ClearOS Documentation

×

Warning

301 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


CVE 2018-0732

'During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).'

ClearCenter response

This issue affects ClearOS 7 and ClearOS 6.

Short response

The limit to this attack is that an attacker can cause the system to hang while a key is being generated. In a coordinated attack, this could be used to cause a denial of service. ClearCenter plans on implementing the upstream fix for this for ClearOS 7 once available upstream or if upstream is too slow in generating a timely repair and this exploit becomes weaponized. A fix for ClearOS 6 is not scheduled.

Long response

The limit to this attack is that an attacker can cause the system to hang while a key is being generated. In a coordinated attack, this could be used to cause a denial of service. ClearCenter plans on implementing the upstream fix for this for ClearOS 7 once available upstream or if upstream is too slow in generating a timely repair and this exploit becomes weaponized. A fix is known to exist in 'OpenSSL 1.1.0i-dev' and later. The production open source version was released on 11 Sep 2018 and is being evaluated for suitability at this time and should be available in a forthcoming patch. A fix for ClearOS 6 is not scheduled.

Resolution

The resolution to this problem for ClearOS 7 is pending. This will likely not be fixed in ClearOS 6.

For users of ClearOS 7, please monitor your servers and look for sudden increases in CPU load if you use TLS-based encryption on external-global ports. Block IP addresses involved in hung connections to public-facing IPs due to high, invoked openssl processes.

content/en_us/announcements_cve_cve-2018-0732.txt · Last modified: 2018/10/01 06:45 by dloper

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3Aannouncements_cve_cve-2018-0732&1558446663