Netscape/OpenSSL Cipher Forcing Bug (1412 Views)
Reply
Occasional Contributor
petepuma01
Posts: 3
Registered: ‎07-31-2013
Message 1 of 1 (1,412 Views)

Netscape/OpenSSL Cipher Forcing Bug

I have a large collection of HP LaserJet printers- 4000, 4100, 4200, 4300, 4345, M3027, 4101, 8150. Our new corporate parent is very strict on network security and they have installed an appliance from Qualys that scans the network for vulnerabilties. I have several related to our HP printers and I'm hoping someone can assist me in finding a way to mitigate these vulnerabilties, hopefully through modifying printer settings. I'm not overly technical so forgive me if I'm missing the obvious. I've upgraded to the latest firmware for most printers.  I'll have a few posts similar to this one, though with different issues.

 

Qualys is reporting this:

- Netscape/OpenSSL Cipher Forcing Bug

- Netscape's SSLv3 implementation had a bug where if a SSLv3 connection is initially established, the first available cipher is used. If a session is resumed, a different cipher may be chosen if it appears in the passed cipher list before the session's current cipher. This bug can be used to change ciphers on the server.
 
OpenSSL contains this bug if the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is enabled during runtime. This option was introduced for compatibility reasons.
 
The problem arises when different applications using OpenSSL's libssl library enable all compatibility options including SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, thus enabling the bug.

- A malicious legitimate client can enforce a ciphersuite not supported by the server to be used for a session between the client and the server. This can result in disclosure of sensitive information.

- Workaround:
This problem can be fixed by disabling the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option from the options list of OpenSSL's libssl library. This can be done by replacing the SSL_OP_ALL definition in the openssl/ssl.h file with the following line:
 
define SSL_OP_ALL     (0x00000FFFL^SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
 
The library and all programs using this library need to be recompiled to ensure that the correct OpenSSL library is used during linking.
 Patch:
Following are links for downloading patches to fix the vulnerabilities:
  OpenSSL (OpenSSL) (http://www.openssl.org/source/)

 

Can anyone offer a solution to this?

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.