OpenSSL, Sendmail and the LOGJAM Vulnerability

August 12, 2015

In my last blog, I wrote about keeping OpenSSL current via the webpacks. In part, that's because OpenSSL is something to blog about. Please note that there are really important CVEs to be patched in OpenSSL itself, but OpenSSL is not the only place TLS code lives on AIX: if you look at the recent Java patches, separate patches are needed to fix the following CVEs in the IBM Java SDK, Logjam among them:
 
(Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect AIX (CVE-2015-2638 CVE-2015-4733 CVE-2015-4732 CVE-2015-2590 CVE-2015-4731 CVE-2015-4760 CVE-2015-4736 CVE-2015-4748 CVE-2015-2664 CVE-2015-2632 CVE-2015-2637 CVE-2015-2619 CVE-2015-2621 CVE-2015-2613 CVE-2015-2601 CVE-2015-4749 CVE-2015-4729 CVE-2015-2625 CVE-2015-1931)
 
That list makes it obvious that a lot of software does not use the openssl.base fileset at all (Java carries its own TLS implementation), so patching openssl.base does not cover it. I have no idea what else is in that position, but for those at risk it's important. See ftp://aix.software.ibm.com/aix/efixes/security/java_july2015_advisory.asc for the full advisory.
 
More to the point, until today I was beginning to think that only AIX's packaging of openssh used the openssl.base library. But there is something else: sendmail, or more specifically the sendmail binary that supports STARTTLS (/usr/sbin/sendmail_ssl), depends on /usr/lib/libssl.a, which is normally supplied as one of the files in openssl.base.
 
The full advisory link is coming, but basically, this is about fixing sendmail so that it is not exposed to the so-called LOGJAM attack, the vulnerability in Diffie-Hellman ciphers (CVE-2015-4000).
 
This is fixed in OpenSSL, but only for applications linked against libssl.so.1.0.0 (or later) rather than against libssl.so.0.9.8, BECAUSE the OpenSSL 0.9.8 branch will never be able to support TLSv1.2. On AIX the binary records which member of the libssl.a archive it is bound to, so updating the openssl.base fileset alone does not help a binary that still asks for the 0.9.8 member; that is what the check below looks for.
 
Quick check for vulnerability
root@x071:[/home/michael]ldd /usr/sbin/sendmail_ssl  
/usr/sbin/sendmail_ssl needs:
         /usr/lib/libc.a(shr.o)
         /usr/lib/libpthreads.a(shr_xpg5.o)
         /usr/lib/libnsl.a(shr.o)
         /usr/lib/libssl.a(libssl.so.0.9.8)
         /usr/lib/libcrypto.a(libcrypto.so.0.9.8)
         /usr/lib/libsrc.a(shr.o)
         /unix
         /usr/lib/libcrypt.a(shr.o)
         /usr/lib/libpthreads.a(shr_comm.o)
         /usr/lib/libthread.a(shr.o)
         /usr/lib/libpthreads_compat.a(shr.o)
         /usr/lib/libtli.a(shr.o)
         /usr/lib/libodm.a(shr.o)
         /usr/lib/libpthreads.a(shr.o)
         /usr/lib/libc.a(pse.o)
 
If you see libssl.so.0.9.8 and libcrypto.so.0.9.8, you are at risk IF you have configured your system to use the STARTTLS feature. If you have not configured STARTTLS, you are not at risk from LOGJAM or any other crypto-related attack on sendmail, because all your mail is travelling "in the clear" anyway. Note that the library version is only part of the picture: Logjam is a downgrade to weak (export-grade or otherwise short) Diffie-Hellman groups, so a sendmail bound to a 1.0.x libssl is still exposed if its cipher list offers export DHE suites or it serves short DH parameters. The ldd check tells you whether the fix can apply at all; the sendmail TLS configuration decides whether it does.
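To turn the quick check above into something you can run across several binaries, here is a small POSIX shell script. It is an added example and not code from the original post or from IBM: only the ldd output format is taken from the post; the binary list, the classification names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's "quick
# check" to a list of binaries and report which ones are bound to the
# OpenSSL 0.9.8 member of /usr/lib/libssl.a.

# Print the libssl.a member a binary is bound to ("libssl.so.0.9.8",
# "libssl.so.1.0.0", ...) or "none" if the ldd output on stdin has no
# libssl reference at all. Pure text processing, so ldd output captured
# on an AIX host can be piped in from anywhere.
libssl_member() {
    awk '
        /\/libssl\.a\(/ {
            if (match($0, /\([^)]*\)/)) {
                print substr($0, RSTART + 1, RLENGTH - 2)
                found = 1
                exit
            }
        }
        END { if (!found) print "none" }
    '
}

# Classify one binary from its ldd output on stdin:
#   at-risk  bound to the 0.9.8 member (no TLSv1.2, no Logjam fix)
#   ok       bound to a 1.0.x or later member
#   no-tls   not linked against libssl at all
classify_ldd() {
    member=$(libssl_member)
    case "$member" in
        none)            echo "no-tls" ;;
        libssl.so.0.9.8) echo "at-risk" ;;
        *)               echo "ok" ;;
    esac
}

# Run the check on real binaries; paths that do not exist are reported
# and skipped. Usage: check_binaries /usr/sbin/sendmail_ssl /usr/sbin/sshd
check_binaries() {
    for bin in "$@"; do
        [ -x "$bin" ] || { echo "$bin: not found"; continue; }
        echo "$bin: $(ldd "$bin" 2>/dev/null | classify_ldd)"
    done
}

# Constructed samples in the ldd format shown in the post (not captured
# from a real system): one binary bound to 0.9.8, one bound to 1.0.0 and
# one with no libssl at all.
SAMPLE_098='/usr/sbin/sendmail_ssl needs:
         /usr/lib/libc.a(shr.o)
         /usr/lib/libssl.a(libssl.so.0.9.8)
         /usr/lib/libcrypto.a(libcrypto.so.0.9.8)
         /unix'
SAMPLE_100='/usr/sbin/sshd needs:
         /usr/lib/libc.a(shr.o)
         /usr/lib/libssl.a(libssl.so.1.0.0)
         /usr/lib/libcrypto.a(libcrypto.so.1.0.0)
         /unix'
SAMPLE_NONE='/usr/sbin/sendmail needs:
         /usr/lib/libc.a(shr.o)
         /unix'

# Demonstration on the constructed samples (needs no ldd):
printf '%s\n' "$SAMPLE_098"  | classify_ldd   # at-risk
printf '%s\n' "$SAMPLE_100"  | classify_ldd   # ok
printf '%s\n' "$SAMPLE_NONE" | classify_ldd   # no-tls
```

On a real AIX host, `check_binaries /usr/sbin/sendmail_ssl /usr/sbin/sshd` runs ldd for you; an "at-risk" result means the binary needs a rebuilt package, not just a newer openssl.base, and "ok" still leaves the STARTTLS cipher and DH configuration to be reviewed separately.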
 
So, if you're wondering about the security of sendmail and TLS on your system, check out the security advisory at:



 
