Summary

Two SSL vulnerabilities that can be exploited to cause a denial of service affect certain BoKS binaries.

Issue

Two SSL vulnerabilities have been discovered in OpenSSL 1.0.1 through 1.0.1e.

  • CVE-2013-6449 - Affecting SSL server implementations.
  • CVE-2013-4353 - Affecting SSL client implementations.

Both vulnerabilities can cause the affected application to crash and so expose it to a denial-of-service attack; neither allows an attacker to gain access to the system. Below is a list of affected BoKS applications, each marked with whether it runs on a BoKS Master (M), Replica (R) and/or Client (C).

SSL server applications
-----------------------

$BOKS_lib/httpsrv (M) - Old BoKS GUI

$BOKS_lib/boks_bccas (M) - Administration server

$BOKS_lib/boks_autoregisterd (M) - Client auto-registration service

$BOKS_lib/boks_pwmd (M) - Optional extension package

$BOKS_lib/boks_csspd (M/R) - BoKS Desktop authentication

$BOKS_lib/boks_sslproxy (M/R/C) - BoKS Desktop telnet proxy

SSL client applications
-----------------------

$BOKS_sbin/adgroup (M) - AD Bridge administration

$BOKS_lib/ldapsearch (M) - adsync, ldapusersync

$BOKS_lib/ldapmodify (M) - currently not used

$BOKS_lib/crldownload_ldap (M) - CRL download

$BOKS_lib/curl (M) - CRL download

$BOKS_lib/ems/modules/emsldap (M) - Event system LDAP connector

$BOKS_lib/auth/modules/hpsaauth (M/R) - BoKS Desktop external auth

$BOKS_lib/auth/modules/ldapauth (M/R) - BoKS Desktop external auth

$BOKS_sbin/adjoin (M/R/C) - AD membership administration

$BOKS_lib/boks_safeword (M/R/C) - BoKS safeword auth

$BOKS_lib/ldapauth (M/R/C) - BoKS LDAP auth

$BOKS_lib/boks_autoregister (M/R/C) - Client auto-registration

Resolution / Workaround

The above vulnerabilities have been fixed in hotfix HFBM-0039-1, but Fox Technologies recommends installing the superseding hotfix HFBM-0043-1, which also addresses another OpenSSL vulnerability, CVE-2014-0160 (aka Heartbleed).

Install the hotfix HFBM-0043-1, available from the HelpSystems Community Portal.

The hotfix includes replacement binaries built with OpenSSL 1.0.1g, in which the vulnerabilities have been fixed.

Some of the binaries are dynamically linked against OpenSSL; for those, the hotfix replaces the OpenSSL shared library rather than the application binary.
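A quick way to see which of the listed binaries on a host are still built against an affected OpenSSL, and whether each one pulls OpenSSL in from a shared library (so that the hotfix replaces the library rather than the binary), as an added example that is not part of the advisory or of the BoKS hotfix. It assumes BOKS_lib and BOKS_sbin are exported as in a BoKS installation; the default paths below are placeholders. The version strings in the sample test data are constructed.

```shell
#!/bin/sh
# Added inventory check (not part of the advisory or the BoKS hotfix).
# For each BoKS binary the advisory lists, pull the embedded OpenSSL version
# string out of the file and flag anything still in the affected range
# 1.0.1 through 1.0.1e. Also reports whether the file references libssl /
# libcrypto as shared objects, since for those the hotfix replaces the
# library, not the binary. A version of "none" means no OpenSSL version
# string was found and the file should be looked at by hand.

BOKS_lib="${BOKS_lib:-/opt/boks/lib}"     # placeholder default; set for real hosts
BOKS_sbin="${BOKS_sbin:-/opt/boks/sbin}"  # placeholder default; set for real hosts

# Printable strings of a file, one per line (portable stand-in for strings(1)).
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1"
}

# First "OpenSSL x.y.z[a-z]" version found in the file, or "none".
openssl_version_of() {
    v=$(printable_strings "$1" \
        | grep -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]\{0,1\}' | head -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "${v#OpenSSL }"
    else
        printf 'none\n'
    fi
}

# Returns 0 (true) when the version is in the advisory's affected range,
# 1.0.1 through 1.0.1e; the hotfix binaries are built with 1.0.1g.
is_affected() {
    case "$1" in
        1.0.1|1.0.1[a-e]) return 0 ;;
        *) return 1 ;;
    esac
}

# "dynamic" when the file names libssl/libcrypto shared objects (a NEEDED
# entry leaves the library name in the binary's string table), else "static".
# Deliberately avoids ldd, which may execute the binary's dynamic loader.
link_mode() {
    if printable_strings "$1" | grep -q -e 'libssl\.so' -e 'libcrypto\.so'; then
        printf 'dynamic\n'
    else
        printf 'static\n'
    fi
}

# One tab-separated status line: path, version, link mode, verdict.
check_binary() {
    f="$1"
    if [ ! -f "$f" ]; then
        printf '%s\tmissing\n' "$f"
        return 0
    fi
    v=$(openssl_version_of "$f")
    m=$(link_mode "$f")
    if is_affected "$v"; then
        printf '%s\t%s\t%s\tAFFECTED\n' "$f" "$v" "$m"
    else
        printf '%s\t%s\t%s\tok\n' "$f" "$v" "$m"
    fi
}

# The advisory's SSL server and SSL client lists.
BOKS_BINARIES="
$BOKS_lib/httpsrv $BOKS_lib/boks_bccas $BOKS_lib/boks_autoregisterd
$BOKS_lib/boks_pwmd $BOKS_lib/boks_csspd $BOKS_lib/boks_sslproxy
$BOKS_sbin/adgroup $BOKS_lib/ldapsearch $BOKS_lib/ldapmodify
$BOKS_lib/crldownload_ldap $BOKS_lib/curl $BOKS_lib/ems/modules/emsldap
$BOKS_lib/auth/modules/hpsaauth $BOKS_lib/auth/modules/ldapauth
$BOKS_sbin/adjoin $BOKS_lib/boks_safeword $BOKS_lib/ldapauth
$BOKS_lib/boks_autoregister
"

for f in $BOKS_BINARIES; do
    check_binary "$f"
done
```

Run it on a Master, Replica and Client in turn; a binary reported as "dynamic" only looks fixed once the libssl/libcrypto shared objects themselves have been replaced, which the hotfix does for those binaries.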


Last Modified On: May 25, 2018