KB Article #67672
OpenSSL CVE-2010-4180 effects on VA server
-- OpenSSL Security Advisory [2 December 2010]
-- CVE-2010-4180
From http://openssl.org/news/secadv_20101202.txt:
A flaw has been found in the OpenSSL SSL/TLS server code where an old bug
workaround allows malicious clients to modify the stored session cache
ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one
on subsequent connections.[sic]
Resolution
From http://openssl.org/news/secadv_20101202.txt:
Users of OpenSSL 0.9.8j or later who do not enable weak ciphersuites are
still vulnerable but the bug has no security implications as the attacker can
only change from one strong ciphersuite to another.[sic]
OpenSSL dependencies in VA server are periodically updated, but customers can take the following steps to mitigate the vulnerability immediately.
VA servers have two components that provide SSL functionality. For the validation service, the settings are controlled via the Admin UI under Server Settings->Cipher Suites. Please apply the necessary changes if your server URLs, as defined in Server Settings->Server URLs, are set with the "Use SSL" option.
The SSL options of the Admin UI service, however, are not configurable via the Admin UI itself. To satisfy the condition in the statement above, please upgrade your VA servers to the versions listed below (the minimum upgrade path that updates OpenSSL to a version after 0.9.8j is provided):
a) 4.11 - upgrade to 4.11 SP1 and apply the strong security options for SSL/TLS protocol as described in the VA411ServicePack1Readme.txt file
b) 4.10.6 - upgrade to 4.10.6 SP1 and apply the strong security options for SSL/TLS protocol as described in the VA4106ServicePack1Readme.txt file
c) 4.10.5 - Windows users (32- and 64-bit builds) could upgrade to 4.10.5 HF5; Linux and Solaris users should upgrade to 4.10.6 SP1 and follow b). However, it is recommended to upgrade to 4.10.6 SP1 even on Windows.
d) 4.10 - Users should upgrade to 4.10.6 SP1 and follow b)
e) 4.9 - Users of 32-bit builds on Windows, Linux and Solaris could upgrade to 4.9 HF12 and apply the manual hardening described below. Users of 64-bit versions should upgrade to 4.10.6 SP1 and follow b)
Instructions to apply strong security options for SSL/TLS protocol:
1. Place the following directives in the httpd.conf file under the SSL section:
SSLProtocol -ALL +TLSv1 +SSLv3
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
2. Start the VA Admin server using the services panel or apachectl control script.
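To confirm the hardening was applied, the following added example (not part of the original article or the product) scans httpd.conf text for active SSLCipherSuite directives and reports any that do not permanently exclude the weak classes with "!", as the directive above does. The sample configuration, the function names and the conservative rule of requiring an explicit "!" for each class are assumptions made for this example.

```python
import re

# Classes the article's SSLCipherSuite removes with "!" (permanent removal in
# OpenSSL cipher-string syntax). Aliases: NULL = eNULL, EXPORT = EXP.
WEAK = {"aNULL": {"aNULL"}, "eNULL": {"eNULL", "NULL"},
        "LOW": {"LOW"}, "EXP": {"EXP", "EXPORT"}}

DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(.+?)\s*$", re.IGNORECASE)


def cipher_directives(conf_text):
    """Return (line_number, cipher_string) for each active SSLCipherSuite."""
    found = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # commented-out directive
            continue
        match = DIRECTIVE.match(line)
        if match:
            found.append((number, match.group(1).strip("\"'")))
    return found


def missing_exclusions(cipher_string):
    """Weak classes that the string does not remove with '!'."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string) if t]
    banned = {t[1:] for t in tokens if t.startswith("!")}
    return sorted(name for name, aliases in WEAK.items()
                  if not aliases & banned)


def audit(conf_text):
    """Map line number -> missing exclusions, for directives with gaps."""
    return {n: gaps for n, s in cipher_directives(conf_text)
            if (gaps := missing_exclusions(s))}


# Constructed sample: first vhost uses the article's directive, second does not.
SAMPLE_CONF = """\
<VirtualHost *:443>
SSLProtocol -ALL +TLSv1 +SSLv3
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
</VirtualHost>
<VirtualHost *:8443>
# SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, gaps in audit(SAMPLE_CONF).items():
        print(f"line {line_no}: does not exclude {', '.join(gaps)}")
```

This is a textual check of the directive only; running `openssl ciphers -v` with the same string on the server lists what the installed OpenSSL build actually expands it to.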