Openssl Vulnerability – SSL/TLS Renegotiation Handshakes


Hi,

I’m currently at CentOS 5.8. I’m using openssl version openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus security scan:

“SSL/TLS Renegotiation Handshakes MiTM Plaintext Data Injection”

As per the following link, Red Hat has introduced openssl-0.9.8m, which fixes this specific issue:

https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_support

I created an rpm for openssl-0.9.8m from the tarball, and when I tried to install it I got “libssl.so.6()(64bit) is needed by ” errors, which would be solved by installing the openssl098e rpm. That rpm is part of CentOS 6, so I can’t install it.

Do we have an openssl-0.9.8m or higher rpm available for CentOS 5? Or is there any other way I could resolve the “libssl.so.6()(64bit) is needed by ” errors? Or any suggestions on the mentioned “SSL/TLS Renegotiation Handshakes” vulnerability?

Thanks, Anumeha

8 thoughts on - Openssl Vulnerability – SSL/TLS Renegotiation Handshakes

  • Don’t trust Nessus scans

    If you follow that link it points to
    https://rhn.redhat.com/errata/RHSA-2010-0162.html (openssl-0.9.8e-12.el5_4.6)
    as having the fix.

    Which is superseded by
    https://rhn.redhat.com/errata/RHSA-2013-0587.html (openssl-0.9.8e-26.el5_9.1)

    The version numbers reported by Red Hat do not always match the version numbers reported by upstream, because Red Hat backports fixes into older versions.

    According to the very pages you linked to, the flaw has been addressed by Red Hat in the 0.9.8e-12 and newer packages.

  • Thank You.

    “Support for RFC 5746 in OpenSSL was introduced upstream in version 0.9.8m”
    mentioned in the Red Hat article made me think that I would require this version. Stephen, as per what you explained, I should be fine with openssl-0.9.8e-22.el5. Right? So, can the vulnerability reported by the Nessus scanner be ignored?

  • No, Nessus should not in general be ignored.
    _My_ *personal* experience has been that if Nessus is reporting a PACKAGE out of date on CentOS, then it IS out of date [the patch and CESA have been released by the CentOS team].

    As has been indicated earlier in the thread, you need to update your system for ALL the security issues[1] (which don’t break the operation of the system), because you are running CentOS 5.8 [with no updates, presumably[2]]. You might be misunderstanding the purpose of point releases[3].

    Can you tell us *why* you are forcing your machine to stay at a particular point release?
    It is generally bad practice not to install the updates, at least after testing on a test rig that represents your deployed machine. If you were up to date, then this “PCI audit” [4] info on the wiki might apply to your situation.

    Perhaps you should read these http://www.redhat.com/advice/speaks_backport.html https://access.redhat.com/security/updates/backporting/?sc_cid093

    and skim these https://www.CentOS.org/modules/newbb/viewtopic.php?topic_id723
    http://www.CentOS.org/modules/newbb/viewtopic.php?topic_id3190&forum=14

    [1] try googling, with a limiter of in the last year, for:
    CESA +"CentOS 5" site:lists.CentOS.org/pipermail/CentOS-announce/
    These will point to most of the security updates for “CentOS 5”, which you may not have applied.

    [2]… to confirm you really are running with no/very few 5.9 updates you could run rpm -qa --last \*release\*
    which will tell you what release the machine thinks it is at. And then look at rpm -qa --last |less to see what, if anything, has been updated since a few *days* after the release.

    [3]
    http://wiki.CentOS.org/FAQ/General#head-6e2c3746ec45ac3142917466760321e868f43c0e

    [4]
    http://wiki.CentOS.org/FAQ/General#head-3dad8cb98ac535185e58e882a23ca4b096cbff2f

    Even when this disclaimer is not here:
    I am not a contracting officer. I do not have authority to make or modify the terms of any contract.

    this https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_s

  • Thanks for the update.

    I’d updated most of my rpms to CentOS 5.9. I’d even updated openssl to openssl-0.9.8e-22.el5_8.4 (though the latest version is now openssl-0.9.8e-26.el5_9.1). My concern is that even upgrading openssl to version openssl-0.9.8e-26.el5_9.1 might not solve my problem. This is because the fix for the vulnerability “SSL/TLS Renegotiation Handshakes MiTM Plaintext Data Injection” was backported to openssl-0.9.8e-12.el5_4.6 as per the article:

    https://access.redhat.com/site/articles/20490#Updates_adding_RFC_5746_support

    In the link https://access.redhat.com/security/updates/backporting/?sc_cid093 you shared, I found “some security scanning and auditing tools make decisions about vulnerabilities based solely on the version number of components they find. This results in false positives as the tools do not take into account backported security fixes.”

    This might be the reason for the reported vulnerability. Or there might be some configuration changes that I need to make on my server, but I’m not sure of that.

  • On 08.08.2013 09:04, Anumeha Prasad wrote:

    Sorry to say, but so far you fail to clearly understand that a tool like Nessus just looks at the version tag it can get. It cannot see that the fix backported by Red Hat is incorporated into an openssl release which does not have this fix upstream at the same version.

    That’s why Stephen earlier said “Don’t trust Nessus scans”. But you can trust what Red Hat publishes in their errata reports and CVE database.

    Alexander

  • I understood when Stephen said “Don’t trust Nessus scans”, as I had also mentioned in this thread. It’s just that someone also mentioned in this thread that “Nessus should not in general be ignored”. I simply wanted to double-check that before arriving at a conclusion.

    Thanks
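The check the thread converges on is to verify the backported fix by behaviour and by the package changelog rather than by the version string Nessus keys on. The script below is an added example and is not part of the thread or of any Red Hat or CentOS tooling. It assumes the target is reachable with the locally installed `openssl s_client`, that a fixed package's `rpm -q --changelog openssl` mentions the renegotiation fix, and it uses CVE-2009-3555, the identifier for this renegotiation issue, which the thread itself does not name. The sample transcripts and changelog lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify RFC 5746 secure renegotiation
# support from observed behaviour and from the rpm changelog, not from the
# version number of the openssl package.
# Assumptions: the host is reachable with the local openssl s_client, and the
# changelog of a fixed package mentions "renegotiation" or CVE-2009-3555.

# Succeeds when an `openssl s_client` transcript shows that the server
# negotiated the RFC 5746 renegotiation_info extension.
has_secure_reneg() {
    printf '%s\n' "$1" | grep -q 'Secure Renegotiation IS supported'
}

# Succeeds when an rpm changelog mentions the backported renegotiation fix
# (the wording is an assumption; match loosely on either identifier).
changelog_has_fix() {
    printf '%s\n' "$1" | grep -Eiq 'CVE-2009-3555|renegotiation'
}

# Live check of one host:port using the locally installed openssl client.
# The client itself must be an RFC 5746-aware build (a patched 0.9.8e is),
# otherwise no "Secure Renegotiation" line is printed at all.
check_server() {
    transcript=$(printf 'Q\n' | openssl s_client -connect "$1" 2>/dev/null)
    if has_secure_reneg "$transcript"; then
        echo "$1: RFC 5746 secure renegotiation supported"
    else
        echo "$1: no RFC 5746 support reported"
        return 1
    fi
}

# Live check of the installed openssl package via its changelog.
check_package() {
    changelog_has_fix "$(rpm -q --changelog openssl 2>/dev/null)"
}

# Constructed sample transcripts, standing in for real s_client output.
OLD_TRANSCRIPT='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
Secure Renegotiation IS NOT supported'

FIXED_TRANSCRIPT='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
Secure Renegotiation IS supported'

# Constructed sample changelog entries (wording is illustrative).
OLD_CHANGELOG='- rebuild for new release'
FIXED_CHANGELOG='- fix CVE-2009-3555 - add RFC 5746 secure renegotiation support'

# Usage: sh check_reneg.sh host:443   (runs the live server check)
if [ $# -gt 0 ]; then
    check_server "$1"
fi
```

Two caveats when reading the result: "Secure Renegotiation IS NOT supported" only says the extension was not negotiated, so a server that has renegotiation disabled entirely also prints it and is not exploitable even though the line looks bad; and the check must be run from a host whose own openssl client understands RFC 5746, since an unpatched client prints nothing about renegotiation either way. When the transcript shows the extension and the changelog carries the backported fix, the Nessus finding is the version-string false positive described in the Red Hat backporting article linked above.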
