* OpenBMC CVE issues in openssl
@ 2019-09-24  2:25 Wang, Kuiying
  2019-09-24  2:41 ` Brad Bishop
  0 siblings, 1 reply; 8+ messages in thread
From: Wang, Kuiying @ 2019-09-24  2:25 UTC (permalink / raw)
  To: openbmc; +Cc: Xu, Qiang, Jia, Chunhui, Brad Bishop, Mihm, James, Shi, Yilei


Hi Brad,
OpenSSL has already been upgraded to 1.1.1d, so please help sync to the latest version.
https://github.com/openembedded/openembedded-core/tree/master/meta/recipes-connectivity/openssl

Please let me know if you need me to submit a patch for this upgrade.

Thanks,
Kwin.

> Hi,
>
> Some OpenSSL vulnerabilities were found by a security scan on the latest OpenBMC,
> which is using OpenSSL 1.1.1c:
>
> CVE-2019-1549
> CVE-2019-1563
> CVE-2019-1547
>
> They are fixed in the latest OpenSSL version, 1.1.1d.
>
> Do we have a plan to upgrade OpenSSL soon?
>
> Thanks

I don't think 1.1.1d has landed upstream yet.  If you update oe-core to
1.1.1d I will pick it up once it lands there.

-brad




* Re: OpenBMC CVE issues in openssl
  2019-09-24  2:25 OpenBMC CVE issues in openssl Wang, Kuiying
@ 2019-09-24  2:41 ` Brad Bishop
  2019-09-24  2:48   ` Wang, Kuiying
  2020-05-07  7:43   ` openssl upgrade chunhui.jia
  0 siblings, 2 replies; 8+ messages in thread
From: Brad Bishop @ 2019-09-24  2:41 UTC (permalink / raw)
  To: Wang, Kuiying; +Cc: openbmc, Jia, Chunhui, Shi, Yilei, Mihm, James, Xu, Qiang

at 10:25 PM, Wang, Kuiying <kuiying.wang@intel.com> wrote:

> Hi Brad,
> OpenSSL has already been upgraded to 1.1.1d, so please help sync to the latest
> version.
> https://github.com/openembedded/openembedded-core/tree/master/meta/recipes-connectivity/openssl
>
> Please let me know if you need me to submit a patch for this upgrade.
>
> Thanks,
> Kwin.

Hi Kwin

I pushed a change last week that picks it up:  
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/25306

Something broke though, so that will need to get debugged before we can  
pick it up.  If you are able to help you could cherry-pick this change and  
do some builds and/or testing.

thanks!

-brad


* RE: OpenBMC CVE issues in openssl
  2019-09-24  2:41 ` Brad Bishop
@ 2019-09-24  2:48   ` Wang, Kuiying
  2019-09-24 11:11     ` Brad Bishop
  2020-05-07  7:43   ` openssl upgrade chunhui.jia
  1 sibling, 1 reply; 8+ messages in thread
From: Wang, Kuiying @ 2019-09-24  2:48 UTC (permalink / raw)
  To: Brad Bishop; +Cc: openbmc, Jia, Chunhui, Shi, Yilei, Mihm, James, Xu, Qiang

Hi Brad,
Ok sure.
I prefer to upgrade the OpenSSL-related parts separately first and then the others,
because I have an urgent requirement for the latest version to fix security issues. Do you agree with that?

That means I would submit another patch just to upgrade OpenSSL to 1.1.1d; is that acceptable?

Thanks,
Kwin.



* Re: OpenBMC CVE issues in openssl
  2019-09-24  2:48   ` Wang, Kuiying
@ 2019-09-24 11:11     ` Brad Bishop
  2019-09-25  1:22       ` Wang, Kuiying
  0 siblings, 1 reply; 8+ messages in thread
From: Brad Bishop @ 2019-09-24 11:11 UTC (permalink / raw)
  To: Wang, Kuiying; +Cc: openbmc, Jia, Chunhui, Shi, Yilei, Mihm, James, Xu, Qiang

at 10:48 PM, Wang, Kuiying <kuiying.wang@intel.com> wrote:

> Hi Brad,
> Ok sure.
> I prefer to upgrade the OpenSSL-related parts separately first and then the others,
> because I have an urgent requirement for the latest version to fix security
> issues. Do you agree with that?
>
> That means I would submit another patch just to upgrade OpenSSL to 1.1.1d; is
> that acceptable?

Hi Kwin

I merged 25306 this morning which contains 1.1.1d.

thx - brad


* RE: OpenBMC CVE issues in openssl
  2019-09-24 11:11     ` Brad Bishop
@ 2019-09-25  1:22       ` Wang, Kuiying
  0 siblings, 0 replies; 8+ messages in thread
From: Wang, Kuiying @ 2019-09-25  1:22 UTC (permalink / raw)
  To: Brad Bishop; +Cc: openbmc, Jia, Chunhui, Shi, Yilei, Mihm, James, Xu, Qiang

Hi Brad,
It's great. Thanks a lot.

Thanks,
Kwin.



* openssl upgrade
  2019-09-24  2:41 ` Brad Bishop
  2019-09-24  2:48   ` Wang, Kuiying
@ 2020-05-07  7:43   ` chunhui.jia
  2020-05-07 16:54     ` openssl upgrade CVE-2020-1967 Joseph Reynolds
  1 sibling, 1 reply; 8+ messages in thread
From: chunhui.jia @ 2020-05-07  7:43 UTC (permalink / raw)
  To: Brad Bishop; +Cc: openbmc


Brad,
There is a CVE reported in OpenSSL 1.1.1d (used by current OpenBMC). Severity is high.
CVE-2020-1967   https://nvd.nist.gov/vuln/detail/CVE-2020-1967

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).


It is fixed in 1.1.1g. The upstream recipe already points OpenSSL to the latest version (1.1.1g).
https://git.yoctoproject.org/cgit.cgi/poky/plain/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb

Will you update the poky subtree to the latest?



* Re: openssl upgrade CVE-2020-1967
  2020-05-07  7:43   ` openssl upgrade chunhui.jia
@ 2020-05-07 16:54     ` Joseph Reynolds
  2020-05-08  0:27       ` chunhui.jia
  0 siblings, 1 reply; 8+ messages in thread
From: Joseph Reynolds @ 2020-05-07 16:54 UTC (permalink / raw)
  To: chunhui.jia, Brad Bishop
  Cc: openbmc, James Feist, Vernon Mauery, Bills, Jason M

On 5/7/20 2:43 AM, chunhui.jia wrote:
> Brad,
> There is a CVE reported in openSSL 1.1.1d (used by current openbmc).  
> Severity is high.
>
> CVE-2020-1967 https://nvd.nist.gov/vuln/detail/CVE-2020-1967
> Server or client applications that call the SSL_check_chain() function 
> during or after a TLS 1.3 handshake may crash due to a NULL pointer 
> dereference as a result of incorrect handling of the 
> "signature_algorithms_cert" TLS extension. The crash occurs if an 
> invalid or unrecognised signature algorithm is received from the peer. 
> This could be exploited by a malicious peer in a Denial of Service 
> attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by 
> this issue. This issue did not affect OpenSSL versions prior to 
> 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).
>

Thanks for reporting this. According to OpenBMC network security
considerations [1], SSL (and specifically OpenSSL) is used in two
places: the dropbear SSH server [2] and the BMCWeb HTTPS server [3]. I
don't see any references to the defective function (SSL_check_chain) in
those code bases or in any other OpenBMC code. I've CC'd the BMCWeb
maintainers to help check this. If that is all true, OpenBMC is not
affected.

I believe Brad plans to update OpenBMC to the Yocto Dunfell 3.1 release 
[4] which does use OpenSSL 1.1.1g [5].

- Joseph

[1]: 
https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md
[2]: https://github.com/mkj/dropbear
[3]: https://github.com/openbmc/bmcweb
[4]: https://wiki.yoctoproject.org/wiki/Releases
[5]: 
https://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl?h=dunfell

> It is fixed in 1.1.1g. The upstream recipe already points OpenSSL to the
> latest version (1.1.1g).
> https://git.yoctoproject.org/cgit.cgi/poky/plain/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> Will you update poky subtree to latest?

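Joseph's assessment rests on two facts that can be checked mechanically: whether the build's OpenSSL version falls in the range the NVD text gives as affected (1.1.1d through 1.1.1f), and whether anything in the code bases actually calls SSL_check_chain(). The script below is an added example written for this page; it is not code from the thread, from OpenBMC or from the OpenSSL project. It assumes the `openssl_<version>.bb` recipe naming seen in the poky link above, and the file contents in its sample run are constructed, not real OpenBMC sources.

```python
"""Added example: decide whether a build is exposed to CVE-2020-1967.

Exposure needs BOTH conditions from the thread to hold:
  1. the OpenSSL version is in the affected range 1.1.1d..1.1.1f (NVD text), and
  2. some code in the tree references the defective function SSL_check_chain().
"""
import re
from pathlib import Path

AFFECTED_FIRST = "1.1.1d"   # from the NVD text quoted in the thread
AFFECTED_LAST = "1.1.1f"
DEFECTIVE_FUNC = "SSL_check_chain"
# '_' is a word character, so \b keeps SSL_check_chain_foo from matching.
_REF = re.compile(r"\b" + DEFECTIVE_FUNC + r"\b")


def parse_openssl_version(version):
    """Turn '1.1.1g' into a comparable tuple (1, 1, 1, 'g').

    The 1.1.1 series orders patch releases by a trailing letter; Python's
    string ordering ('' < 'a' < ... < 'z' < 'za') matches that scheme, and
    3.x versions (no letter) parse as well.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_affected_version(version):
    """True when version lies in the inclusive affected range."""
    v = parse_openssl_version(version)
    return parse_openssl_version(AFFECTED_FIRST) <= v <= parse_openssl_version(AFFECTED_LAST)


def version_from_recipe_name(recipe_name):
    """'openssl_1.1.1g.bb' -> '1.1.1g' (assumed poky recipe naming)."""
    m = re.fullmatch(r"openssl_([0-9]+(?:\.[0-9]+)*[a-z]*)\.bb", Path(recipe_name).name)
    if not m:
        raise ValueError(f"not an openssl recipe file name: {recipe_name!r}")
    return m.group(1)


def find_references(sources):
    """sources: iterable of (path, text). Return [(path, lineno, line)] for every
    line that mentions SSL_check_chain as a whole word."""
    hits = []
    for path, text in sources:
        for lineno, line in enumerate(text.splitlines(), start=1):
            if _REF.search(line):
                hits.append((path, lineno, line.strip()))
    return hits


def read_tree(root, suffixes=(".c", ".cc", ".cpp", ".h", ".hpp")):
    """Yield (path, text) for source files under root; decoding errors are
    ignored so a stray binary blob does not abort the scan."""
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            yield (str(p), p.read_text(encoding="utf-8", errors="ignore"))


def exposure_verdict(version, sources):
    """Return (exposed, detail). Exposed only if the version is affected AND
    at least one reference to the defective function exists."""
    affected = is_affected_version(version)
    hits = find_references(sources)
    return (affected and bool(hits),
            {"version_affected": affected, "references": hits})


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical paths and contents, not real OpenBMC code).
    sample = [
        ("bmcweb/http/server.cpp", "ctx.use_certificate_chain_file(path);\n"),
        ("vendor/tls_glue.c", "int r = SSL_check_chain(ssl, x509, pkey, chain);\n"),
    ]
    for recipe in ("openssl_1.1.1d.bb", "openssl_1.1.1g.bb"):
        exposed, detail = exposure_verdict(version_from_recipe_name(recipe), sample)
        print(recipe, "exposed" if exposed else "not exposed", detail)
    # For a real checkout: exposure_verdict("1.1.1d", read_tree("/path/to/openbmc"))
```

The verdict deliberately requires both conditions, which is the reasoning in the message above: an affected library version alone is not enough if no code path reaches SSL_check_chain(), and a caller alone is harmless on 1.1.1g. A text search is a first pass only; a reference inside a comment or a dead `#ifdef` branch would still be reported and needs a human look.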

* Re:  Re: openssl upgrade CVE-2020-1967
  2020-05-07 16:54     ` openssl upgrade CVE-2020-1967 Joseph Reynolds
@ 2020-05-08  0:27       ` chunhui.jia
  0 siblings, 0 replies; 8+ messages in thread
From: chunhui.jia @ 2020-05-08  0:27 UTC (permalink / raw)
  To: Joseph Reynolds, Brad Bishop
  Cc: Bills, Jason M, Vernon Mauery, openbmc, James Feist


Thanks Joseph.

2020-05-08 

chunhui.jia 



