Zero-friction vulnerability management platform

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

OpenSSL 1.0.2 and 1.0.1 Multiple Vulnerabilities Sep 16 (Windows)

Information

Severity

Severity

High

Family

Family

Denial of Service

CVSSv2 Base

CVSSv2 Base

7.5

CVSSv2 Vector

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Solution Type

Solution Type

Vendor Patch

Created

Created

6 years ago

Modified

Modified

3 years ago

Summary

This host is running OpenSSL and is prone to multiple vulnerabilities.

Insight

Insight

OpenSSL suffers from the possibility of multiple vulnerabilities due to: 1) Missing message length checks which results in Out of Bounds reads up to 2 bytes beyond the allocated buffer, this leads to Denial of Service. The attack works only if client authentication is enabled. 2) Calling MDC2_Update() can cause an overflow if an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. 3) A malfored SHA512 TLS session ticket resulting in an Out of Bounds read which leads to service crash. 4) Unchecking the return value of BN_div_word() function causing an Out of Bounds write if it is used with an overly large BIGNUM. TLS is not affected. 5) Misusing OBJ_obj2txt() function by the function TS_OBJ_print_bio() will results in Out of Bounds reads when large OIDs are presented. 6) DTLS out-of-order messages handling which enable an attacker to cause a DoS attack through memory exhaustion. 7) A flaw in the DTLS replay attack protection mechanism enabling the attacker to send records for next epochs with a very large sequence number, this causes in dropping all the subsequent legitimate packets and causing a denial of service for a specific DTLS connection.

Affected Software

Affected Software

OpenSSL 1.0.2 and 1.0.1.

Solution

Solution

OpenSSL 1.0.2 users should upgrade to 1.0.2i, OpenSSL 1.0.1 users should upgrade to 1.0.1u