Re: Re: openssl upgrade CVE-2020-1967

From: "chunhui.jia" <chunhui.jia@linux.intel.com>
To: "Joseph Reynolds" <jrey@linux.ibm.com>,
	"Brad Bishop" <bradleyb@fuzziesquirrel.com>
Cc: "Bills, Jason M" <jason.m.bills@linux.intel.com>,
	"Vernon Mauery" <vernon.mauery@linux.intel.com>,
	"openbmc@lists.ozlabs.org" <openbmc@lists.ozlabs.org>,
	"James Feist" <james.feist@linux.intel.com>
Subject: Re:  Re: openssl upgrade CVE-2020-1967
Date: Fri, 08 May 2020 08:27:57 +0800	[thread overview]
Message-ID: <5EB4A78A.1080704@linux.intel.com> (raw)
In-Reply-To: <691f8cf6-f448-5df3-8200-8ee864f78bc7@linux.ibm.com>

[-- Attachment #1: Type: text/plain, Size: 2552 bytes --]

Thanks Joseph.

2020-05-08 

chunhui.jia 

发件人：Joseph Reynolds <jrey@linux.ibm.com>
发送时间：2020-05-08 00:54
主题：Re: openssl upgrade CVE-2020-1967
收件人："chunhui.jia"<chunhui.jia@linux.intel.com>,"Brad Bishop"<bradleyb@fuzziesquirrel.com>
抄送："Bills, Jason M"<jason.m.bills@linux.intel.com>,"Vernon Mauery"<vernon.mauery@linux.intel.com>,"openbmc@lists.ozlabs.org"<openbmc@lists.ozlabs.org>,"James Feist"<james.feist@linux.intel.com>

On 5/7/20 2:43 AM, chunhui.jia wrote: 
> Brad, 
> There is a CVE reported in openSSL 1.1.1d (used by current openbmc).   
> Severity is high. 
> 
> CVE-2020-1967 <https://nvd.nist.gov/vuln/detail/CVE-2020-1967>  
> https://nvd.nist.gov/vuln/detail/CVE-2020-1967 
> Server or client applications that call the SSL_check_chain() function  
> during or after a TLS 1.3 handshake may crash due to a NULL pointer  
> dereference as a result of incorrect handling of the  
> "signature_algorithms_cert" TLS extension. The crash occurs if an  
> invalid or unrecognised signature algorithm is received from the peer.  
> This could be exploited by a malicious peer in a Denial of Service  
> attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by  
> this issue. This issue did not affect OpenSSL versions prior to  
> 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f). 
> 

Thanks for reporting this.  According to OpenBMC network security  
considerations [1], SSL (and specifically OpenSSL) is used in two  
places: the dropbear SSH server [2] and the BMCWeb HTTPS server [3].   I  
don't see any references to the defective function (SSL_check_chain) in  
those code bases or in any other OpenBMC code. I've CC'd the BMCWeb  
maintainers to help check this.  If that is all true, the OpenBMC is not  
affected. 

I believe Brad plans to update OpenBMC to the Yocto Dunfell 3.1 release  
[4] which does use OpenSSL 1.1.1g [5]. 

- Joseph 

[1]:  
https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md 
[2]: https://github.com/mkj/dropbear 
[3]: https://github.com/openbmc/bmcweb 
[4]: https://wiki.yoctoproject.org/wiki/Releases 
[5]:  
https://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl?h=dunfell 

> It is fixed in 1.1.1g.  Upstream recipe already point openssl to  
> latest version (1.1.1g). 
> https://git.yoctoproject.org/cgit.cgi/poky/plain/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb 
> Will you update poky subtree to latest? 

[-- Attachment #2: Type: text/html, Size: 6101 bytes --]