tnozaki / NetBSD / issues / #173 - [OpenSSL-1.0.2] TNF local patch - CVE-2017-3737 Read/write after SSL object in error state

Takehiko NOZAKI reporter

changed status to resolved

BUGFIX: Issue ~~#173~~ - CVE-2017-3737 Read/write after SSL object in error state

cherry-picked from OpenSSL-1_0_2-stable branch: https://github.com/openssl/openssl/commit/898fb884b706aaeb283de4812340bb0bde8476dc

original commit message:

Don't allow read/write after fatal error

OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer.

In order to exploit this issue an attacker would have to trick an application into behaving incorrectly by issuing an SSL_read()/SSL_write() after having already received a fatal error.

Thanks to David Benjamin (Google) for reporting this issue and suggesting this fix.

CVE-2017-3737

Reviewed-by: Rich Salz rsalz@openssl.org

→ <<cset b0f4be41ba42a7e3b16434657909a41446a3a58c>>

2019-07-09T08:51:14+00:00

Comments (2)

Takehiko NOZAKI reporter
fix in OpenSSL-1_0_2-stabled:

https://github.com/openssl/openssl/commit/898fb884b706aaeb283de4812340bb0bde8476dc
- 2019-07-09T08:21:35+00:00
Takehiko NOZAKI reporter
- changed status to resolved
BUGFIX: Issue ~~#173~~ - CVE-2017-3737 Read/write after SSL object in error state

cherry-picked from OpenSSL-1_0_2-stable branch: https://github.com/openssl/openssl/commit/898fb884b706aaeb283de4812340bb0bde8476dc

original commit message:

Don't allow read/write after fatal error

OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer.

In order to exploit this issue an attacker would have to trick an application into behaving incorrectly by issuing an SSL_read()/SSL_write() after having already received a fatal error.

Thanks to David Benjamin (Google) for reporting this issue and suggesting this fix.

CVE-2017-3737

Reviewed-by: Rich Salz rsalz@openssl.org

→ <<cset b0f4be41ba42a7e3b16434657909a41446a3a58c>>
- 2019-07-09T08:51:14+00:00
Log in to comment