March 2015 OpenSSL Security Advisory (Multiple CVE’s)

  • 7016336
  • 19-Mar-2015
  • 19-Mar-2015

Environment

Novell GroupWise
Novell Messenger
Novell iPrint for Linux
Novell Filr
Novell Vibe OnPrem
Novell Open Enterprise Server 11 (OES 11) Linux
Novell ZENworks Configuration Management

Situation

On March 19th 2015, the OpenSSL project published a security advisory listing 14 vulnerabilities that had been found and fixed in the OpenSSL library. Patched versions of the library were made available concurrently with the announcement.

Resolution

All Novell products will be patched to include the latest version of the OpenSSL library (0.9.8zf or 1.0.1m).
Information about patches will be forthcoming.

Additional Information

We provide the following breakdown of the vulnerabilities in the security advisory in order to help you better understand the impact on Novell products. Of the 14 vulnerabilities reported, 1 has moderate impact on Novell products and 1 has low impact. 2 of the 14 vulnerabilities have already been addressed or fixed in previous Novell updates. The remaining 10 vulnerabilities do not impact Novell products because they either apply to versions of OpenSSL that Novell products do not use OR apply to functionality that Novell products do not use.

Moderate Impact
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
An attacker with a specially crafted certificate could cause a Novell server or client to crash while validating the certificate. Novell products may be vulnerable under one of the following scenarios:
1. The attacker can specify the certificate as a client certificate for an SSL/TLS connection. The server must support client certificates.
2. The attacker can coax the server into making an SSL/TLS connection to a resource that they control.
3. The attacker has a privileged network position and can spoof the IP address of a known entity that the target attempts to connect to via SSL/TLS, and presents the invalid certificate.

Low Impact
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
[Low] A successful exploit of this vulnerability requires the target code to process private keys from untrusted sources. Although several Novell products process private keys, they always do so in the context of an authenticated administrator. Although it is theoretically possible for an attacker to compromise an administrator account and exploit this vulnerability, it is unlikely that a successful attack would give the attacker more privilege than they already had with the compromised administrator account.

Previously Fixed
CVE-2015-0204 - Reclassified: RSA silently downgrades to EXPORT_RSA [Client]
Previously reported in the January security advisory. See Novell TID: CVE-2015-0204 OpenSSL Vulnerability aka “FREAK”
CVE-2015-0292 - Base64 decode
[Low] This was previously reported and has been fixed since 1.0.1h and 0.9.8za. All Novell products already incorporate these fixes.

Not Applicable by Version
The OpenSSL project maintains 4 different feature branches of the OpenSSL library: 0.9.8, 1.0.0, 1.0.1 and 1.0.2. All Novell products consume either the 0.9.8 or 1.0.1 versions of the library. As such, vulnerabilities that apply only to the 1.0.0 or 1.0.2 versions of the library have NO impact on Novell products. The following six of the fourteen vulnerabilities reported in the security advisory only impact the 1.0.2 version of the library and have no impact on Novell products:
CVE-2015-0291 - OpenSSL 1.0.2 ClientHello sigalgs DoS
CVE-2015-0290 - Multiblock corrupted pointer
CVE-2015-0207 - Segmentation fault in DTLSv1_listen
CVE-2015-0208 - Segmentation fault for invalid PSS parameters
CVE-2015-1787 - Empty CKE with client auth and DHE
CVE-2015-0285 - Handshake with unseeded PRNG
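Two things a practitioner reading this advisory needs to check are which OpenSSL feature branch a host carries and whether that build is at or above the fixed release named in the Resolution section (0.9.8zf or 1.0.1m). The following Python, added here as an example and not Novell's or OpenSSL's own code, parses the `openssl version` output format, orders the letter suffix correctly (z comes before za, which comes before zf), and reports whether the six 1.0.2-only CVEs listed above apply to that branch.

```python
import re

# Fixed releases named in the Resolution section, keyed by feature branch
# (the branch is the major.minor.fix part; the letter suffix is the release).
FIXED_BY_BRANCH = {"0.9.8": "0.9.8zf", "1.0.1": "1.0.1m"}

# The six CVEs the advisory classes as 1.0.2-only.
CVES_ONLY_1_0_2 = ["CVE-2015-0291", "CVE-2015-0290", "CVE-2015-0207",
                   "CVE-2015-0208", "CVE-2015-1787", "CVE-2015-0285"]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (branch, suffix) for a pre-1.1 OpenSSL version found in text,
    e.g. '1.0.1m' -> ('1.0.1', 'm'), or in `openssl version` output such as
    'OpenSSL 0.9.8zf 19 Mar 2015' -> ('0.9.8', 'zf'). None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, suffix = m.groups()
    return "%s.%s.%s" % (major, minor, fix), suffix


def suffix_key(suffix):
    # Letter releases run a..z and then za, zb, ... zf, so a longer suffix is
    # always newer; comparing length before letters makes that explicit.
    return (len(suffix), suffix)


def is_patched(version_text):
    """Return (branch, patched): True if at or above the fixed release for the
    branch, False if older, None if the branch is not one of the two the
    advisory names (e.g. 1.0.2, which Novell products do not consume)."""
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError("no OpenSSL version found in %r" % (version_text,))
    branch, suffix = parsed
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return branch, None
    _, fixed_suffix = parse_version(fixed)
    return branch, suffix_key(suffix) >= suffix_key(fixed_suffix)


def version_only_cves(version_text):
    """The 1.0.2-only CVEs that apply to the given version: all six on a
    1.0.2 build, none on the 0.9.8 and 1.0.1 branches."""
    branch, _ = parse_version(version_text)
    return list(CVES_ONLY_1_0_2) if branch == "1.0.2" else []
```

Feed `is_patched` the text printed by `openssl version` on the host; the constructed sample `"OpenSSL 1.0.1k 8 Jan 2015"` yields `('1.0.1', False)`, meaning the build predates 1.0.1m.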

Not Applicable by Functionality
Novell products do not use the affected functionality of the OpenSSL library and are therefore not susceptible to the following 3 vulnerabilities:
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0289 - PKCS7 NULL pointer dereferences
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref

Not Applicable by Configuration
The following defects are not applicable to Novell products because the default (and in some cases hard-coded) configuration eliminates the prerequisites for exploiting the vulnerability:
CVE-2015-0293 - DoS via reachable assert in SSLv2 servers
[Low] In order to trigger this vulnerability the server must support SSLv2 and export cipher suites.

All Novell products are configured to disallow SSLv2 and disallow the export cipher suites. As such, Novell products are not affected by this vulnerability.