Tuesday, June 16, 2015

OpenSSL Denial of Service Impacting Bro - CVE-2015-1788

A denial of service exploit for OpenSSL was announced recently.  We verified that the vulnerability does propagate into Bro and has the same effect in Bro as in other software that uses OpenSSL.  If a Bro process sees a certificate that is mangled in the way described in the announcement, it passes the certificate to OpenSSL, which causes the Bro process to lock up with high CPU utilization.

Everyone is going to want to upgrade OpenSSL on their Bro devices as soon as possible.  This is easy to exploit since X.509 certificate parsing happens in a number of places in Bro and a usable proof of concept certificate was released with the announcement.

In the event that you are unable to upgrade OpenSSL on your installation immediately, we have a script that can be used to disable X.509 certificate handling in Bro.  It is a stopgap measure and should only be used temporarily, because any analysis that relies on certificate parsing will be broken.  It will make your installation avoid the DoS, though.

The short and simple script can be downloaded here: https://gist.github.com/sethhall/68048fe95c0c10966ddf

Good luck, and reach out to us on the Bro mailing list if you have any trouble.

Update #1. Red Hat has pointed out that their distributions and derivatives don't have this problem because of their compile options.  The Red Hat notification: https://access.redhat.com/security/cve/CVE-2015-1788

Update #2.  The script to compensate for the problem has been updated and should now support 2.3 as well as 2.4 (including the brief file API that existed during the development cycle but was changed before the release).  We've only validated the problem on 2.3 and 2.4, and we generally recommend that everyone run nothing older than those two release series.

Tuesday, June 9, 2015

Bro 2.4 released

We are happy to announce that Bro 2.4 has been released and is available for download. For a brief overview of the new features, please look at our blog post of the 2.4 beta. Since the beta, there were a few small bugfixes and further documentation updates.

See NEWS for the release notes and CHANGES for the exhaustive list of changes.

Feedback is encouraged and should be sent to the Bro mailing list.

We extend sincere thanks to all who have helped make this release possible, especially those members of the community who have given us their feedback and support.

The Bro Team