OpenSSL security issue affecting Bro

Hello,

The OpenSSL Project today published a security advisory that affects
users of Bro who are using the X.509 certificate validation functionality
of Bro. Note that this functionality is not enabled by default; typically
it is enabled by loading either the policy script
protocols/ssl/validate-certs.bro or protocols/ssl/validate-ocsp.bro.

The OpenSSL bug can cause a null-pointer exception when parsing certain
malformed X.509 certificates and can potentially be used for DoS attacks.

The issue affects OpenSSL 1.0.1 and 1.0.2 and was fixed in OpenSSL 1.0.1q
and 1.0.2e respectively. If you use Bro and perform certificate
validation, you should update as soon as possible.

The original OpenSSL security advisory is available at
https://www.openssl.org/news/secadv/20151203.txt. It also contains a few
other issues that are not directly applicable to Bro.

Johanna

I think the main distros are not ready yet! Just got:
jessie/main openssl amd64 1.0.1k-3+deb8u1
q is still in testing.

Hi Daniel,

Hello,

we just posted an updated blog post describing the problem to
http://blog.bro.org/2015/12/openssl-security-issue-affecting-bro.html.

Please note that, different from the original description, default
installations of Bro that use broctl are vulnerable; a quick fix is to not
load protocols/ssl/validate-certs.bro in local.bro.

The blog post also contains instructions on how to test if your local
openssl installation is vulnerable.

Johanna
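The two things an operator has to establish after reading the announcement above and the follow-up are (a) whether the local OpenSSL is an upstream 1.0.1/1.0.2 release older than the fixed 1.0.1q / 1.0.2e, and (b) whether local.bro actually loads one of the two scripts that hand certificate chains to OpenSSL. The script below is an added example written for this page; it is not code from the Bro project, from OpenSSL, or from the blog post linked above, and it does not reproduce the blog post's own test. It assumes the Bro `@load protocols/ssl/validate-certs` / `@load protocols/ssl/validate-ocsp` directive syntax, the version ranges stated in the message, and a constructed local.bro whose lines are an assumption, not a file shipped by Bro.

```sh
#!/bin/sh
# Added example, not from the Bro project, the OpenSSL advisory or the thread.
# Two screening checks for the issue described in the announcement:
#   1. is the local OpenSSL an upstream 1.0.1/1.0.2 release older than the
#      fixed versions 1.0.1q / 1.0.2e named in the advisory?
#   2. does local.bro load one of the two scripts that turn on certificate
#      validation (validate-certs / validate-ocsp)?
LC_ALL=C
export LC_ALL

# openssl_version_vulnerable VERSION
# Exit 0 (true) when VERSION is on the 1.0.1 branch before 1.0.1q or on the
# 1.0.2 branch before 1.0.2e, i.e. an upstream release still carrying the bug.
# Anything else (1.0.0, 0.9.8, 1.0.1q+, 1.0.2e+, 1.1.x) exits 1. Note that a
# distribution string such as 1.0.1k-3+deb8u1 is judged by its upstream part
# only; the package may carry a backported fix that this check cannot see.
openssl_version_vulnerable() {
    case "$1" in
        1.0.1|1.0.1[a-p]*) return 0 ;;   # 1.0.1 .. 1.0.1p
        1.0.2|1.0.2[a-d]*) return 0 ;;   # 1.0.2 .. 1.0.2d
        *) return 1 ;;
    esac
}

# openssl_banner_vulnerable "OpenSSL 1.0.1k 8 Jan 2015"
# Same check applied to the first line printed by `openssl version`.
openssl_banner_vulnerable() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    openssl_version_vulnerable "$ver"
}

# bro_loads_cert_validation FILE
# Exit 0 when FILE (a local.bro) contains an active, uncommented
#   @load protocols/ssl/validate-certs   or   @load protocols/ssl/validate-ocsp
# line. A leading '#' comments the line out in Bro, so "# @load ..." does not
# count; the ".bro" suffix and a trailing comment are optional.
bro_loads_cert_validation() {
    grep -Eq '^[[:space:]]*@load[[:space:]]+protocols/ssl/validate-(certs|ocsp)(\.bro)?[[:space:]]*(#.*)?$' "$1"
}

# bro_disable_cert_validation IN OUT
# Writes OUT as a copy of IN with both @load lines commented out: the "quick
# fix" from the follow-up. Bro keeps parsing TLS and logging certificates,
# it just stops passing chains to OpenSSL's verifier.
bro_disable_cert_validation() {
    sed -E 's,^([[:space:]]*)(@load[[:space:]]+protocols/ssl/validate-(certs|ocsp)),\1# \2,' "$1" > "$2"
}

# Demo on a constructed local.bro (the lines below are an assumption made for
# this example, not a file shipped by Bro).
tmp=$(mktemp -d)
cat > "$tmp/local.bro" <<'EOF'
@load misc/loaded-scripts
@load tuning/defaults
# Enable SSL/TLS certificate validation.
@load protocols/ssl/validate-certs
@load protocols/ssl/log-hostcerts-only
EOF

if bro_loads_cert_validation "$tmp/local.bro"; then
    echo "local.bro loads certificate validation: OpenSSL's X.509 verifier is exposed"
fi
bro_disable_cert_validation "$tmp/local.bro" "$tmp/local.bro.fixed"
if ! bro_loads_cert_validation "$tmp/local.bro.fixed"; then
    echo "after the quick fix: certificate validation is no longer loaded"
fi

for v in 1.0.1k 1.0.1q 1.0.2d 1.0.2e 1.0.0t 1.0.1k-3+deb8u1; do
    if openssl_version_vulnerable "$v"; then
        echo "$v: upstream version predates the fix"
    else
        echo "$v: fixed or not an affected branch"
    fi
done

# Live check against the OpenSSL binary on PATH, if there is one.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version 2>/dev/null | head -n 1)
    if openssl_banner_vulnerable "$banner"; then
        echo "local OpenSSL ($banner) predates the fix by version number"
    else
        echo "local OpenSSL ($banner) is not a vulnerable upstream version"
    fi
fi
rm -rf "$tmp"
```

The version check is only a first screen. As the jessie example earlier in the thread shows, distribution packages keep the upstream letter (1.0.1k) and ship fixes as package revisions, so a "predates the fix" result on a packaged OpenSSL means "check the package changelog or the distribution's advisory", not "definitely vulnerable". The local.bro check is the more decisive one: if neither validate script is loaded, Bro never calls into OpenSSL's certificate verifier on the affected path, whatever version is installed.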

Hi Johanna,

My latest docker project has been fixed for this. I tried your test before
and after the update and can confirm it works on Debian.

Thanx