[sisyphus] OpenSSL overflow

Slava Dubrovskiy slava на tangramltd.com
Пн Май 25 16:56:31 MSD 2009


Здравствуйте

Использую бранч 5.0
Банк требует прохождение сервером теста https://www.hackerguardian.com

При тестировании получаю:


Security hole found on port/service "https (443/tcp)"

     Plugin      "OpenSSL overflow (generic test)"

     Category      "Gain a shell remotely "

     Priority      "Medium Priority "The remote host seems to be using a 
version of OpenSSL which is older than 0.9.6e or 0.9.7-beta3  This 
version is vulnerable to a buffer overflow which, may allow an attacker 
to obtain a shell on this host.  *** Note that since safe checks are 
enabled, this check  *** might be fooled by non-openssl implementations 
and *** produce a false positive. *** In doubt, re-execute the scan 
without the safe checks

        Solution : Upgrade to version 0.9.6e (0.9.7beta3) or newer

        Risk factor : High

    CVE:     CVE-2002-0656     
http://cgi.nessus.org/cve.php3?cve=CVE-2002-0656
     CVE-2002-0655     http://cgi.nessus.org/cve.php3?cve=CVE-2002-0655
     CVE-2002-0657     http://cgi.nessus.org/cve.php3?cve=CVE-2002-0657
     CVE-2002-0659     http://cgi.nessus.org/cve.php3?cve=CVE-2002-0659
     CVE-2001-1141     http://cgi.nessus.org/cve.php3?cve=CVE-2001-1141
     BID : 3004, 5361, 5362, 5363, 5364, 5366 Other references : 
IAVA:2002-a-0004, OSVDB:853, OSVDB:857, OSVDB:3940, OSVDB:3941, 
OSVDB:3942, OSVDB:3943, SuSE:SUSE-SA:2002:033


Естественно что на сервере:

# rpm -qa | grep -i ssl
libssl7-0.9.8j-alt1
openssl-0.9.8j-alt1


Вопрос: Это ошибка теста, или эта уязвимость действительно существует?
Как проверить и доказать что уязвимости нет?

-- 
WBR,
Dubrovskiy Vyacheslav

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3262 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.altlinux.org/pipermail/sisyphus/attachments/20090525/bd742866/attachment.bin>


Подробная информация о списке рассылки Sisyphus