notice

Some names used in this document may be registered trademarks of their respective owners.
