__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Center
__________________________________________________________

INFORMATION BULLETIN

RSA BSAFE SSL-J 3.x Vulnerability
[RSA Security Bulletin, September 2001]

September 12, 2001 23:00 GMT                                      Number L-141
______________________________________________________________________________
PROBLEM:       A vulnerability exists in the RSA BSAFE SSL-J 3.x Software
               Development Kit that allows SSL sessions to open without
               authentication of the remote user. Any software that uses
               this library to create encrypted SSL sessions with remote
               users is vulnerable. Unauthenticated users may get access to
               these systems.
PLATFORM:      Any software package that was developed with the RSA BSAFE
               SSL-J Software Development Kit libraries versions 3.0, 3.0.1,
               and 3.1.
               Programs developed with these libraries:
               Cisco: iCDN 2.0 (Internet Content Distribution Network)
DAMAGE:        Remote users could get unauthenticated access to a system
               through the encrypted SSL link.
SOLUTION:      Developers using RSA BSAFE SSL-J 3.x libraries should apply
               the patches or upgrade to version 3.1.1 of the library. Users
               of CISCO iCDN 2.0 should upgrade to version 2.0.1.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Unauthenticated users may gain access to a
ASSESSMENT:    system.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/l-141.shtml
 ORIGINAL BULLETIN:
   RSA:              http://www.rsasecurity.com/products/bsafe/bulletins/BSAFE_SSL-J_3.x.SecurityBulletin.html
   CISCO:            http://www.cisco.com/warp/public/707/SSL-J-pub.html
 PATCHES:            RSA BSAFE SSL-J 3.x Patches and Updates

                     Guide to Updating RSA BSAFE SSL-J 3.x Toolkits
                     http://www.rsasecurity.com/products/bsafe/bulletins/Guide_to_Updating_SSL-J_3.x_Toolkits.pdf

                     Binary and Source Code Security Patches for
                     RSA BSAFE SSL-J 3.1
                     https://www.rsasecurity.com.au/download/sslj-patch/3.1/index.html

                     Binary Security Patch for RSA BSAFE SSL-J 3.0.1
                     http://www.rsasecurity.com/products/bsafe/bulletins/patches/sslj301pat.zip

                     Source Code Security Patch for RSA BSAFE SSL-J 3.0.1
                     http://www.rsasecurity.com/products/bsafe/bulletins/patches/sslj301patsrc.zip

                     RSA BSAFE SSL-J 3.0.1 Binary Release
                     http://www.rsasecurity.com/products/bsafe/bulletins/patches/Sslj301.zip

   CISCO iCDN:       http://www.cisco.com/warp/public/707/SSL-J-pub.html
______________________________________________________________________________

[***** Start RSA Security Bulletin, September 2001 *****]

RSA Security Bulletin

Subject: Security Patch Released for RSA BSAFE SSL-J 3.x
Posted:  September 2001

Summary
=======

The problem affects server-side SSL in client authentication mode only when
using RSA BSAFE SSL-J versions 3.0, 3.0.1 or 3.1. The problem does not
affect clients. The problem does not impact servers that do not use client
authentication.

The SSL protocol provides for caching of SSL sessions between subsequent
connections by the same user. Due to a bug in the SSL session caching
feature implemented in RSA BSAFE SSL-J versions 3.x, unauthorized clients
may be able to impersonate authorized clients, thus potentially gaining
access to data intended only for authorized users. The vulnerability does
not give the attacker super-user or "root" privileges on the server.

RSA Security has provided an easy migration path and downloadable patches
for customers who are at risk. This bulletin describes the immediate steps
you should take to ensure that your applications remain protected from
malicious attackers.

Problem Description
===================

What is SSL session caching?
----------------------------

The SSL protocol contains provisions to perform fast reconnections once an
initial connection has been performed. The SSL protocol does this by
creating an SSL session, identified by a session ID. This permits client
applications to reconnect to the server by specifying the same session ID
used in earlier transactions. When a client presents a valid session ID, a
much shorter SSL connection setup is performed. This results in faster
connection times and a reduction in processing overhead for server
applications.

How does RSA BSAFE SSL-J handle SSL sessions?
---------------------------------------------

As part of its implementation of the server-side of the SSL protocol, RSA
BSAFE SSL-J maintains a cache of sessions established previously with
client applications. The sessions eventually time out and are removed from
the cache. A client attempting to reconnect after its session has timed out
must renegotiate a full SSL handshake. This behavior is expected under the
SSL specifications.

What is client authentication mode?
-----------------------------------

When the SSL protocol is in client authentication mode, the client must
present a valid certificate during the connection setup to prove its
identity to the server. This authentication is skipped if the client
presents a valid session ID (see above), since the client must have already
been authenticated during the first connection that initiated the session.

The caching problem
-------------------

This problem occurs only in RSA BSAFE SSL-J 3.x when using server-side SSL
in client authentication mode.

If an error occurs while the handshake is being performed, the session's ID
might, under certain conditions, be stored in the cache rather than being
discarded. If the same client then attempts a second connection, the
session ID will already be in the server cache and the shorter version of
the SSL handshake will be performed. Consequently, the client
authentication phase will be skipped and the connection will proceed as if
the client has been successfully authenticated.

The consequences of the vulnerability
-------------------------------------

This security vulnerability could allow an attacker to circumvent the SSL
client authentication mechanism on servers using RSA BSAFE SSL-J 3.x. The
attacker might then subsequently gain unauthorized access to data that
otherwise would have been secured by the RSA BSAFE SSL-J for the server
application.

When does the problem occur?
----------------------------

Only versions 3.0, 3.0.1, or 3.1 of RSA BSAFE SSL-J used for
client-authenticated server SSL applications are affected.

When does the problem not occur?
--------------------------------

The following users are not affected by the problem:

   Users of RSA BSAFE SSL-J 1.x and 2.x.

   Users of RSA BSAFE SSL-J 3.1.1 or 4.0 beta 2 or higher.

   Client applications built with RSA BSAFE SSL-J, irrespective of the RSA
   BSAFE SSL-J version number, including all versions of RSA BSAFE SSL-J
   3.x.

   Server applications built with SSL-J not utilizing client
   authentication, irrespective of the RSA BSAFE SSL-J version number,
   including all versions of RSA BSAFE SSL-J 3.x.

Solution
========

Customers with active maintenance agreements and who currently use an
affected version of RSA BSAFE SSL-J are recommended to upgrade to the
latest release version of RSA BSAFE SSL-J. The current release version is
RSA BSAFE SSL-J 3.1.1.

Customers not currently on active maintenance contracts and who currently
use an affected version are recommended to do the following:

Customers using RSA BSAFE SSL-J 3.0
-----------------------------------

   Download and install the no-cost RSA BSAFE SSL-J 3.0.1 upgrade.

   Download and apply RSA BSAFE SSL-J 3.0.1 Patch 1 to the RSA BSAFE SSL-J
   3.0.1 distribution.

Customers using RSA BSAFE SSL-J 3.0.1
-------------------------------------

   Download and apply RSA BSAFE SSL-J 3.0.1 Patch 1 to the RSA BSAFE SSL-J
   3.0.1 distribution.

Customers using RSA BSAFE SSL-J 3.1
-----------------------------------

Either:

   Download and apply RSA BSAFE SSL-J 3.1 Patch 11 to a clean installation
   of RSA BSAFE SSL-J 3.1. If the customer has already applied patches to
   the RSA BSAFE SSL-J 3.1, please reinstall RSA BSAFE SSL-J 3.1 from the
   distribution medium prior to installing Patch 11.

   If the customer has a current maintenance contract, the customer can
   request a copy of the current RSA BSAFE SSL-J 3.1.1 release through
   their account manager. RSA BSAFE SSL-J 3.1.1 does not have this bug.

Download
========

The above patches can be downloaded from:

   http://www.rsasecurity.com/support/bsafe/index.html

The patches are encrypted. Decryption passwords will be provided to you by
your RSA Account Manager. Please call RSA Security at 650-295-7600 and ask
for the sales department if you have not yet received the passwords.

RSA Security encourages customers to install the respective patch to
proactively prevent security problems. RSA Security continues to make all
possible efforts to ensure our products meet the highest levels of quality
and standards our customers expect.

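
Added example (not part of the RSA or CIAC bulletin, and not SSL-J code): a simplified Python model of the flaw described under "The caching problem" above, next to the corrected behaviour and an extra server-side check. The class and function names, the TRUSTED_CLIENTS set, and the use of a rejected certificate as the handshake error are assumptions made for illustration; the bulletin does not say which error conditions trigger the bug.

```python
"""Toy model of a server-side SSL session cache in client-authentication mode.
Constructed for illustration; this is not RSA BSAFE SSL-J code or its API."""
import secrets

TRUSTED_CLIENTS = {"alice-cert"}  # constructed stand-in for certificate validation


class Server:
    def __init__(self, cache_failed_handshakes):
        # True models the flaw in the bulletin; False models the corrected behaviour.
        self.cache_failed_handshakes = cache_failed_handshakes
        self.cache = {}  # session ID -> authenticated client identity (or None)

    def full_handshake(self, client_cert):
        """Full handshake: the client must present a valid certificate."""
        session_id = secrets.token_hex(16)
        if client_cert in TRUSTED_CLIENTS:
            self.cache[session_id] = client_cert
            return session_id, True
        # Error path (assumed here to be a rejected certificate):
        # the session must be discarded, never cached.
        if self.cache_failed_handshakes:
            self.cache[session_id] = None  # flaw: failed session becomes resumable
        return session_id, False

    def resume(self, session_id):
        """Abbreviated handshake: a cache hit skips the certificate check."""
        return session_id in self.cache

    def resume_checked(self, session_id):
        """Extra check (added in this model, not a description of RSA's patch):
        resume only if an authenticated identity was recorded for the session."""
        return self.cache.get(session_id) is not None


def scenario(cache_failed_handshakes, checked=False):
    """Return (resumed_after_failed_auth, resumed_after_good_auth)."""
    server = Server(cache_failed_handshakes)
    bad_id, bad_ok = server.full_handshake("unknown-cert")
    good_id, good_ok = server.full_handshake("alice-cert")
    assert not bad_ok and good_ok
    resume = server.resume_checked if checked else server.resume
    return resume(bad_id), resume(good_id)


if __name__ == "__main__":
    print("flawed cache:       ", scenario(True))
    print("corrected cache:    ", scenario(False))
    print("flawed + checked:   ", scenario(True, checked=True))
```

In the flawed configuration the session from the failed handshake resumes successfully, which is the authentication bypass the bulletin describes; in the other two configurations only the session from the authenticated handshake resumes.
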
Getting Support and Services
============================

General Technical Support Information:
   http://www.rsasecurity.com/support

SecurCare® Online:
   http://www.rsasecurity.com/support/securcare

Technical Support Telephone Numbers:
   http://www.rsasecurity.com/support/news/tollfree.html

Credits
=======

RSA Security's customer Cisco Systems detected the bug during internal
testing. RSA is not aware of any security breaches resulting from this bug.

RSA BSAFE SSL-J 3.x Patches and Updates
=======================================

Guide to Updating RSA BSAFE SSL-J 3.x Toolkits
   http://www.rsasecurity.com/products/bsafe/bulletins/Guide_to_Updating_SSL-J_3.x_Toolkits.pdf

Binary and Source Code Security Patches for RSA BSAFE SSL-J 3.1
   https://www.rsasecurity.com.au/download/sslj-patch/3.1/index.html

Binary Security Patch for RSA BSAFE SSL-J 3.0.1
   http://www.rsasecurity.com/products/bsafe/bulletins/patches/sslj301pat.zip

Source Code Security Patch for RSA BSAFE SSL-J 3.0.1
   http://www.rsasecurity.com/products/bsafe/bulletins/patches/sslj301patsrc.zip

RSA BSAFE SSL-J 3.0.1 Binary Release
   http://www.rsasecurity.com/products/bsafe/bulletins/patches/Sslj301.zip

[***** End RSA Security Bulletin, September 2001 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of RSA Security and CISCO for
the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.