
CVE-2018-0732


'During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).'
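The hang described in the advisory text above comes from a client running key generation on whatever modulus size the server supplies. The following Python code is an added example, not ClearCenter's or OpenSSL's code: it rejects an oversized modulus before any exponentiation and, when run directly, times the unguarded operation at growing sizes. The function names and the 10,000-bit cap are assumptions made for this example.

```python
import secrets
import time

MAX_DH_PRIME_BITS = 10_000  # assumed cap for this example


class DHParameterError(ValueError):
    """Server-supplied DH parameters were rejected before any key generation."""


def check_server_dh_params(p: int, g: int, max_bits: int = MAX_DH_PRIME_BITS) -> None:
    # The size check comes first and is O(1): nothing expensive runs on an
    # oversized value. Primality is deliberately not tested here.
    if p.bit_length() > max_bits:
        raise DHParameterError(f"modulus is {p.bit_length()} bits, cap is {max_bits}")
    if p < 5 or p % 2 == 0:
        raise DHParameterError("modulus must be an odd integer >= 5")
    if not 1 < g < p - 1:
        raise DHParameterError("generator must satisfy 1 < g < p - 1")


def client_keygen(p: int, g: int, max_bits: int = MAX_DH_PRIME_BITS) -> tuple[int, int]:
    """Return (private, public) for validated parameters."""
    check_server_dh_params(p, g, max_bits)
    x = secrets.randbelow(p - 3) + 2  # private exponent in [2, p - 2]
    return x, pow(g, x, p)


def unguarded_keygen_seconds(bits: int) -> float:
    """Time one g^x mod p with exponent and modulus both `bits` long."""
    # Constructed odd modulus, not a real prime; cost is driven by size.
    p = (1 << (bits - 1)) | secrets.randbits(bits - 1) | 1
    x = secrets.randbits(bits)
    start = time.perf_counter()
    pow(2, x, p)
    return time.perf_counter() - start


if __name__ == "__main__":
    for bits in (2048, 8192, 16384):
        print(f"{bits:>6}-bit modulus: {unguarded_keygen_seconds(bits):.3f} s")
    try:
        client_keygen((1 << 100_000) | 1, 2)  # constructed oversized value
    except DHParameterError as exc:
        print("rejected:", exc)
```
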

ClearCenter response

This issue affects ClearOS 7 and ClearOS 6.

Short response

The impact of this attack is limited to making the system hang while a key is being generated. In a coordinated attack, this could be used to cause a denial of service. ClearCenter plans to implement the fix for ClearOS 7 once it is available upstream, or if upstream is too slow to produce a timely repair and this exploit becomes weaponized. A fix for ClearOS 6 is not scheduled.

Long response

The impact of this attack is limited to making the system hang while a key is being generated. In a coordinated attack, this could be used to cause a denial of service. ClearCenter plans to implement the fix for ClearOS 7 once it is available upstream, or if upstream is too slow to produce a timely repair and this exploit becomes weaponized. A fix is known to exist in 'OpenSSL 1.1.0i-dev' and later. The production open source version was released on 11 Sep 2018; it is currently being evaluated for suitability and should be available in a forthcoming patch. A fix for ClearOS 6 is not scheduled.

Resolution

The resolution to this problem for ClearOS 7 is pending. This will likely not be fixed in ClearOS 6.

Users of ClearOS 7 who use TLS-based encryption on external-global ports should monitor their servers for sudden increases in CPU load. Block IP addresses involved in connections to public-facing IPs that hang because of high load from the openssl processes they invoke.

content/en_us/announcements_cve_cve-2018-0732.txt · Last modified: 2018/10/01 12:45 by dloper
