Contact Us
SECURITY BLOG SECURITY DASHBOARD PARTNERS PRODUCTS JOBS SERVICES COMPANY HOME
Network Security Consulting Advisories Article

OpenSSL Encoded ASN.1 Data Integer Truncation Memory Corruption Vulnerability

http://www.securityfocus.com/bid/53158

Security Info

Bugtraq ID: 53158
Class: Design Error
CVE: CVE-2012-2110
Remote: Yes
Local: No
Published: Apr 19 2012 12:00AM
Updated: Apr 20 2012 06:00PM
Credit: Tavis Ormandy
Vulnerable: Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
Ubuntu Ubuntu Linux 11.10 i386
Ubuntu Ubuntu Linux 11.10 amd64
Ubuntu Ubuntu Linux 11.04 powerpc
Ubuntu Ubuntu Linux 11.04 i386
Ubuntu Ubuntu Linux 11.04 ARM
Ubuntu Ubuntu Linux 11.04 amd64
Ubuntu Ubuntu Linux 10.04 sparc
Ubuntu Ubuntu Linux 10.04 powerpc
Ubuntu Ubuntu Linux 10.04 i386
Ubuntu Ubuntu Linux 10.04 ARM
Ubuntu Ubuntu Linux 10.04 amd64
OpenSSL Project OpenSSL 1.0.0h 0
OpenSSL Project OpenSSL 0.9.8u 0
OpenSSL Project OpenSSL 1.0
OpenSSL Project OpenSSL 0.9.8 k
OpenSSL Project OpenSSL 0.9.8 j
OpenSSL Project OpenSSL 0.9.8 i
OpenSSL Project OpenSSL 0.9.8 h
OpenSSL Project OpenSSL 0.9.8 e
OpenSSL Project OpenSSL 0.9.8 d
OpenSSL Project OpenSSL 0.9.8 c
OpenSSL Project OpenSSL 0.9.8 b
OpenSSL Project OpenSSL 0.9.8 a
OpenSSL Project OpenSSL 0.9.8
+ Gentoo Linux
OpenSSL Project OpenSSL 1.0.1
OpenSSL Project OpenSSL 1.0.0g
OpenSSL Project OpenSSL 1.0.0f
OpenSSL Project OpenSSL 1.0.0e
OpenSSL Project OpenSSL 1.0.0d
OpenSSL Project OpenSSL 1.0.0c
OpenSSL Project OpenSSL 1.0.0b
OpenSSL Project OpenSSL 1.0.0A
OpenSSL Project OpenSSL 0.9.8t
OpenSSL Project OpenSSL 0.9.8s
OpenSSL Project OpenSSL 0.9.8R
OpenSSL Project OpenSSL 0.9.8Q
OpenSSL Project OpenSSL 0.9.8p
OpenSSL Project OpenSSL 0.9.8p
OpenSSL Project OpenSSL 0.9.8o
OpenSSL Project OpenSSL 0.9.8O
OpenSSL Project OpenSSL 0.9.8N
OpenSSL Project OpenSSL 0.9.8n
OpenSSL Project OpenSSL 0.9.8m
OpenSSL Project OpenSSL 0.9.8M
OpenSSL Project OpenSSL 0.9.8l
OpenSSL Project OpenSSL 0.9.8g
OpenSSL Project OpenSSL 0.9.8f
OpenSSL Project OpenSSL 0.9.8 f
Mandriva Linux Mandrake 2011 x86_64
Mandriva Linux Mandrake 2011
Mandriva Linux Mandrake 2010.1 x86_64
Mandriva Linux Mandrake 2010.1
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
Internet2 Shibboleth 2.4.3
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
Not Vulnerable: OpenSSL Project OpenSSL 1.0.1a
OpenSSL Project OpenSSL 1.0.0i
OpenSSL Project OpenSSL 0.9.8v

Security Discussion

OpenSSL is prone to a remote memory-corruption vulnerability because of integer-truncation errors.

Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the application using the vulnerable library. Failed exploit attempts will result in a denial-of-service condition.

OpenSSL versions up to and including 1.0.1 are affected.

Proof of Concept and Security Exploits

The researcher who found the issue has created a proof-of-concept. Please see the references for information.

Security Solution(s)

Solution:
Updates are available. Please see the references for more information.


Mandriva Linux Mandrake 2010.1 x86_64

MandrakeSoft Enterprise Server 5 x86_64

MandrakeSoft Enterprise Server 5

Mandriva Linux Mandrake 2010.1

Mandriva Linux Mandrake 2011 x86_64

Mandriva Linux Mandrake 2011

Security References(s)

References:

Contact Us

Security Penetration Testing

Security Questions

Security Dashboard

Emagined Security Blog featuring Dr. Eugene Schultz
Site Updated September 01, 2014
©2000-2014 Emagined Security
All Rights Reserved

Secure Web Programming
by Vizual Services