There are some technical Problems at the Moment - please excuse the time we Need to Response - we are not as extremely fast as usual...

Resources

Analysis of openssl security vulnerabilities published 05 June 2014

Introduction: 

A number of security vulnerabilities have been found in widely adopted OpenSSL library and a corresponding security advisory was released on 05 June 2014 (see https://www.openssl.org/news/secadv_20140605.txt).
comForte uses a deep port of OpenSSL in a number of products and this article is to discuss the impact of the vulnerabilities to the various comForte products.

Context:

Mainly the security vulnerabilities were:

Quick Severity Rating for comForte software: Medium  CVE-2014-0224:
A specially crafted handshake can lead to use of weak crypto material which can result in an MITM decrypting and modifying the data transferred over the connection. ll clients with openssl versions < 1.0.0m are affected. Servers are only known to be affected if they use openssl 1.0.1 or 1.0.2-beta. o be able to launch the attack both server and client must be using a vulnerable openssl version.
How does this affect comForte software?

Quick Severity Rating for comForte software: none  CVE-2014-0221:
An OpenSSL DTLS client can crash if it is sent an invalid DTLS handshake. This can be exploited in an Denial-of-Service (DoS) attack. All openssl versions are affected.
How does this affect comForte software?

Quick Severity Rating for comForte software: none  CVE-2014-0195:
A specially crafted DTLS packet can lead to a buffer overflow which might allow for arbitrary code execution. All openssl versions are affected.
How does this affect comForte software?

Quick Severity Rating for comForte software: none  CVE-2014-0198:
A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
How does this affect comForte software?

Quick Severity Rating for comForte software: none  CVE-2010-5298:
A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
How does this affect comForte software?

Quick Severity Rating for comForte software: none  CVE-2014-0076:
Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
How does this affect comForte software?

Quick Severity Rating for comForte software: LOW  CVE-2014-3470:
OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.
How does this affect comForte software? 

[First published: 11Jun2014]