OpenSSL SRTP Memory Leak and "POODLE" Vulnerability
ScaleArc is aware of the security vulnerability in OpenSSL titled SRTP Memory Leak identified on October 15, 2014. It has been determined that ScaleArc’s software appliance was not affected. However, the base operating system (OS) that ScaleArc utilizes is vulnerable and, like most Linux-based systems, needs to be patched as soon as possible. Please keep reading for additional information as well as detailed steps to check for the vulnerability and apply the update to your systems.
(From the Red Hat Security Blog)
Red Hat is aware of the vulnerability in CVE-2014-3566. A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure Real-time Transport Protocol (SRTP) extension data. A remote attacker could send multiple specially crafted handshake messages to exhaust all available memory of an SSL/TLS or DTLS server. The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
- NIST - National Vulnerability Database (CVE-2014-3566)
- RedHat CVE Database (CVE-2014-3513)
- US-CERT (notice)
Impact on your ScaleArc Deployment
DO NOT perform an update of the entire system. Instead, update ONLY the vulnerable "openssl" component (read further for details).
At this time, the ScaleArc Security Response Team (SRT) is not aware of any breaches to either our internal systems or any of our customers utilizing our software appliances. We do recommend that you take the following steps to secure your environment. Future build versions of the ScaleArc software will be deployed with this update already in place.
Initial Findings and Recommendation
We have found that the following simple command line test will safely demonstrate the vulnerability in your environment by checking whether a server still accepts an SSLv3 handshake:
openssl s_client -connect <server>:<port> -ssl3
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
An "sslv3 alert handshake failure" response like the one above means the server refused the SSLv3 handshake; if the connection instead completes, SSLv3 is still enabled on that server.
DO NOT perform an update of the entire system. Instead, update ONLY the vulnerable "openssl" component.
CentOS will be updating the yum repo in the next few days.
You can find the installed version of openssl with the following command:
# yum info openssl
You can update the vulnerable openssl component using the following command:
# yum update openssl -y
The OpenSSL branches affected by the vulnerability are: OpenSSL 1.0.1, 1.0.0, 0.9.8
After running "yum update openssl -y", the versions are, respectively: OpenSSL 1.0.1j, 1.0.0o, 0.9.8zc
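The following script is an added example (not ScaleArc's own tooling) that wraps the two checks above: it classifies the result of the s_client probe, and it compares an installed OpenSSL version string against the fixed releases named in this article (1.0.1j, 1.0.0o, 0.9.8zc). It assumes upstream version letters; distribution builds that backport fixes keep an older letter and must be judged by their package release instead.

```shell
#!/bin/sh
# Added example: interpret the SSLv3 probe and compare OpenSSL versions
# against the fixed releases listed in the advisory. Not ScaleArc's code.

# Fixed upstream release for each affected branch named in the advisory.
fixed_for_branch() {
    case "$1" in
        1.0.1) echo 1.0.1j ;;
        1.0.0) echo 1.0.0o ;;
        0.9.8) echo 0.9.8zc ;;
        *)     echo "" ;;
    esac
}

# OpenSSL letter suffixes sort as: "" < a < ... < z < za < zb < zc.
# Succeeds when suffix $1 is older than suffix $2.
suffix_older() {
    [ ${#1} -lt ${#2} ] && return 0
    [ ${#1} -gt ${#2} ] && return 1
    [ -n "$1" ] && expr "$1" \< "$2" >/dev/null
}

# Prints "fixed", "vulnerable" or "unknown" for a version such as "1.0.1e"
# or "1.0.1e-fips". Always exits 0 so it can be used under set -e.
openssl_fix_status() {
    v=${1%%-*}                 # drop "-fips"-style trailers
    branch=${v%%[a-z]*}        # "1.0.1e" -> "1.0.1"
    suffix=${v#"$branch"}      # "1.0.1e" -> "e"
    fixed=$(fixed_for_branch "$branch")
    if [ -z "$fixed" ]; then echo unknown
    elif suffix_older "$suffix" "${fixed#"$branch"}"; then echo vulnerable
    else echo fixed
    fi
}

# Runs the advisory's probe against host $1 port $2 and classifies the result:
# "refused"  - the sslv3 alert handshake failure shown above (SSLv3 disabled)
# "accepted" - an SSLv3 session was negotiated (server still offers SSLv3)
# "unknown"  - anything else (no answer, or a client built without SSLv3)
sslv3_status() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -ssl3 2>&1) || true
    case "$out" in
        *"handshake failure"*) echo refused ;;
        *"Protocol"*"SSLv3"*)  echo accepted ;;
        *)                     echo unknown ;;
    esac
}
```

Run `openssl_fix_status "$(openssl version | cut -d' ' -f2)"` on the appliance to classify the installed build, and `sslv3_status <server> <port>` to check a listener.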
If you have any questions specific to ScaleArc appliances, images, or other deployments, please contact ScaleArc Support directly using our Support Portal: https://support.scalearc.com
This article is also available here: http://support.scalearc.com/kb/articles/700-openssl-srtp-memory-leak-and-poodle-vulnerability