             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                        Security Vulnerabilities in ASN.1

January 21, 2004 19:00 GMT                                        Number O-065
[REVISED 23 JAN 2004]
[REVISED 29 JAN 2004]
[REVISED 10 FEB 2004]
______________________________________________________________________________
PROBLEM:       CIAC previously reported vulnerabilities occurring primarily in
               the Abstract Syntax Notation One (ASN.1) parsing code in CIAC
               Bulletin N-159 with a "Low" risk assessment. CIAC is now seeing
               vulnerabilities that warrant a higher assessment. These will be
               reported in this bulletin as vendors release information.

               Sun Alert #57472: The Internet Key Exchange (IKE) in Solaris 9
               uses ASN.1 code from SSH Inc. A buffer overflow vulnerability
               has been found in the in.iked(1M) daemon.

PLATFORM:      Sun Solaris 9 on SPARC and x86 platforms
               Microsoft Windows NT® Workstation 4.0 Service Pack 6a
               Microsoft Windows NT Server 4.0 Service Pack 6a
               Microsoft Windows NT Server 4.0 Terminal Server Edition
                 Service Pack 6
               Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000
                 Service Pack 3, Microsoft Windows 2000 Service Pack 4
               Microsoft Windows XP, Microsoft Windows XP Service Pack 1
               Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP
                 64-Bit Edition Service Pack 1
               Microsoft Windows XP 64-Bit Edition Version 2003, Microsoft
                 Windows XP 64-Bit Edition Version 2003 Service Pack 1
               Microsoft Windows Server™ 2003
               Microsoft Windows Server 2003 64-Bit Edition

DAMAGE:        A local or remote attacker could kill the in.iked(1M) daemon,
               resulting in a denial of service, or could gain unauthorized
               root access due to a buffer overflow in this daemon.

SOLUTION:      Sun Alert #57472: Install appropriate patches.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. A local or remote attacker could gain root
ASSESSMENT:    access or cause a denial of service.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-065.shtml
 ORIGINAL BULLETIN:  http://sunsolve.sun.com/search/document.do?assetkey=1-26-57472-1
 ADDITIONAL LINKS:   CERT Advisory CA-2003-26:
                       http://www.cert.org/advisories/CA-2003-26.html
                     CIAC Bulletin N-159
                       http://www.ciac.org/ciac/bulletins/n-159.shtml
                     Microsoft Security Bulletin MS04-007
                       http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-007.asp
______________________________________________________________________________
REVISION HISTORY:
 1/23/04 - Sun released new patches in place of the preliminary T-patch.
 1/29/04 - revised to reflect Sun's release of revised Sun Alert ID: 57472
 2/10/04 - revised to reflect Microsoft's release of Microsoft Bulletin
           MS04-007

[***** Start Sun Alert #57472 rev.1 *****]

Sun(sm) Alert Notification

   Sun Alert ID: 57472
   Synopsis: Security Vulnerability in ASN.1 May Affect Solaris Internet Key
             Exchange (IKE)
   Category: Security
   Product: Solaris
   BugIDs: 4930399
   Avoidance: Patch
   State: Resolved
   Date Released: 13-Jan-2004, 28-Jan-2004
   Date Closed: 28-Jan-2004
   Date Modified: 20-Jan-2004, 22-Jan-2004, 28-Jan-2004

1. Impact

   The Internet Key Exchange (IKE) implementation in Solaris 9 uses ASN.1 code
   from SSH Inc. Under certain rare conditions, it may be possible for a local
   or remote unprivileged user to kill the in.iked(1M) daemon, resulting in a
   Denial of Service (DoS), or gain unauthorized root access due to a buffer
   overflow in the in.iked(1M) daemon.

   The issue with ASN.1 is described in CERT Vulnerability VU#104280 (see
   http://www.kb.cert.org/vuls/id/104280), which is referenced in CERT
   Advisory CA-2003-26 (see http://www.cert.org/advisories/CA-2003-26.html)
   and NISCC Vulnerability Advisory 006489/TLS (see
   http://www.uniras.gov.uk/vuls/2003/006489/tls.htm).

2. Contributing Factors

   This issue can occur in the following releases:

   SPARC Platform
     * Solaris 9 without patch 113451-05

   x86 Platform
     * Solaris 9 without patch 114435-03

   Note: Solaris 7 and 8 are not affected by this issue.

3. Symptoms

   There are no predictable symptoms that would indicate the described issues
   have been exploited.

Solution Summary

4. Relief/Workaround

   There is no workaround. Please see the Resolution section below.

5. Resolution

   This issue is addressed in the following releases:

   SPARC Platform
     * Solaris 9 with patch 113451-05 or later

   x86 Platform
     * Solaris 9 with patch 114435-03 or later

Change History

   20-Jan-2004:
     * Update Contributing Factors and Resolution sections for x86 Resolution
       patch
   22-Jan-2004:
     * Update Contributing Factors and Resolution sections for Solaris 9
       Resolution patch
   28-Jan-2004:
     * SunSolve patch issue corrected - re-releasing as Resolved.

This Sun Alert notification is being provided to you on an "AS IS" basis. This
Sun Alert notification may contain information provided by third parties. The
issues described in this Sun Alert notification may or may not impact your
system(s). Sun makes no representations, warranties, or guarantees as to the
information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING
THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of your
agreement to purchase services from Sun, or, if you do not have such an
agreement, the Sun.com Terms of Use. This Sun Alert notification may only be
used for the purposes contemplated by these agreements.
Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
CA 95054 U.S.A. All rights reserved.

[***** End Sun Alert #57472 rev.1 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-055: Red Hat Updated elm Packages Fix Vulnerability in frm Command
O-056: Hewlett-Packard dtterm Vulnerability
O-057: Hewlett-Packard libDtSvc Vulnerability
O-058: Hewlett-Packard SharedX Vulnerability
O-059: Debian Linux-Kernel-2.4.14-ia64 Vulnerabilities
O-060: Debian Password Expiration Vulnerability
O-061: Red Hat Updated tcpdump Packages Fix Various Vulnerabilities
O-062: CERT Advisory Multiple H.323 Message Vulnerabilities
O-063: Red Hat Elevated Privileges Vulnerability
O-064: HP 'rwrite' Utility Vulnerability
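A patch-presence check for the Resolution section of Sun Alert #57472 above (113451-05 or later on SPARC, 114435-03 or later on x86), added here as an example; it is not part of the CIAC bulletin or of Sun's alert. It assumes `showrev -p` output of the form shown in the constructed sample and that `uname -p` reports `sparc` or `i386`; it also accepts a later revision of the same patch, which the alert's "or later" wording requires.

```shell
#!/bin/sh
# Constructed sample of `showrev -p` output: one "Patch: NNNNNN-RR ..." line
# per installed patch revision. Both architectures' patches are mixed in
# purely for demonstration; on a real host use "$(showrev -p)" instead.
SAMPLE_SHOWREV='Patch: 112233-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 113451-04 Obsoletes:  Requires: 112233-11 Incompatibles:  Packages: SUNWcsr
Patch: 114435-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'

# patch_rev SHOWREV_OUTPUT PATCHID
# Prints the highest installed revision number of PATCHID as an integer,
# or nothing if no revision of that patch is installed.
patch_rev() {
    printf '%s\n' "$1" | awk -v id="$2" '
        BEGIN { max = 0 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == id && p[2] + 0 > max) max = p[2] + 0
        }
        END { if (max > 0) print max }'
}

# ike_patched SHOWREV_OUTPUT ARCH
# ARCH is what `uname -p` reports (assumed here: "sparc" or "i386").
# Returns 0 if the Sun Alert #57472 fix is installed, 1 if it is missing,
# 2 if the architecture is not one the alert covers.
ike_patched() {
    case "$2" in
        sparc) id=113451; need=5 ;;   # SPARC: 113451-05 or later
        i386)  id=114435; need=3 ;;   # x86:   114435-03 or later
        *) echo "unsupported architecture: $2" >&2; return 2 ;;
    esac
    rev=$(patch_rev "$1" "$id")
    if [ -n "$rev" ] && [ "$rev" -ge "$need" ]; then
        echo "OK: patch $id-$(printf '%02d' "$rev") installed"
        return 0
    fi
    echo "MISSING: need patch $id-$(printf '%02d' "$need") or later, found ${rev:-none}"
    return 1
}

# Demonstration on the constructed sample: only 113451-04 is present, so the
# SPARC in.iked fix is reported missing; the x86 patch 114435-03 is present.
ike_patched "$SAMPLE_SHOWREV" sparc || :
ike_patched "$SAMPLE_SHOWREV" i386 || :
```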