=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN477
_____________________________________________________________________

DATE                      : 24/11/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Solaris 10, OpenSolaris running OpenSSL.

======================================================================
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-273029-1
______________________________________________________________________

Security Vulnerability in the Transport Layer Security (TLS) and
Secure Sockets Layer 3.0 (SSLv3) Protocols Involving Handshake
Renegotiation Affects OpenSSL
  _________________________________________________________________

Category : Security
Release Phase : Workaround
Bug Id : 6898546, 6898539
Product : Solaris 10 Operating System
OpenSolaris
Date of Workaround Release : 19-Nov-2009

Security Vulnerability in the Transport Layer Security (TLS) and Secure
Sockets Layer 3.0 (SSLv3) Protocols Involving Handshake Renegotiation
Affects OpenSSL


1. Impact

A security vulnerability in the Transport Layer Security (TLS) and
Secure Sockets Layer 3.0 (SSLv3) protocols in the handling of session
renegotiations affects OpenSSL (see openssl(5)). This issue may allow
a remote unauthenticated user with the ability to intercept and
control network traffic to perform man-in-the-middle (MITM) attack to
inject arbitrary plaintext at the beginning of the application
protocol stream, thus compromising the integrity of the communication.
This vulnerability does not allow one to decrypt the intercepted
network communication.
The exact nature of the impact of compromised data integrity depends
on the application making use of the OpenSSL libraries.
Sun acknowledges with thanks, Marsh Ray and Steve Dispensa of
PhoneFactor for bringing this issue to our attention.
This issue is also referenced in the following documents:

CVE-2009-3555 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
US-CERT VU#120541 at http://www.kb.cert.org/vuls/id/120541

2. Contributing Factors

This issue can occur in the following releases:
SPARC Platform
  * Solaris 10
  * OpenSolaris

x86 Platform
  * Solaris 10
  * OpenSolaris

Notes:

1. Solaris 8 is not impacted by this issue.

2. Solaris 9 does not ship with OpenSSL libraries which can be used
for application linking and is thus not impacted by this issue.
OpenSolaris distributions may include additional bug fixes above and
beyond the build from which it was derived.  The base build can be
derived as follows:
$ uname -v
snv_101

3. Symptoms

There are no predictable symptoms that would indicate the described
issue has occurred.

4. Workaround

Solaris Kernel SSL proxy module, KSSL (see ksslcfg(1M)) does not
support client renegotiation or rehandshake. Server applications which
use the KSSL module are not affected by this issue. KSSL may be used
to workaround the described issue in such applications.
The following Interim Security Relief (ISRs) is available from
http://sunsolve.sun.com/tpatches for the following release:
SPARC Platform
  * Solaris 10 IDR141981-01

IMPORTANT: These ISRs disable TLS session renegotiation. This may
affect applications which depend on renegotiation. It is advisable to
test these ISRs with applications that use OpenSSL libraries, before
deploying them for wider use.
Note: This document refers to one or more Interim Security Relief
(ISRs) which are designed to address the concerns identified herein.
Sun has limited experience with these (ISRs) due to their interim
nature. As such, you should only install the ISRs on systems meeting
the configurations described above. Sun may release full patches at a
later date, however, Sun is under no obligation whatsoever to create,
release, or distribute any such patch.

5. Resolution

A final resolution is pending completion for Solaris 10 and
OpenSolaris.

For more information on Security Sun Alerts, see Technical
Instruction ID 213557.

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.

Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================