OpenSSL may fail to properly parse invalid ASN.1 structures

2006-09-28T00:00:00
ID VU:247744
Type cert
Reporter CERT
Modified 2007-02-09T21:33:00

Description

Overview

A vulnerability in OpenSSL may allow an attacker to create a denial-of-service condition.

Description

OpenSSL is an Open Source toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols.

When parsing certain invalid ASN.1 structures, OpenSSL may mishandle an error condition, resulting in an infinite loop. By triggering the infinite loop, an attacker may be able to create a denial-of-service condition.
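The failure mode described above, a parser that mishandles an error while walking invalid ASN.1 and never makes forward progress, is easiest to understand beside a parser that cannot behave that way. The following is an added example written for this note, not OpenSSL's own ASN.1 code: a bounds-checked DER TLV walker whose loop consumes at least two bytes per iteration and whose recursion depth is capped, so any malformed length or truncated value is rejected with an error rather than looping. The sample byte strings, the depth and length caps, and the decision not to support the high-tag-number form are assumptions of the example.

```python
# Added example (not OpenSSL code): a bounds-checked DER TLV walker that refuses
# malformed length encodings instead of looping on them. Termination argument:
# every loop iteration consumes the tag byte plus at least one length byte, and
# recursion depth is capped, so no input can keep the parser spinning.
from dataclasses import dataclass, field
from typing import List, Tuple


class DERError(ValueError):
    """Raised for any malformed encoding; the walker never reads past the buffer."""


@dataclass
class Node:
    tag: int
    constructed: bool
    value: bytes
    children: List["Node"] = field(default_factory=list)


MAX_DEPTH = 32      # assumption: generous for X.509-style structures
MAX_LEN_BYTES = 4   # assumption: caps encoded lengths at 2**32 - 1


def _read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise DERError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form
        return first, pos
    if first == 0x80:                      # BER indefinite form, illegal in DER
        raise DERError("indefinite length not allowed in DER")
    nbytes = first & 0x7F
    if nbytes > MAX_LEN_BYTES:
        raise DERError("length field too wide")
    if pos + nbytes > len(buf):
        raise DERError("truncated: length bytes missing")
    raw = buf[pos:pos + nbytes]
    pos += nbytes
    # DER requires the shortest encoding: no leading zero byte, and the long
    # form may only be used for lengths >= 128.
    if raw[0] == 0 or (nbytes == 1 and raw[0] < 0x80):
        raise DERError("non-minimal length encoding")
    return int.from_bytes(raw, "big"), pos


def parse(buf: bytes, depth: int = 0) -> List[Node]:
    """Parse a run of DER TLVs, recursing into constructed values."""
    if depth > MAX_DEPTH:
        raise DERError("nesting too deep")
    nodes: List[Node] = []
    pos = 0
    while pos < len(buf):
        start = pos
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:             # assumption: single-byte tags only
            raise DERError("high-tag-number form not supported by this example")
        length, pos = _read_length(buf, pos)
        end = pos + length
        if end > len(buf):                 # the claimed length must fit the buffer
            raise DERError("value runs past end of buffer")
        value = buf[pos:end]
        constructed = bool(tag & 0x20)
        children = parse(value, depth + 1) if constructed else []
        nodes.append(Node(tag, constructed, value, children))
        pos = end
        assert pos > start, "loop invariant: each TLV consumes bytes"
    return nodes


def check(buf: bytes) -> str:
    """Return 'ok' for well-formed input, otherwise the rejection reason."""
    try:
        parse(buf)
        return "ok"
    except DERError as exc:
        return str(exc)


# Constructed sample inputs (not taken from any real certificate or exploit):
GOOD = bytes.fromhex("30070201050202012c")       # SEQUENCE { INTEGER 5, INTEGER 300 }
OVERLONG = bytes.fromhex("3084ffffffff020105")   # length claims a 4 GiB body
TRUNCATED = bytes.fromhex("308201")              # long-form length cut short
NONMINIMAL = bytes.fromhex("308105020105")       # long form used for length 5
INDEFINITE = bytes.fromhex("30800201050000")     # BER indefinite length

if __name__ == "__main__":
    for name, blob in [("GOOD", GOOD), ("OVERLONG", OVERLONG), ("TRUNCATED", TRUNCATED),
                       ("NONMINIMAL", NONMINIMAL), ("INDEFINITE", INDEFINITE)]:
        print(f"{name:10s} -> {check(blob)}")
```

The point of the invariant assertion is that it is checkable: a reviewer can see the two guaranteed byte consumptions per iteration and the fitting-length check, which together make the loop terminate on every input of finite size.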


Impact

A remote, unauthenticated attacker may be able to create a denial-of-service condition.


Solution

See the systems affected section of this document for information about specific vendors. Users who compile OpenSSL from source are encouraged to apply the updates listed in OpenSSL Security Advisory 20060928.


Vendor Information


Debian GNU/Linux

Updated: October 04, 2006

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00279.html> for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD, Inc.

Updated: September 29, 2006

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See FreeBSD Project Security Advisory <http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc> for more details.


OpenSSL

Updated: September 28, 2006

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://www.openssl.org/news/secadv_20060928.txt> for more details.


Red Hat, Inc.

Updated: September 29, 2006

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://rhn.redhat.com/errata/RHSA-2006-0695.html> for more details.


Ubuntu

Updated: September 28, 2006

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://www.ubuntu.com/usn/usn-353-1> for more details.


CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

  • <http://www.openssl.org/news/secadv_20060928.txt>
  • <http://www.openssl.org/>
  • <http://secunia.com/advisories/23131/>
  • <http://secunia.com/advisories/22544/>
  • <http://secunia.com/advisories/22385/>
  • <http://secunia.com/advisories/22671/>
  • <http://secunia.com/advisories/23155/>
  • <http://secunia.com/advisories/23340/>
  • <http://secunia.com/advisories/22094/>
  • <http://secunia.com/advisories/22259/>
  • <http://www.f-secure.com/security/fsc-2006-6.shtml>
  • <http://secunia.com/advisories/23280/>
  • <http://secunia.com/advisories/23309/>
  • <http://secunia.com/advisories/23351/>
  • <http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1>

Acknowledgements

This vulnerability was reported by the OpenSSL development team in OpenSSL Security Advisory 20060928. The OpenSSL team, in turn, acknowledges Dr. S. N. Henson of Open Network Security and NISCC for funding the ASN.1 test suite project that led to the discovery of this issue.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: | CVE-2006-2937
---|---
Severity Metric: | 0.28
Date Public: | 2006-09-28
Date First Published: | 2006-09-28
Date Last Updated: | 2007-02-09 21:33 UTC
Document Revision: | 31