Stonesoft Corp. Security Advisory

Date: Sep 30, 2003
Title: OpenSSL security bugs
Refs: Cert-UK: 006489/OpenSSL
CVE: CAN-2003-0543, CAN-2003-0544, CAN-2003-0545

The information contained in this advisory is provided on an as-is basis. Stonesoft does not make any warranties of any kind with respect to the information contained in this advisory. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL STONESOFT, CORP. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS ADVISORY.

If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.

1. Overview

CERT announced today that several security vulnerabilities exist in OpenSSL software versions up to and including 0.9.7b. The vulnerabilities permit denial-of-service attacks. It may be possible that a vulnerability also enables a remote attacker to execute arbitrary code.

2. StoneGate

A vulnerable version of OpenSSL is included in the StoneGate engine. The vulnerabilities reported by CERT were tested against the OpenSSL implementation on StoneGate without being able to do any harm. Stonesoft takes security issues very seriously and applies a new OpenSSL version to the future StoneGate engine versions.

All StoneGate engines up to and including version 2.2.1 contain the vulnerable software. A new StoneGate engine version 2.2.2 is planned to be available on October 3rd, 2003 for Intel and S390 platforms. A new StoneGate engine version 2.0.11 is planned to be available on October 7th, 2003 for the SPARC platform. The new versions will be available for download from Stonesoft's web site at www.stonesoft.com. All customers with valid support and maintenance contracts will be notified.

The Stonesoft security advisory of September 19th, 2003 warned about a vulnerability in OpenSSH software. The new StoneGate engine versions 2.0.11 and 2.2.2 will also fix this vulnerability.

Recommended Actions:

All StoneGate users are encouraged to upgrade their StoneGate engines to the appropiate new version as soon as it is available.

Stonesoft estimates that no other actions are required at this time. Should the situation change prior to the new StoneGate release, Stonesoft will issue a separate notification.

3. StoneBeat

All StoneBeat clustering products use SSLv3 for control connections.

All SSL encrypted control communications are passed between the management system using the control network, TCP port number 3002. Communication to StoneBeat control ports should be limited to minimum in a firewall rulebase or by using a secure control interface between the cluster nodes and management system. A secure interface means a network which is not accessible from any networks that can be considered as possible source of malicious operations.

There will be a patch for all products in a timely manner. The patches will be available at http://www.stonesoft.com/download/.

Recommended Actions:

All StoneBeat users are encouraged to upgrade their StoneBeat software to the appropiate new version as soon as it is available.

4. Appendices

Stonesoft Security Analysis Group's PGP key is available at: ftp://download.stonesoft.com/web/Support/Stonesoft%20Security%20 Alert.asc

To report or inquire about a security problem with Stonesoft software, contact one or more of the following:

Copyright 2003 Stonesoft, Corp. All rights reserved.

Stonesoft, StoneGate and StoneBeat are trademarks or registered trademarks of Stonesoft, Corp. in Finland and other countries. All other company and product names contained herein are property of their respective holders. This advisory may be reproduced and distributed only in its unaltered form and only for non-commercial purposes.