Re: IPS Signature for CVE-2017-3737

Olga_Kuts · ‎2018-08-16

Hello!

Is it planned to releaze an IPS signature for CVE-2017-3737?

G_W_Albrecht · ‎2018-08-16

I wonder why not just patch the OpenSSL version or the Debian Linux 9.0 ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Olga_Kuts · ‎2018-08-16

This is more logical) but the customer does not always understand this.

G_W_Albrecht · ‎2018-08-16

Yes, i know of such things .

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2018-08-16

As i have understood the CVE, some malicios app in the internet:

- starts an SSL handshake with the target OpenSSL

- fatal error will be returned in the initial function call by the target OpenSSL

- SSL_read()/SSL_write() is subsequently called by the malicios application for the same SSL object

- then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer

The possibilty for IPS is to either filter direct calls to SSL_read()/SSL_write() (this might lead to issues with software using them) or suppress the fatal error (also not a behaviour that is wanted).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

PhoneBoy · ‎2018-08-16

To the best of my knowledge, there isn't any information about how this particular issue can be exploited.

This makes it tough to develop an IPS signature for it.

G_W_Albrecht · ‎2018-08-17

CP has its own sk92447 Status of OpenSSL CVEs that does not list this CVE - and the command for checking OpenSSL version by rpm returns nothing on R80.10: # rpm -qa | grep openssl

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Are you a member of CheckMates?

IPS Signature for CVE-2017-3737