Stonesoft Corp. Security Advisory

Date: July 31st, 2002
Title: OpenSSL Vulnerability
Refs:
CVE candidate: CAN-2002-0655 CAN-2002-0656 CAN-2002-0657
Cert: CA-2002-23
Debian: DSA-136-1


The information contained in this advisory is provided on an as-is basis. Stonesoft does not make any warranties of any kind with respect to the information contained in this advisory. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL STONESOFT, CORP. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS ADVISORY.

If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.


1. Overview

The OpenSSL team announced on 30th July 2002 that OpenSSL versions 0.9.6d and earlier contain potentially exploitable remote buffer overflow vulnerabilities. On the same day OpenSSL 0.9.6e was released, which fixes those potential vulnerabilities.

2. StoneGate

StoneGate firewall engines use the OpenSSL library for their management connections. However, in StoneGate these connections only use the TLS part of the OpenSSL libraries. The OpenSSL advisory suggests that the most severe problems are in the SSLv2 and SSLv3 protocols. Because Stonesoft wants to ensure the best possible security for its customers, a patch that updates the OpenSSL libraries to the fixed versions is made available.

All StoneGate engine versions up to and including 1.7.3 are potentially vulnerable. A patch that fixes this potential vulnerability is made available for StoneGate engine versions 1.x.

To obtain and install the patch:

1. Go to ftp://ftp.stonesoft.com/web/Support/StoneGate/Patches/1.7/

2. For Intel platforms, download the package ssl-patch.stonegate-1.7-i386.deb.
   For Sparc platforms, download the package ssl-patch.stonegate-1.7-sparc.deb.

   This patch is applicable to all StoneGate engine 1.x versions.

3. Transfer the package file to the firewall nodes.

4. On a command line as root on each node, run
   dpkg -i ssl-patch.stonegate-1.7-i386.deb (for Intel platforms) or
   dpkg -i ssl-patch.stonegate-1.7-sparc.deb (for Sparc platforms).

5. Reboot the machine.
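The following script is an added example, not a Stonesoft tool: it automates steps 2 to 5 on a single node by picking the package name from the advisory that matches the node's CPU architecture, checking that the file has actually been transferred, and only then calling dpkg. The staging directory (default /root) and the architecture-to-package mapping beyond the two names the advisory lists (i486/i586/i686 treated as Intel, sparc64 as Sparc) are assumptions.

```shell
#!/bin/sh
# Added example (not Stonesoft's own tooling): install the StoneGate 1.x
# OpenSSL patch package that matches this node's architecture.
# Package file names are the ones given in the advisory; the staging
# directory is an assumed location where the .deb was transferred to.

# Map an architecture string (dpkg --print-architecture or uname -m) to
# the advisory's package file name. Prints the name; returns 1 for
# platforms the advisory provides no package for.
select_patch_package() {
    case "$1" in
        i386|i486|i586|i686) echo "ssl-patch.stonegate-1.7-i386.deb" ;;
        sparc|sparc64)       echo "ssl-patch.stonegate-1.7-sparc.deb" ;;
        *)                   return 1 ;;
    esac
}

# Install the patch on this node: detect the architecture, verify the
# package file is present in the staging directory, install it as root
# with dpkg, then remind the operator that a reboot is required (step 5).
install_ssl_patch() {
    patch_dir="${1:-/root}"   # assumed staging directory
    arch="$(dpkg --print-architecture 2>/dev/null || uname -m)"
    pkg="$(select_patch_package "$arch")" || {
        echo "no StoneGate ssl-patch package for platform: $arch" >&2
        return 1
    }
    if [ ! -f "$patch_dir/$pkg" ]; then
        echo "$pkg not found in $patch_dir; transfer it to the node first" >&2
        return 1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "dpkg -i must be run as root" >&2
        return 1
    fi
    dpkg -i "$patch_dir/$pkg" || return 1
    echo "patch $pkg installed; reboot this node to load the updated OpenSSL libraries"
}

# Run directly on a node: sh install-ssl-patch.sh [staging-dir]
[ "${0##*/}" = "install-ssl-patch.sh" ] && install_ssl_patch "$@"
```

Run it on each firewall node after the package has been transferred there; the script refuses to continue if the architecture is not one the advisory ships a package for, so a Sparc package is never installed on an Intel node by mistake.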

The StoneGate management system is not affected by the potential vulnerability described above, because StoneGate management uses a Java implementation of the SSL library.

3. StoneBeat

StoneBeat HA does not use OpenSSL.

All StoneBeat clustering products use SSLv3 for control connections.

All SSL-encrypted control communications are passed between the cluster nodes and the management system over the control network, on TCP port 3002.
Communication to the StoneBeat control ports should be limited to the minimum in a firewall rulebase, or by using a secure control interface
between the cluster nodes and the management system. A secure interface means a network which is not accessible from any network that can be considered a possible source of malicious operations.

There will be a patch for all products in a timely manner. The patches will be available at http://www.stonesoft.com/download/.

4. ServerCluster

ServerCluster uses SSLv3 for control connections.

All SSL-encrypted control communications are passed between the cluster nodes and the management system over the control network, on TCP port 3002.
Communication to the ServerCluster control ports should be limited to the minimum in a firewall rulebase, or by using a secure control interface
between the cluster nodes and the management system. A secure interface means a network which is not accessible from any network that can be considered a possible source of malicious operations.
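Both the StoneBeat and the ServerCluster sections above advise that TCP port 3002 be reachable only from the control network. The script below is an added example, not part of the advisory, for checking that this holds on a cluster node: it reads netstat-style connection lines and reports every peer that has reached port 3002 from an address outside the control network. The control network prefix (10.0.1.) and the sample connection lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Stonesoft tooling): detect control-port connections
# that come from outside the control network. The control network
# prefix and the sample netstat lines are constructed assumptions.

CONTROL_PORT=3002            # StoneBeat / ServerCluster control port
CONTROL_NET_PREFIX="10.0.1." # assumed control network, 10.0.1.0/24

# Constructed sample of "netstat -tn" style output: one legitimate
# management connection, one connection from an unexpected network,
# and an unrelated SSH session that must not be reported.
sample_netstat() {
    printf '%s\n' \
      'tcp        0      0 10.0.1.5:3002         10.0.1.7:40112          ESTABLISHED' \
      'tcp        0      0 10.0.1.5:3002         192.168.7.9:41234       ESTABLISHED' \
      'tcp        0      0 10.0.1.5:22           172.16.0.4:50000        ESTABLISHED'
}

# Reads netstat-style lines on stdin and prints, once each, the peer
# addresses connected to the control port from outside CONTROL_NET_PREFIX.
# Only TCP lines are considered; column 4 is the local address:port and
# column 5 the peer address:port.
find_foreign_control_peers() {
    awk -v port="$CONTROL_PORT" -v net="$CONTROL_NET_PREFIX" '
        $1 == "tcp" {
            split($4, local, ":")
            split($5, peer, ":")
            # index() == 1 means the peer address starts with the prefix
            if (local[2] == port && index(peer[1], net) != 1) print peer[1]
        }' | sort -u
}

# Audit a live node: netstat -tn | find_foreign_control_peers
# Demonstration on the constructed sample (expected to list 192.168.7.9):
[ "${0##*/}" = "check-control-port.sh" ] && sample_netstat | find_foreign_control_peers
```

Any address the function prints is a connection to the control port that the firewall rulebase or the secure control interface should have prevented, and is worth investigating together with the rulebase that allowed it.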

There will be a patch for all products in a timely manner. The patches will be available at http://www.stonesoft.com/download/.

5. Appendices

Stonesoft Security Analysis Group's PGP key is available at:
ftp://download.stonesoft.com/web/Support/Stonesoft Security Alert.asc

To report or inquire about a security problem with Stonesoft software, contact one or more of the following:

* Stonesoft support
* Stonesoft Security Analysis Group. Send email to: security-alert@stonesoft.com

Copyright 2002 Stonesoft, Corp. All rights reserved.

Stonesoft, StoneGate and StoneBeat are trademarks or registered trademarks of Stonesoft, Corp. in Finland and other countries. All other company and product names contained herein are property of their respective holders. This advisory may be reproduced and distributed only in its unaltered form and only for non-commercial purposes.