Hotfix for multiple OpenSSL vulnerabilities (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470)
Last modified by Michael Filip on 08 July 2014 09:13 AM
The OpenSSL advisory posted June 5th lists multiple OpenSSL vulnerabilities, all of which have been addressed in OpenSSL 1.0.1h. Customers are advised to download and upgrade to the latest version of IceWarp, which includes OpenSSL 1.0.1h starting from IceWarp Server 126.96.36.199 released on June 30, or any later version.
Hotfixes for older versions and a full description of each issue are provided below.
SSL/TLS MITM vulnerability (CVE-2014-0224)
An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attacker, who can then decrypt and modify traffic between the attacked client and server. The attack can only be performed between a vulnerable client and a vulnerable server.
IceWarp Server 10.4.x and 11.0.x <= 188.8.131.52 are affected.
Anonymous ECDH denial of service (CVE-2014-3470)
OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.
IceWarp Server 10.4.x and 11.0.x <= 184.108.40.206 are affected if ECDH ciphers are enabled.
DTLS recursion flaw (CVE-2014-0221)
By sending an invalid DTLS handshake to an OpenSSL DTLS client, the code can be made to recurse until it crashes, resulting in a denial of service. Only applications using OpenSSL as a DTLS client are affected.
IceWarp Server is not affected, as it does not act as a DTLS client.
DTLS invalid fragment vulnerability (CVE-2014-0195)
A buffer overrun can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server are affected.
IceWarp Server is not affected, as it does not act as a DTLS client or server.
SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
IceWarp Server is not affected.
SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
IceWarp Server is not affected.
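As an added illustration (not part of this KB article or of IceWarp's own tooling), the following Python script encodes the applicability rules listed above: it parses OpenSSL's letter-suffixed version strings, checks a 1.0.1-branch build against the 1.0.1h fix named in this article, and reports which of the six CVEs still apply for a given deployment role. The role labels (dtls_client, anon_ecdh_client, release_buffers, multithreaded, ...) are this example's own assumed names.

```python
import re
import ssl

# Fixed release named in the advisory above; only the 1.0.1 branch is handled here.
FIXED_VERSION = "1.0.1h"

# CVE -> alternative role sets (assumed labels) under which the advisory says it applies.
# An empty set means the CVE applies to every SSL/TLS client or server.
CVE_ROLES = {
    "CVE-2014-0224": [set()],                            # SSL/TLS MITM
    "CVE-2014-3470": [{"anon_ecdh_client"}],             # anonymous ECDH DoS (TLS client)
    "CVE-2014-0221": [{"dtls_client"}],                  # DTLS recursion
    "CVE-2014-0195": [{"dtls_client"}, {"dtls_server"}], # DTLS fragment buffer overrun
    "CVE-2014-0198": [{"release_buffers"}],              # SSL_MODE_RELEASE_BUFFERS NULL deref
    "CVE-2010-5298": [{"release_buffers", "multithreaded"}],  # SSL_MODE_RELEASE_BUFFERS race
}

def parse_openssl_version(text):
    """Parse 'OpenSSL 1.0.1g 7 Apr 2014' or '1.0.1h' into (major, minor, fix, letters)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def patch_rank(letters):
    """OpenSSL 1.x letter patches order as '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)

def is_patched(text):
    """True if the version in `text` is 1.0.1h or later on the 1.0.1 branch,
    False for an earlier 1.0.1 release, None for any other branch."""
    major, minor, fix, letters = parse_openssl_version(text)
    fmajor, fminor, ffix, fletters = parse_openssl_version(FIXED_VERSION)
    if (major, minor, fix) != (fmajor, fminor, ffix):
        return None
    return patch_rank(letters) >= patch_rank(fletters)

def applicable_cves(text, roles):
    """CVEs from the advisory that still apply to a build deployed in `roles`.
    Returns None when the branch is outside this script's scope."""
    patched = is_patched(text)
    if patched is None:
        return None
    if patched:
        return []
    roles = set(roles)
    return [cve for cve, alts in CVE_ROLES.items() if any(alt <= roles for alt in alts)]

if __name__ == "__main__":
    # Check the OpenSSL linked into this interpreter, then two constructed deployments.
    print(ssl.OPENSSL_VERSION, "->", is_patched(ssl.OPENSSL_VERSION))
    print(applicable_cves("OpenSSL 1.0.1g 7 Apr 2014", {"anon_ecdh_client"}))
    print(applicable_cves("OpenSSL 1.0.1g 7 Apr 2014", {"dtls_server"}))
```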
Updated OpenSSL libraries that correct all of the CVEs above, regardless of their applicability to IceWarp Server, are available as a hotfix for the currently supported releases. The fixed OpenSSL libraries are attached to this KB article and can be found below. We recommend that users of prior versions upgrade to a currently supported release and then apply the hotfix.
Do the following to apply the hotfix: