The OpenSSL Project today published a security advisory that affects users of Bro who use Bro's X.509 certificate validation functionality. This functionality is enabled by default for cluster installations; it is not enabled by default when running Bro from the command line. Certificate validation is enabled by loading either the policy script protocols/ssl/validate-certs.bro or protocols/ssl/validate-ocsp.bro. To disable this functionality, make sure that neither of these scripts is loaded in local.bro.
If certificate validation is enabled, an attacker can launch a denial-of-service (DoS) attack against a Bro installation: an attacker will be able to reliably crash every Bro node that uses certificate validation together with a vulnerable version of OpenSSL. The root cause of the OpenSSL bug is a null-pointer dereference that occurs when parsing certain malformed X.509 certificates.
The issue (CVE-2015-3194) affects OpenSSL 1.0.1 and 1.0.2 and was fixed in OpenSSL 1.0.1q and 1.0.2e respectively. If you use Bro and perform certificate validation, you should update OpenSSL as soon as possible.
To test whether you are vulnerable, you can use our test certificate. If executing "openssl x509 -in cve-2015-3194-test.pem -noout -text" completes without crashing, you should not be vulnerable.
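The checks described above, collected into a small POSIX shell script a Bro operator could run on a sensor. This is an added example and not code from the Bro project or from the original post: the function names are this example's own, the affected version ranges and the test certificate filename are the ones stated above, and the sample local.bro contents the script creates for its demo are constructed here.

```shell
#!/bin/sh
# Added example (not part of Bro or the original post). Three checks:
#   1. is the installed OpenSSL in the affected range
#      (1.0.1 before 1.0.1q, 1.0.2 before 1.0.2e)?
#   2. does local.bro load either certificate-validation script?
#   3. does `openssl x509` survive the test certificate named in the post?

# Numeric value of a single ASCII character (POSIX printf "'c" form); 0 if empty.
ord() {
    if [ -z "$1" ]; then echo 0; else printf '%d' "'$1"; fi
}

# openssl_affected VERSION: prints "affected" or "not-affected".
# Accepts forms such as "1.0.1", "1.0.1p" and "1.0.2e-fips".
openssl_affected() {
    ver="$1"
    base=$(printf '%s' "$ver" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
    letter=$(printf '%s' "$ver" | sed 's/^[0-9]*\.[0-9]*\.[0-9]*//; s/[^a-z].*//')
    case "$base" in
        1.0.1) fixed=q ;;
        1.0.2) fixed=e ;;
        *) echo not-affected; return 0 ;;   # only 1.0.1 and 1.0.2 are named in the advisory
    esac
    # Patch letters order lexically; a bare "1.0.1" (no letter) precedes "1.0.1a".
    if [ "$(ord "$letter")" -lt "$(ord "$fixed")" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# validation_loaded FILE: prints "enabled" if FILE (a local.bro) contains an
# active @load of validate-certs or validate-ocsp, "disabled" otherwise.
# Commented-out lines are ignored. Note: this only inspects direct @load
# lines in the given file, not scripts pulled in indirectly.
validation_loaded() {
    if grep -Eq '^[[:space:]]*@load[[:space:]]+protocols/ssl/validate-(certs|ocsp)' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# check_cert_parse FILE: prints "ok" if `openssl x509` exits normally (success
# or an ordinary parse error), "crashed" if the process was killed by a signal
# (exit status above 128), which is what the null-pointer dereference produces.
check_cert_parse() {
    rc=0
    openssl x509 -in "$1" -noout -text >/dev/null 2>&1 || rc=$?
    if [ "$rc" -gt 128 ]; then echo crashed; else echo ok; fi
}

# Demo with a constructed local.bro (two lines, one commented out).
sample=$(mktemp)
printf '%s\n' '# @load protocols/ssl/validate-certs' '@load protocols/ssl/validate-ocsp' > "$sample"
echo "sample local.bro: certificate validation $(validation_loaded "$sample")"
rm -f "$sample"

# Live checks, only when an openssl binary and the test certificate are present.
if command -v openssl >/dev/null 2>&1; then
    installed=$(openssl version | awk '{print $2}')
    echo "OpenSSL $installed: $(openssl_affected "$installed")"
    if [ -f cve-2015-3194-test.pem ]; then
        echo "test certificate parse: $(check_cert_parse cve-2015-3194-test.pem)"
    fi
fi
```

Run it on the sensor host with the test certificate in the current directory; a "crashed" verdict, or an "affected" version paired with "enabled" validation, means the node should be patched or have the validation scripts removed from local.bro.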
The original OpenSSL security advisory is available at https://www.openssl.org/news/secadv/20151203.txt. It also covers several other issues that do not directly affect Bro.