openssl upgrade CVE-2020-1967

[Joseph Reynolds]

On 5/7/20 2:43 AM, chunhui.jia wrote:
> Brad,
> There is a CVE reported in openSSL 1.1.1d (used by current openbmc).  
> Severity is high.
>
> CVE-2020-1967 <https://nvd.nist.gov/vuln/detail/CVE-2020-1967> 
> https://nvd.nist.gov/vuln/detail/CVE-2020-1967
> Server or client applications that call the SSL_check_chain() function 
> during or after a TLS 1.3 handshake may crash due to a NULL pointer 
> dereference as a result of incorrect handling of the 
> "signature_algorithms_cert" TLS extension. The crash occurs if an 
> invalid or unrecognised signature algorithm is received from the peer. 
> This could be exploited by a malicious peer in a Denial of Service 
> attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by 
> this issue. This issue did not affect OpenSSL versions prior to 
> 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).
>

Thanks for reporting this.  According to OpenBMC network security 
considerations [1], SSL (and specifically OpenSSL) is used in two 
places: the dropbear SSH server [2] and the BMCWeb HTTPS server [3].   I 
don't see any references to the defective function (SSL_check_chain) in 
those code bases or in any other OpenBMC code. I've CC'd the BMCWeb 
maintainers to help check this.  If that is all true, the OpenBMC is not 
affected.

I believe Brad plans to update OpenBMC to the Yocto Dunfell 3.1 release 
[4] which does use OpenSSL 1.1.1g [5].

- Joseph

[1]: 
https://github.com/openbmc/docs/blob/master/security/network-security-considerations.md
[2]: https://github.com/mkj/dropbear
[3]: https://github.com/openbmc/bmcweb
[4]: https://wiki.yoctoproject.org/wiki/Releases
[5]: 
https://git.yoctoproject.org/cgit/cgit.cgi/poky/tree/meta/recipes-connectivity/openssl?h=dunfell

> It is fixed in 1.1.1g.  Upstream recipe already point openssl to 
> latest version (1.1.1g).
> https://git.yoctoproject.org/cgit.cgi/poky/plain/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
> Will you update poky subtree to latest?