The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenSSL: memory corruption via asn1_d2i_read_bio

Synthesis of the vulnerability 

An attacker can use malformed ASN.1 data, with an application linked to OpenSSL, in order to corrupt the memory, which leads to a denial of service or to code execution.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Junos Space, Juniper SA, Juniper SBR, Mandriva Linux, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity of this bulletin: 3/4.
Creation date: 19/04/2012.
References of this threat: 1643316, BID-53158, c03333987, CERTA-2012-AVI-224, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CERTA-2012-AVI-479, CERTFR-2014-AVI-480, CERTFR-2016-AVI-300, CVE-2012-2110, DSA-2454-1, ESX350-201302401-SG, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-6395, FEDORA-2012-6403, FreeBSD-SA-12:01.openssl, HPSBUX02782, JSA10659, KB27376, MDVSA-2012:060, NetBSD-SA2012-001, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, PSN-2013-03-872, PSN-2013-05-941, RHSA-2012:0518-01, RHSA-2012:0522-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL16285, SSRT100844, SUSE-SU-2012:0623-1, SUSE-SU-2012:0637-1, SUSE-SU-2012:1149-1, SUSE-SU-2012:1149-2, VIGILANCE-VUL-11559, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1, VMSA-2013-0001.2, VMSA-2013-0003.

Description of the vulnerability 

X.509 certificates are encoded with ASN.1 (Abstract Syntax Notation One).

OpenSSL uses BIOs, which are data streams that a program can read from or write to.

The asn1_d2i_read_bio() function of OpenSSL decodes ASN.1 data read from a BIO.

However, this function casts the size of ASN.1 objects to a signed integer, whereas "size_t" is unsigned. If the announced size of an object is greater than 0x80000000, the value becomes negative once converted, an allocation error thus occurs, and the memory is corrupted.

The asn1_d2i_read_bio() function is used by several OpenSSL functions. Note: SSL/TLS clients/servers do not use this function, and are thus not vulnerable (there are exceptions if d2i_X509_bio() is called). However, S/MIME or CMS applications are vulnerable.

An attacker can therefore use malformed ASN.1 data, with an application linked to OpenSSL, in order to corrupt the memory, which leads to a denial of service or to code execution.
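To make the signed/unsigned confusion concrete, the following added C illustration (not OpenSSL's code, and not the page's) reads a DER length header, shows the narrowing-to-int pattern the bulletin describes, and applies the bounds check a caller should perform before trusting an announced size. The two sample length fields and the names announced_len_as_int / announced_len_is_safe are constructed for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample DER length fields (the tag byte is assumed consumed). */
static const unsigned char SAMPLE_OK[]   = {0x82, 0x01, 0x2c};             /* length 300 */
static const unsigned char SAMPLE_HUGE[] = {0x84, 0x80, 0x00, 0x00, 0x00}; /* length 0x80000000 */

/* Decode a DER length field. Returns header bytes consumed, 0 on error;
 * the decoded length is written to *out as an unsigned size_t. */
static size_t der_read_length(const unsigned char *buf, size_t n, size_t *out)
{
    if (n < 1) return 0;
    if (buf[0] < 0x80) { *out = buf[0]; return 1; }       /* short form */
    size_t nbytes = buf[0] & 0x7f;                         /* long form */
    if (nbytes == 0 || nbytes > sizeof(size_t) || n < 1 + nbytes) return 0;
    size_t len = 0;
    for (size_t i = 0; i < nbytes; i++) len = (len << 8) | buf[1 + i];
    *out = len;
    return 1 + nbytes;
}

/* The flawed pattern the bulletin describes: the unsigned size is narrowed
 * to a signed int, so 0x80000000 turns negative and any "len > limit"
 * test downstream no longer guards the allocation. Returns 1 on parse. */
static int announced_len_as_int(const unsigned char *buf, size_t n, int *out)
{
    size_t len;
    if (der_read_length(buf, n, &len) == 0) return 0;
    *out = (int)len;                    /* silent narrowing conversion */
    return 1;
}

/* Hardened check a caller should apply before allocating: reject lengths
 * that do not fit a signed int (INT_MAX + 1 == 0x80000000) or that exceed
 * the caller's own buffering policy. Returns 1 if the announced size is safe. */
static int announced_len_is_safe(const unsigned char *buf, size_t n, size_t max_alloc)
{
    size_t len;
    if (der_read_length(buf, n, &len) == 0) return 0;
    return len <= (size_t)INT_MAX && len <= max_alloc;
}

int main(void)
{
    int v = 0;
    announced_len_as_int(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &v);
    printf("0x80000000 as int: %d, accepted by hardened check: %d\n", v,
           announced_len_is_safe(SAMPLE_HUGE, sizeof SAMPLE_HUGE, 1u << 20));
    return 0;
}
```

The same pre-check can be applied to untrusted S/MIME or CMS input before it reaches a d2i_*_bio() call on an unpatched library.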


Our Vigil@nce team determined that the severity of this computer vulnerability announcement is important.

The trust level is "confirmed by the vendor", with an origin of "document".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with specialist ability can exploit this cybersecurity announcement.

Solutions for this threat 

OpenSSL: version 1.0.1a.
The version 1.0.1a is corrected:
  http://www.openssl.org/

OpenSSL: version 1.0.0i.
The version 1.0.0i is corrected:
  http://www.openssl.org/

OpenSSL: version 0.9.8v.
The version 0.9.8v is partially corrected:
  http://www.openssl.org/
The version 0.9.8w is corrected:
  VIGILANCE-SOL-26091

AIX: OpenSSL version 0.9.8.1802.
OpenSSL version 0.9.8.1802 is corrected:
  https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp
OpenSSH version 5.8.0.6102 is available.

Debian: new openssl packages.
New packages are available:
  openssl 0.9.8o-4squeeze11

F5 BIG-IP: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

Fedora: new openssl packages.
New packages are available:
  openssl-1.0.0i-1.fc15
  openssl-1.0.0i-1.fc16

FreeBSD: patch for OpenSSL.
A patch is available:
  http://security.FreeBSD.org/patches/SA-12:01/openssl.patch
A patch is available to correct a regression:
  http://security.FreeBSD.org/patches/SA-12:01/openssl-sgc-fix.patch

HP-UX: OpenSSL version A.00.09.08w.
OpenSSL version A.00.09.08w is corrected:
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I

IBM Tivoli Workload Scheduler: solution for OpenSSL.
The solution is indicated in information sources.

JBoss Enterprise Application, Web: update for openssl.
An update is available:
JBoss Enterprise Application Platform 5.1.2 :
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.1.2
JBoss Enterprise Application Platform 6.0.0 :
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.0.0
JBoss Enterprise Web Server 1.0.2 :
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2

Juniper IVE OS: version 7.1r10.
The version 7.1r10 is corrected:
  http://support.juniper.net/

Juniper IVE OS: version 7.2r3.
The version 7.2r3 is corrected:
  http://support.juniper.net/

Juniper SBR: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

Junos Space: version 14.1R1.
The version 14.1R1 is fixed:
  http://www.juniper.net/support/downloads/?p=space#sw

Mandriva: new openssl packages.
New packages are available:
  openssl0.9.8-0.9.8v-0.1mdv2010.2
  openssl-1.0.0a-1.12mdv2010.2
  openssl-1.0.0d-2.5-mdv2011.0
  openssl-0.9.8h-3.15mdvmes5.2

NetBSD: patch for OpenSSL DER.
A patch is available in information sources.

NetBSD: version 5.1.3.
The version 5.1.3 is fixed:
  http://www.NetBSD.org/mirrors/

OpenBSD: patch for libcrypto.
A patch is available:
  http://ftp.openbsd.org/pub/OpenBSD/patches/5.0/common/002_libcrypto.patch
  http://ftp.openbsd.org/pub/OpenBSD/patches/5.1/common/001_libcrypto.patch

OpenBSD: version 5.2.
The version 5.2 is corrected:
  http://www.OpenBSD.org/

openSUSE: new openssl packages (25/02/2013).
New packages are available:
  openSUSE 11.4 : openssl-1.0.0k-18.45.1
  openSUSE 12.1 : openssl-1.0.0k-34.20.1
  openSUSE 12.2 : openssl-1.0.1e-2.8.1

RHEL: new openssl packages.
New packages are available:
  openssl-0.9.7a-33.28 (RHEL 3)
  openssl-0.9.7a-43.20.el4 (RHEL 4)
  openssl-0.9.8e-7.el5_3.2
  openssl-0.9.8e-12.el5_6.9
  openssl-0.9.8e-22.el5_8.3
  openssl-1.0.0-4.el6_0.3
  openssl-1.0.0-10.el6_1.6
  openssl-1.0.0-20.el6_2.4

ScreenOS: version 5.4.0r27.
The version 5.4.0r27 is fixed:
  http://www.juniper.net/

ScreenOS: version 6.2.0r16.
The version 6.2.0r16 is fixed:
  http://www.juniper.net/

ScreenOS: version 6.3.0r13.
The version 6.3.0r13 is fixed:
  http://www.juniper.net/

Solaris 10: patch for OpenSSL.
A patch is available:
  SPARC: 147159-05 147707-06
  X86: 146672-07

Solaris 11: patch 11/11 SRU 8.5.
A patch is available:
  https://support.oracle.com/CSP/main/article?type=NOT&id=1470139.1

SUSE LE: new compat-openssl097g packages.
New packages are available:
  SUSE LE 10 : compat-openssl097g-0.9.7g-13.23.1
  SUSE LE 11 : compat-openssl097g-0.9.7g-146.22.1

SUSE LE: new openssl packages.
New packages are available:
  SUSE LE 10 : openssl-0.9.8a-18.68.1
  SUSE LE 11 : openssl-0.9.8j-0.36.1

VMware ESX 3.5: patch ESX350-201302401-SG.
A patch is available:
  http://kb.vmware.com/kb/2042541

VMware ESX 4.0: patch ESX400-201209001.
A patch is available:
  ESX400-201209001
  http://kb.vmware.com/kb/2019661

VMware ESX: version 4.1 Update 3.
The version 4.1 Update 3 is corrected:
  http://kb.vmware.com/kb/2020362
