Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > November 2005 > SCO Security Advisory - UnixWare 7.1.3 UnixWare 7.1.4 : OpenSSL Potential SSL 2.0 Rollback Vulnerability

November 2005

SCO Security Advisory - UnixWare 7.1.3 UnixWare 7.1.4 : OpenSSL Potential SSL 2.0 Rollback Vulnerability

ID: 01031
Ref: 968/2005
Date: 18 November 2005:13:43:57
Version: 1
Title: SCO Security Advisory - UnixWare 7.1.3 UnixWare 7.1.4 : OpenSSL Potential SSL 2.0 Rollback Vulnerability
Abstract: A vulnerability has been found in OpenSSL which potentially affects applications that use the SSL/TLS server implementation provided by OpenSSL.
Vendors affected: SCO
Operating systems affected: SCO
Applications affected: SCO
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SCO Security Advisory

Subject: UnixWare 7.1.3 UnixWare 7.1.4 : OpenSSL Potential SSL 2.0 Rollback Vulnerability
Advisory number: SCOSA-2005.48
Issue date: 2005 November 15
Cross reference: fz533160
CVE-2005-2969
______________________________________________________________________________


1. Problem Description

A vulnerability has been found in OpenSSL which potentially
affects applications that use the SSL/TLS server implementation
provided by OpenSSL.

Such applications are affected if they use the option
SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of
SSL_OP_ALL, which is intended to work around various bugs in
third-party software that might prevent interoperability. The
SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification
step in the SSL 2.0 server supposed to prevent active
protocol-version rollback attacks. With this verification step
disabled, an attacker acting as a "man in the middle" can force
a client and a server to negotiate the SSL 2.0 protocol even if
these parties both support SSL 3.0 or TLS 1.0. The SSL 2.0
protocol is known to have severe cryptographic weaknesses and is
supported as a fallback only.

Applications using neither SSL_OP_MSIE_SSLV2_RSA_PADDING nor
SSL_OP_ALL are not affected. Also, applications that disable
use of SSL 2.0 are not affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-2969 to this issue.


2. Vulnerable Supported Versions

System Binaries
----------------------------------------------------------------------
UnixWare 7.1.3 All earlier OpenSSL distributions
UnixWare 7.1.4 All earlier OpenSSL distributions


3. Solution

The proper solution is to install the latest packages.


4. UnixWare 7.1.3

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.48


4.2 Verification

MD5 (openssl-0.9.7i.image) = 528a4e250fe58da796bf17c71b46c48b

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download openssl-0.9.7i.image to the /var/spool/pkg directory.

# pkgadd -d /var/spool/pkg/openssl-0.9.7i.image


5. UnixWare 7.1.4

5.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.48


5.2 Verification

MD5 (openssl-0.9.7i.image) = 528a4e250fe58da796bf17c71b46c48b

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download openssl-0.9.7i.image to the /var/spool/pkg directory.

# pkgadd -d /var/spool/pkg/openssl-0.9.7i.image


6. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969
http://www.openssl.org/news/secadv_20051011.txt

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents fz533160.


7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)

iD8DBQFDeivIaqoBO7ipriERApy+AJ9R0xNIZA4uHFvKZOmxiir77ZIFhQCggUyy
ATHvbNOkKn7sYBLOkLK1wBg=
=AX7f
- -----END PGP SIGNATURE-----
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |