A denial-of-service exploit for OpenSSL was announced recently. We verified that the vulnerability does propagate into Bro and has the same effect in Bro as in other software that uses OpenSSL. If a Bro process sees a certificate that is mangled in the way described in the announcement, it passes the certificate to OpenSSL, which causes the Bro process to lock up with high CPU utilization.

Everyone is going to want to upgrade OpenSSL on their Bro devices as soon as possible. The vulnerability is easy to exploit because X.509 certificate parsing happens in a number of places in Bro and a usable proof-of-concept certificate was released with the announcement.

If you are unable to upgrade OpenSSL on your installation immediately, we have a script that can be used to disable X.509 certificate handling in Bro. It is a stopgap measure and should only be used temporarily, because any analysis that relies on certificate parsing will be broken. It will make your installation avoid the DoS, though.

The short and simple script can be downloaded here: https://gist.github.com/sethhall/68048fe95c0c10966ddf

Good luck, and reach out to us on the Bro mailing list if you have any trouble.

Update #1. Red Hat has pointed out that their distributions and derivatives don’t have this problem because of their compile options. The Red Hat notification: https://access.redhat.com/security/cve/CVE-2015-1788

Update #2. The script to compensate for the problem has been updated and should now support 2.3 as well as 2.4 (including the brief file API that existed during the development cycle but was changed before the release). We’ve only validated the problem on 2.3 and 2.4, and we recommend as a general rule that everyone run nothing older than those two release series.
