__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Center ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Double Free Bug in zlib Compression Library [CERT Advisory CA-2002-07] March 22, 2002 22:00 GMT Number M-062 ______________________________________________________________________________ PROBLEM: There is a bug in the zlib compression library that may manifest itself as a vulnerability in programs that are linked with zlib. This bug may allow an attacker to conduct a denial-of-service attack, have the capability to gather information, or execute arbitrary code. PLATFORM: * Any software that is linked to zlib 1.1.3 or earlier may be affected. * Data compression libraries derived from zlib 1.1.3 or earlier may contain a similar bug. DAMAGE: If this vulnerability is exploited, an attacker may conduct a denial-of-service, gather information, or execute arbitrary code. SOLUTION: See CERT's vendor list for affected products and apply appropriate patch. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. Currently, there are no widespread reports ASSESSMENT: of exploitation of this vulnerability. However, if an attacker is able to pass a specially-crafted block of invalid compressed data to a program that includes zlib, the program's attempt to decompress the crafted data can cause the zlib routines to corrupt the internal data structures maintained by malloc. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-062.shtml ORIGINAL BULLETIN: http://www.cert.org/advisories/CA-2002-07.html ______________________________________________________________________________ Revision History: [Revision 04/03/02: CISCO Systems, Hewlett-Packard, and Juniper Networks release vendor updates] [Revision 11/20/02: Sun Microsystems Security Bulletin #00220 Releases Latest Updates for Java(TM) Runtime Environment (JRE)] http://www.sunsolve.sun.com/pub-cgi/ retrieve.pl?doctype=coll&doc=secbull/220&type=0&nav=sec.sba [***** Start CERT Advisory CA-2002-07 *****] CERTŪ Advisory CA-2002-07 Double Free Bug in zlib Compression Library Original release date: March 12, 2002 Last revised: March 21, 2002 1410 EST Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected Any software that is linked to zlib 1.1.3 or earlier may be affected Data compression libraries derived from zlib 1.1.3 or earlier may contain a similar bug Overview There is a bug in the zlib compression library that may manifest itself as a vulnerability in programs that are linked with zlib. This may allow an attacker to conduct a denial-of-service attack, gather information, or execute arbitrary code. It is important to note that the CERT/CC has not received any reports of exploitation of this bug. Based on the information available to us at this time, it is difficult to determine whether this bug can be successfully exploited. However, given the widespread deployment of zlib, we have published this document as a proactive measure. I. Description There is a bug in the decompression algorithm used by the popular zlib compression library. If an attacker is able to pass a specially-crafted block of invalid compressed data to a program that includes zlib, the program's attempt to decompress the crafted data can cause the zlib routines to corrupt the internal data structures maintained by malloc. The bug results from a programming error that causes segments of dynamically allocated memory to be released more than once (i.e., "double-freed"). Specifically, when inftrees.c:huft_build() encounters the crafted data, it returns an unexpected Z_MEM_ERROR to inftrees.c:inflate_trees_dynamic(). When a subsequent call is made to infblock.c:inflate_blocks(), the inflate_blocks function tries to free an internal data structure a second time. Because this bug interferes with the proper allocation and deallocation of dynamic memory, it may be possible for an attacker to influence the operation of programs that include zlib. In most circumstances, this influence will be limited to denial of service or information leakage, but it is theoretically possible for an attacker to insert arbitrary code into a running program. This code would be executed with the permissions of the vulnerable program. The CERT/CC is tracking this issue as VU#368819. This reference number corresponds to CVE candidate CAN-2002-0059. II. Impact This bug may introduce vulnerabilities into any program that includes the affected library. Depending upon how and where the zlib routines are called from the given program, the resulting vulnerability may have one or more of the following impacts: denial of service, information leakage, or execution of arbitrary code. III. Solution Upgrade your version of zlib The maintainers of zlib have released version 1.1.4 to address this vulnerability. Upgrade any software that is linked to or derived from an earlier version of zlib. The latest version of zlib is available at http://www.zlib.org These are the MD5 checksums for zlib version 1.1.4: abc405d0bdd3ee22782d7aa20e440f08 zlib-1.1.4.tar.gz 9bf1d36ced334b0cf1f996f5c8171018 zlib114.zip The maintainers of zlib have published an advisory regarding this issue; for further information, please see http://www.gzip.org/zlib/advisory-2002-03-11.txt Apply a patch from your vendor The zlib compression library is freely available and used by many vendors in a wide variety of applications. Any one of these applications may contain vulnerabilities that are introduced by this vulnerability. Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Apple Computer, Inc. Mac OS X and Mac OS X Server do not contain this vulnerability. Cisco Systems Cisco Systems is addressing the vulnerability identified by VU#368819 across all affected products. Cisco has released an advisory: http://www.cisco.com/warp/public/707/zlib-double-free.shtml Compaq Computer Corporation COMPAQ COMPUTER CORPORATION ----------------------------- x-ref: SSRT0818 zlib At the time of writing this document, Compaq continues to evaluate this potential problem and impacts to Compaq released software. Compaq will implement solutions based on the conclusion of this evaluation as necessary. Compaq will provide notice of any new patches as a result any required solution through standard patch notification procedures and be available from your normal Compaq Services support channel. COMPAQ COMPUTER CORPORATION ----------------------------- Conectiva Linux Conectiva Linux supported versions (5.0, 5.1, 6.0, 7.0, ferramentas graficas and ecomerce) are affected by the zlib vulnerability. Updates will be sent to our security mailing lists and be available at our ftp site and mirrors. The updates will include a new version of zlib itself and also other packages which include their own version of zlib or are linked statically to the system-wide copy of zlib. Debian Users of Debian GNU/Linux 2.2 (potato) should upgrade to zlib version 1.1.3-5.1. More information is available at http://www.debian.org/security/2002/dsa-122. Note that a few packages which include private copies of zlib will also need to be upgraded--more information is available at the above link. Engarde EnGarde Secure Linux Community and Professional are both vulnerable to the zlib bugs. Guardian Digital addressed this vulnerability in ESA-20020311-008 which may be found at: http://www.linuxsecurity.com/advisories/other_advisory-1960.html EnGarde Secure Professional users may upgrade their systems using the Guardian Digital Secure Network. FreeBSD FreeBSD is not vulnerable, as the FreeBSD malloc implementation detects and complains about several programming errors including this kind of double free. F-Secure Corporation F-Secure SSH is not vulnerable to zlib double free bug. No version of F-Secure SSH software is vulnerable to the "Double Free Bug in zlib Compression Library" discussed in CERT Advisory CA-2002-07. All F-Secure SSH versions, both the old SSH1 and later SSH2 protocol clients and servers, close connection immediately with fatal cleanup call without any further calls to zlib when call to zlib's inflate() returns something else than Z_OK. Fujitsu Fujitsu's UXP/V operating system is not affected by the zlib vulnerability because it does not support zlib. Hewlett-Packard Company HP-UX products currently use the 1.0.8 version of zlib and are not vulnerable to the reported double free problem. The possibility of other vulnerabilities in 1.0.8 is being investigated. IBM Corporation IBM's AIX operating system, version 5.1, ships with open source-originated zlib that is used with the Redhat Package Manager (rpm) to install applications that are included in the AIX-Linux Affinity Toolkit. zlib (libz.a) is a shared library in AIX. AIX 5.1 is susceptible to the described vulnerability. AIX 4.3.x does not ship with zlib, but customers who install zlib and use it will be similarly vulnerable. IBM will make the patched version of zlib available as soon as it is made available to us. Juniper Networks Juniper Networks has completed an initial assessment of this vulnerability, and we believe that our implementation is not susceptible. Test programs show that our memory allocation algorithm correctly detects and warns about any attempt to exploit the vulnerability described in the CERT/CC advisory. We continue to evaluate the risks associated with this vulnerability. If we determine that the JUNOS software is susceptible, we will quickly issue any patches or software updates required to maintain the security of Juniper Networks routers. Future JUNOS software releases will include a corrected version of the libz code. Microsoft Corporation Microsoft is currently conducting a full investigation based on the information provided by CERT. NetBSD NetBSD's malloc libraries are not vulnerable to double-free() attacks. The updated zlib will be included in future releases, but a Security Advisory will not be issued. Novell, Inc. Novell is working on a fix for Novell JVM for NetWare 1.3.1. We will post the fix in the May NDK. Version 1.4 will also have the fix in it. We will also update this statement with the URL to download the fix. OpenBSD OpenBSD is not vulnerable as OpenBSD's malloc implementation detects double freeing of memory. The zlib shipped with OpenBSD has been fixed in OpenBSD-current in January 2002. Openwall GNU/*/Linux All versions of Openwall GNU/*/Linux (Owl) prior to the 2002/02/15 Owl-current snapshot are affected by the zlib double-free vulnerability. Owl-current after 2002/02/15 includes the proper fixes in its userland packages. In order to not place the users of other vendors' products at additional risk, we have agreed to delay documenting this as a security change and including the fixes in Owl 0.1-stable until there's a coordinated public announcement. While we don't normally support this kind of a policy (releasing a fix before there's an announcement), this time handling the vulnerability in this way was consistent with the state of things by the time the (already publicly known) bug was first realized to be a security vulnerability. The zlib bug could affect the following Owl packages: gnupg, openssh, rpm, texinfo (not necessarily in a security sense). Of these, the OpenSSH could potentially allow for an active remote attack resulting in a root compromise. If only SSH protocol version 1 is allowed in the OpenSSH server this is reduced to a local attack, but reverse remote attack possibilities by a malicious server remain. Additionally, any third-party software that makes use of the provided zlib library could be affected. Parts of the Linux 2.2 kernel included in Owl were also affected by the vulnerability. Fortunately, those parts (Deflate compression support for PPP and the experimental Deflate compression extension to IrDA) are normally not used by the Owl userland. The bug has been corrected starting with Linux 2.2.20-ow2 which has been made public and a part of both Owl-current and Owl 0.1-stable on 2002/03/03. This change, however, will only be documented in the publicly-available change logs on the coordinated public announcement date. Red Hat, Inc. Red Hat Linux ships with a zlib library that is vulnerable to this issue. Although most packages in Red Hat Linux use the shared zlib library we haveidentified a number of packages that either statically link to zlib or contain an internal version of the zlib code. Updates to zlib and these packages as well as our advisory note are a vailable from the following URL. Users of the Red Hat Network can use the up2date tool to automatically upgrade their systems. http://www.redhat.com/support/errata/RHSA-2002-026.html Red Hat would like to thank CERT/CC for their help in coordinating this issue with other vendors. SGI SGI acknowledges the zlib vulnerabilities reported by CERT and is currently investigating. No further information is available at this time. For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on http://www.sgi.com/support/security/. SSH Communications Security SSH Secure Shell is not vulnerable to zlib double free bug. No version of SSH Secure Shell software is vulnerable to the "Double Free Bug in zlib Compression Library" discussed in CERT Advisory CA-2002-07. All SSH Secure Shell versions, including SSH2 protocol clients and servers, close the connection immediately with a fatal cleanup call without any further calls to zlib when a call to zlib's inflate() returns something else than Z_OK. Standard Networks, Inc. Standard Networks offers a "mainframe connectivity" product called "OpenIT" which uses the zlib library to compress ("zip") files transferred between Unisys mainframes and remote FTP clients and servers. After a code analysis we found the zlib vulnerability does not affect this product. Standard Networks also offers a secure HTTPS-based file transfer client called "MOVEit Wizard" which uses the zlib library to compress ("zip") files transferred between MOVEit DMZ servers and remote browsers. After a code analysis we found the zlib vulnerability does not affect this product. Nonetheless, Standard Networks will use "corrected" versions of zlib in future versions of both products. No other Standard Networks products ("ActiveHEAT","EMU","MOVEit DMZ", "MOVEit Central", "MOVEit Admin", "MOVEit Freely", "MOVEit Buddy", "Unigate") are affected. Customers are encouraged to call Standard Networks immediately (+001 608.227.6100) with any questions or concerns about their specific configuration. Sun Microsystems, Inc. Solaris 8 includes the zlib library as part of the SUNWzlib package which is affected by this issue. Sun is generating patches for zlib presently. When patches are available, Sun will publish a Sun Security Bulletin. Sun is investigating what other Sun products or applications may be impacted which use a private copy of zlib or code from the zlib library. Sun Security Bulletins are available from: http://sunsolve.sun.com/security XFree86 XFree86 versions 4.0 through 4.2.0 include zlib version 1.0.8. XFree86 3.x includes zlib version 1.0.4. The zlib code included with XFree86 is only used on some platforms. This is determined by the setting of HasZlib in the imake config files in the xc/config/cf source directory. If HasZlib is set to YES in the platform's vendor.cf file(s), then the system-provided zlib is used instead of the XFree86-provided version. XFree86 uses the system-provided zlib by default only on the following platforms: FreeBSD 2.2 and later NetBSD 1.2.2 and later OpenBSD Darwin Debian Linux The zlib code in XFree86 has been fixed in the CVS repository (trunk and the xf-4_2-branch branch) as of 14 February 2002. A source patch for XFree86 4.2.0 will be available from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/fixes/. The following XFree86 4.2.0 binary distributions provided by XFree86 include and use a vulnerable version of zlib: Linux-alpha-glibc22 Linux-ix86-glibc22 When updated binaries are available, it'll be documented at http://www.xfree86.org/4.2.0/UPDATES.html. To check if an installation of XFree86 includes zlib, see if the following file exists: /usr/X11R6/lib/libz.a To check if an XFree86 X server is dynamically linked with zlib, look for a line containing 'libz' in the output of 'ldd /usr/X11R6/bin/XFree86'. Various vendors repackage and distribute XFree86, and may use settings and configurations different from those described here. zlib.org All users of zlib versions 1.1.3 or earlier should obtain the latest version, 1.1.4 or later, from http://www.zlib.org, in order to avoid this vulnerability as well as other possible vulnerabilities in versions prior to 1.1.3 when decompressing invalid data. Appendix B. - References http://bugzilla.gnome.org/show_bug.cgi?id=70594 http://www.gzip.org/zlib/advisory-2002-03-11.txt http://www.kb.cert.org/vuls/id/368819 http://www.libpng.org/pub/png/pngapps.html http://www.redhat.com/support/errata/RHSA-2002-026.html http://www.securityfocus.com/bid/4267 -------------------------------------------------------------------------------- The CERT/CC thanks Owen Taylor and Mark Cox of Red Hat, Inc. for reporting this vulnerability. We also thank Mark Adler of zlib.org for contributing to our research and Matthias Clasen for contributing to the discovery of this vulnerability. -------------------------------------------------------------------------------- This document was written by Jeffrey P. Lanza. -------------------------------------------------------------------------------- This document is available from: http://www.cert.org/advisories/CA-2002-07.html [***** End CERT Advisory CA-2002-07 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of CERT Coordination Center for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Center, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) M-052: Microsoft Java Applet Can Redirect Browser Traffic M-053: mod_ssl and Apache_SSL Modules Contain a Buffer Overflow M-054: OpenSSH Contains Remote Exploitable Vulnerability M-055: Microsoft Unchecked Buffer in Windows Shell M-056: Red Hat "uuxqt" Vulnerability M-057: Red Hat "at" Vulnerability M-058: Apache Vulnerabilities on IRIX M-059: Red Hat "groff" Vulnerability M-060: JRE Bytecode Verifier Vulnerability M-061: HP VVOS Web proxy Vulnerability