Topic: Cyassl v3.3.0 CVE-2010-4180 issue

My system use Cyassl v3.3.0. I used Nessue to scan my system, the Nessue report CVE-2010-4180 issue.
How to fix this issue?

CVE-2010-4180
Description
The version of OpenSSL on the remote host has been shown to allow resuming session with a weaker cipher than was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a weaker cipher chosen by the attacker.

Note that other SSL implementations may also be affected by this vulnerability.

Solution
Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.

Output
•    The server allowed the following session over TLSv1 to be resumed as follows :
•   
•      Session ID     : 2deaec4a3d2421a895ca58902a0939f6f53e380bb8d75ee9cca92caf0baff871
•      Initial Cipher : TLS1_CK_RSA_WITH_AES_256_CBC_SHA (0x0035)
•      Resumed Cipher : TLS1_CK_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

Share

2 (edited by Kaleb J. Himes 2017-12-21 12:59:58)

Re: Cyassl v3.3.0 CVE-2010-4180 issue

Hi tpilouis,

Are you specifically running your scans against CyaSSL or are you scanning your entire system?

<Edited: 11:05 12/27/2017>

Warmest Regards,

Kaleb

Re: Cyassl v3.3.0 CVE-2010-4180 issue

Hi Kaleb,

Thanks For Reply. Yes, Nessue scan entire system not only scan Cyassl. My web server is yasslEWS 1.0 + Cyassl 3.3.0, which provides http (port 80) and https (port 443) services. My system does not use Openssl lib, so very strange!

I did a test today and stopped the yasslEWS 1.0 service before Nessus scanned it. The result was normal and Nessus did not report the issue CVE-2010-4180. If yasslEWS 1.0 was enabled before running Nessus, the problem reappeared. This problem always occurs on port 443.

Output
The server allowed the following session over TLSv1 to be resumed as follows :

  Session ID     : b3924b29ba55e3d4b3026fa0db05db71adb018936269ecd2b95ad00a4ce57f67
  Initial Cipher : TLS1_CK_RSA_WITH_AES_256_CBC_SHA (0x0035)
  Resumed Cipher : TLS1_CK_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

Port                              Hosts
443 / tcp / www              192.168.7.80


My System listen port as bellow:
~ # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      329/dropbear
tcp        0      0 ::%53740:80             ::%385896:*             LISTEN      288/yasslEWS
tcp        0      0 ::%53740:22             ::%386104:*             LISTEN      329/dropbear
tcp        0      0 ::%53740:23             ::%386312:*             LISTEN      296/telnetd
tcp        0      0 ::%53740:443            ::%386520:*             LISTEN      288/yasslEWS
udp        0      0 127.0.0.1:33801         0.0.0.0:*                           290/snmpd
udp        0      0 127.0.0.1:33802         0.0.0.0:*                           336/vcm_serv
udp        0      0 127.0.0.1:33811         0.0.0.0:*                           336/vcm_serv
udp        0      0 127.0.0.1:33821         0.0.0.0:*                           313/sntp
udp        0      0 0.0.0.0:161             0.0.0.0:*                           290/snmpd
udp        0      0 127.0.0.1:33831         0.0.0.0:*                           254/appDemo
udp        0      0 ::%273664:161           ::%321022:*                         290/snmpd
~ #
~ #



Best Regards,

tpilouis

Share

Re: Cyassl v3.3.0 CVE-2010-4180 issue

Hi tpilous,

Thanks for confirming it is tracing back to CyaSSL and not some other unexpected program using OpenSSL.

Have you tested with newer versions of CyaSSL, do you experience the same issue? That version of CyaSSL is more than 3 years old at this point and even if we did ID the issue it has likely already been addressed in a newer release.

Have you considered integrating wolfSSL into your product? We just released v3.13.0 and it is available for download on our website.

Could you tell me a little about your project, why it has not been updated in so long? Is this a legacy system?


Warm Regards,

Kaleb

Re: Cyassl v3.3.0 CVE-2010-4180 issue

Hi Kaleb,
I maintain a legacy system. I think move Cyassl to wolfssl is a good way. Web server of my system need support http/https/IPv4/IPv6/cgi, which web server is a good choice? Wolfssl v3.13.0 cannot support yasslEWS 1.0 right?
Wolfssl v3.13.0 can support mongoose server?

Best Regards

tpilouis

Share