[Pkg-openssl-devel] PCI compliancy problem

Brent Clark bclark at eccotours.biz
Fri Sep 14 09:31:02 UTC 2007


To whom it may concern.

The company I work for is in the process of applying for PCI compliancy.

I just received the report and I have a vulnerability listed in the report.

--------------------------------------------------------------------------------------------------------------
Netscape/OpenSSL Cipher Forcing Bug

Severity Level: Medium

CVSS Score: N/A

Explanation:
Netscape's SSLv3 implementation had a bug where if a SSLv3 connection is initially established, the first available cipher is used. If a session is resumed, a different cipher may be chosen if it appears in the passed cipher list before the session's current cipher. This bug can be used to change ciphers on the server.

OpenSSL contains this bug if the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is enabled during runtime. This option was introduced for compatibility reasons.

The problem arises when different applications using OpenSSL's libssl library enable all compatibility options including SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, thus enabling the bug.

Additional Data:
NULL-SHA:NULL-MD5:ADH-AES256-SHA:DHE-DSS-AES256-SHA:ADH-AES128-SHA:DHE-DSS-AES128-SHA

Mitigation:
This problem can be fixed by disabling the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option from the options list of OpenSSL's libssl library. This can be done by replacing the SSL_OP_ALL definition in the openssl/ssl.h file with the following line:

#define SSL_OP_ALL (0x00000FFFL^SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)

The library and all programs using this library need to be recompiled to ensure that the correct OpenSSL library is used during linking.

Industry References:
None

-------------------------------------------------------------------------------------------------------------

I run debian testing on my servers, so currently the version I have is:

root@ukvm:/usr/share/doc/openssl# dpkg -l | grep -i openssl
ii  openssl                      0.9.8e-6                Secure Socket Layer (SSL) binary and related
ii  ssl-cert                     1.0.14                  Simple debconf wrapper for openssl
root@ukvm:/usr/share/doc/openssl#

I have viewed the changelogs, and from my understanding this issue has been addressed.

If possible, please could someone provide me with any feedback or supply me with a response as to this issue.

Any or all advice and/or help that I can take back to the auditing company would be gratefully appreciated.

Kind Regards
Brent Clark

======================================================
ECCO Tours Limited
Registration no. 03078597 (England & Wales)

Registered office:
52 Shaftesbury Avenue
London W1D 6LP

Website : http://www.eccotours.biz

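An added example, not part of the original message and not OpenSSL's code: a simplified C model of the resumption behaviour the scan report describes, showing which cipher a resumed session ends up with when the compatibility option is set and when it is cleared. The function names, the flag value and the offered-cipher list are constructed for illustration; the cipher names are taken from the report's "Additional Data".

```c
#include <stdio.h>
#include <string.h>

/* Constructed flag for this model only; not the value from openssl/ssl.h. */
#define MODEL_OP_REUSE_CIPHER_CHANGE_BUG 0x1UL

/* Ciphers the modelled server has enabled (names from the report's "Additional Data"). */
static const char *const ENABLED[] = { "NULL-SHA", "NULL-MD5", "ADH-AES256-SHA",
    "DHE-DSS-AES256-SHA", "ADH-AES128-SHA", "DHE-DSS-AES128-SHA" };
#define N_ENABLED ((int)(sizeof ENABLED / sizeof ENABLED[0]))

static int is_enabled(const char *name)
{
    for (int i = 0; i < N_ENABLED; i++)
        if (strcmp(ENABLED[i], name) == 0)
            return 1;
    return 0;
}

/* Index in offered[] of the cipher a resumed session ends up using,
 * or -1 when resumption is refused and a full handshake is required. */
int resume_cipher(const char *const offered[], int n, const char *session_cipher,
                  unsigned long options)
{
    for (int i = 0; i < n; i++) {
        if (strcmp(offered[i], session_cipher) == 0)
            return i;   /* session keeps the cipher it was negotiated with */
        if ((options & MODEL_OP_REUSE_CIPHER_CHANGE_BUG) && is_enabled(offered[i]))
            return i;   /* bug: a cipher listed earlier replaces the session's cipher */
    }
    return -1;
}

/* Constructed resumption attempt: the session was negotiated with DHE-DSS-AES256-SHA. */
static const char *const OFFERED[] = { "NULL-SHA", "DHE-DSS-AES256-SHA" };

int main(void)
{
    int bug = resume_cipher(OFFERED, 2, "DHE-DSS-AES256-SHA", MODEL_OP_REUSE_CIPHER_CHANGE_BUG);
    int fixed = resume_cipher(OFFERED, 2, "DHE-DSS-AES256-SHA", 0);
    printf("option set:     resumed with %s\n", OFFERED[bug]);
    printf("option cleared: resumed with %s\n", OFFERED[fixed]);
    return 0;
}
```

With the option cleared, the model only ever returns the session's original cipher or refuses the resumption, which is the property the report's mitigation is meant to restore.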