CERT Vulnerability Note VU#396440
MatrixSSL contains multiple vulnerabilities
Published: October 11, 2016 (www.kb.cert.org)

CVSS v3 base score: 9.8 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK. Attack Complexity: LOW. Privileges Required: NONE. User Interaction: NONE. Scope: UNCHANGED. Confidentiality Impact: HIGH. Integrity Impact: HIGH. Availability Impact: HIGH.

CVSS v2 base score: 10 High
AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector: NETWORK. Access Complexity: LOW. Authentication: NONE. Confidentiality Impact: COMPLETE. Integrity Impact: COMPLETE. Availability Impact: COMPLETE.

EPSS: 0.035 (Low), 91.5th percentile

Overview

MatrixSSL, version 3.8.5 and earlier, contains heap overflow, out-of-bounds read, and unallocated memory free operation vulnerabilities.

Description

CWE-122: Heap-based Buffer Overflow - CVE-2016-6890

The Subject Alternative Name (SAN) extension of X.509 certificates is not properly parsed. A specially crafted certificate may cause a heap-based buffer overflow and arbitrary code execution.

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2016-6891

The ASN.1 Bit Field is not properly parsed. A specially crafted certificate may lead to a denial of service condition due to an out of bounds read in memory.

CWE-590: Free of Memory not on the Heap - CVE-2016-6892

The x509FreeExtensions() function does not properly handle X.509 certificates. A specially crafted certificate may cause it to free memory that was never allocated, resulting in a denial of service condition.

The CVSS score below describes CVE-2016-6890. For more information about these vulnerabilities, contact the vendor at [email protected] or refer to the vendor release notes and the researcher’s blog.
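All three bugs above are failures to bound a DER parse by the bytes that were actually received: a length or count taken from the certificate is trusted instead of being checked against the remaining buffer. The following is an added example written for this note, not MatrixSSL code and not the researcher's proof of concept: a minimal DER tag/length/value reader that checks every length against the remaining input, a BIT STRING decoder that rejects the zero-length and invalid unused-bits cases, and a SubjectAltName walker that bounds each dNSName copy by the size of the destination slot rather than by the attacker-supplied length. The function names, the slot sizes (SAN_MAX, SAN_NAME) and the sample encodings (SAN_OK, SAN_TRUNC, SAN_LONG, BS_OK, BS_EMPTY, BS_BADPAD) are constructed for the example.

```c
/* Added example (not MatrixSSL code): bounds-checked DER parsing for the
 * three constructs the advisory names. All sample inputs are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read one tag/length/value at *off. Every length is checked against the
 * bytes that actually remain, so a crafted length can never push *val or
 * *vlen past the end of buf (the out-of-bounds-read case). Returns 0 or -1. */
static int der_read_tlv(const uint8_t *buf, size_t buflen, size_t *off,
                        uint8_t *tag, const uint8_t **val, size_t *vlen)
{
    size_t i = *off, len, n, k;
    if (i > buflen || buflen - i < 2) return -1;   /* need tag + first length byte */
    *tag = buf[i++];
    len = buf[i++];
    if (len & 0x80) {                              /* long form: n more length bytes */
        n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || buflen - i < n) return -1;
        for (len = 0, k = 0; k < n; k++) len = (len << 8) | buf[i++];
    }
    if (len > buflen - i) return -1;               /* claims more content than received */
    *val = buf + i;
    *vlen = len;
    *off = i + len;
    return 0;
}

/* BIT STRING content: one byte holding the unused-bit count, then the bits.
 * An unchecked decoder reads val[0] even when vlen == 0, the kind of
 * out-of-bounds read the advisory describes for CVE-2016-6891.
 * Returns the number of payload bytes, or -1 if malformed. */
static int der_bitstring(const uint8_t *val, size_t vlen,
                         const uint8_t **bits, unsigned *unused)
{
    if (vlen == 0 || val[0] > 7 || vlen - 1 > 0x7fffffff) return -1;
    if (vlen == 1 && val[0] != 0) return -1;       /* no payload, so no bits can be unused */
    *unused = val[0];
    *bits = val + 1;
    return (int)(vlen - 1);
}

#define SAN_MAX  4                                 /* slot count and size are assumptions */
#define SAN_NAME 16
typedef struct { char dns[SAN_MAX][SAN_NAME]; size_t count; } san_t;

/* SubjectAltName is SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String
 * (tag 0x82). Each copy is bounded by the destination slot, never by the length
 * the certificate supplies, which is the difference between this and a heap
 * overflow of the kind described for CVE-2016-6890. Returns 0 or -1. */
static int parse_san(const uint8_t *der, size_t derlen, san_t *out)
{
    size_t off = 0, i = 0, k, seqlen, vl;
    const uint8_t *seq, *v;
    uint8_t tag;
    memset(out, 0, sizeof *out);
    if (der_read_tlv(der, derlen, &off, &tag, &seq, &seqlen) || tag != 0x30) return -1;
    if (off != derlen) return -1;                  /* trailing bytes after the SEQUENCE */
    while (i < seqlen) {
        if (der_read_tlv(seq, seqlen, &i, &tag, &v, &vl)) return -1;
        if (tag != 0x82) continue;                 /* other GeneralName choices skipped here */
        if (out->count >= SAN_MAX || vl >= SAN_NAME) return -1;
        for (k = 0; k < vl; k++)                   /* IA5String, printable, no embedded NUL */
            if (v[k] < 0x21 || v[k] > 0x7e) return -1;
        memcpy(out->dns[out->count], v, vl);
        out->dns[out->count][vl] = '\0';
        out->count++;
    }
    return 0;
}

/* Single-int wrappers so each outcome is easy to check. */
static int san_count(const uint8_t *der, size_t derlen)
{
    san_t s;
    return parse_san(der, derlen, &s) ? -1 : (int)s.count;
}
static int bitstring_payload(const uint8_t *der, size_t derlen)
{
    size_t off = 0, vl; const uint8_t *v, *bits; uint8_t tag; unsigned unused;
    if (der_read_tlv(der, derlen, &off, &tag, &v, &vl) || tag != 0x03) return -1;
    return der_bitstring(v, vl, &bits, &unused);
}

/* Constructed sample encodings, not taken from any real certificate. */
static const uint8_t SAN_OK[]    = {0x30,0x0d, 0x82,0x0b,'e','x','a','m','p','l','e','.','c','o','m'};
static const uint8_t SAN_TRUNC[] = {0x30,0x04, 0x82,0x20,'e','x'};         /* inner length 32, 2 bytes left */
static const uint8_t SAN_LONG[]  = {0x30,0x14, 0x82,0x12,'a','a','a','a','a','a','a','a','a',
                                    'a','a','a','a','a','a','a','a','a'};   /* 18-byte name, 16-byte slot */
static const uint8_t BS_OK[]     = {0x03,0x02, 0x00,0xa5};
static const uint8_t BS_EMPTY[]  = {0x03,0x00};                             /* no unused-bits byte at all */
static const uint8_t BS_BADPAD[] = {0x03,0x03, 0x08,0xff,0xff};             /* 8 unused bits is invalid */

int main(void)
{
    printf("SAN_OK    -> %d name(s)\n", san_count(SAN_OK, sizeof SAN_OK));
    printf("SAN_TRUNC -> %d\n", san_count(SAN_TRUNC, sizeof SAN_TRUNC));
    printf("SAN_LONG  -> %d\n", san_count(SAN_LONG, sizeof SAN_LONG));
    printf("BS_OK     -> %d payload byte(s)\n", bitstring_payload(BS_OK, sizeof BS_OK));
    printf("BS_EMPTY  -> %d\n", bitstring_payload(BS_EMPTY, sizeof BS_EMPTY));
    printf("BS_BADPAD -> %d\n", bitstring_payload(BS_BADPAD, sizeof BS_BADPAD));
    return 0;
}
```

The two checks worth copying are the `len > buflen - i` test in der_read_tlv, which is what stops a crafted length from turning into an out-of-bounds read, and the `vl >= SAN_NAME` test before memcpy, which is what stops a crafted name from turning into a heap overflow; both compare the untrusted length against something the parser owns, never against another field of the same untrusted certificate.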


Impact

By causing a MatrixSSL-based server to parse a specially crafted X.509 certificate, a remote, unauthenticated attacker may be able to create a denial of service condition or execute arbitrary code in the context of the SSL stack. The certificate is parsed wherever MatrixSSL validates a peer's certificate chain, so a MatrixSSL client connecting to an attacker-controlled server is exposed in the same way; whether a server is exposed depends on whether it accepts client certificates.


Solution

Apply an update

The vendor has released version 3.8.6 to address these issues. Developers of embedded devices using MatrixSSL should provide firmware updates implementing the fix; because the library is usually built into device firmware rather than installed as a shared system component, users of such devices depend on the device vendor for the fix. Users in general should update to the latest release.


Vendor Information

MatrixSSL: Affected
Notified: August 26, 2016. Updated: October 11, 2016.
Vendor Statement: We have not received a statement from the vendor.
Vendor Information: We are not aware of further vendor information regarding this vulnerability.
Addendum: MatrixSSL versions 3.8.5 and earlier are affected.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23396440 Feedback>).

CoreOS: Not Affected
Notified: October 11, 2016. Updated: October 13, 2016. Statement Date: October 11, 2016.
Vendor Statement: CoreOS Linux is not affected by this vulnerability.
Vendor Information: We are not aware of further vendor information regarding this vulnerability.

Lenovo: Not Affected
Notified: October 11, 2016. Updated: October 14, 2016. Statement Date: October 13, 2016.
Vendor Statement: Lenovo is not affected by this issue.
Vendor Information: We are not aware of further vendor information regarding this vulnerability.

The remaining 97 vendors (100 were notified in total) were notified on October 11, 2016 and, as of the October 11, 2016 update, have status Unknown: no statement has been received from the vendor and no vendor references are available.

ACCESS
AT&T
Alcatel-Lucent
Apple
Arch Linux
Arista Networks, Inc.
Aruba Networks
Avaya, Inc.
Barracuda Networks
Belkin, Inc.
Blue Coat Systems
Brocade Communication Systems
CA Technologies
CMX Systems
CentOS
Check Point Software Technologies
Cisco
Contiki OS
D-Link Systems, Inc.
Debian GNU/Linux
DesktopBSD
DragonFly BSD Project
EMC Corporation
EfficientIP SAS
Enterasys Networks
Ericsson
European Registry for Internet Domains
Extreme Networks
F5 Networks, Inc.
Fedora Project
Force10 Networks
Fortinet, Inc.
Foundry Brocade
FreeBSD Project
GNU adns
GNU glibc
Gentoo Linux
Google
Hardened BSD
Hewlett Packard Enterprise
Hitachi
Huawei Technologies
IBM Corporation
Infoblox
Intel Corporation
Internet Systems Consortium
Internet Systems Consortium - DHCP
JH Software
Juniper Networks
Lynx Software Technologies
McAfee
Microchip Technology
Microsoft Corporation
NEC Corporation
NLnet Labs
NetBSD
Nokia
Nominum
OmniTI
OpenBSD
OpenDNS
Openwall GNU/*/Linux
Oracle Corporation
Oryx Embedded
PC-BSD
Peplink
PowerDNS
Q1 Labs
QNX Software Systems Inc.
Quadros Systems
Red Hat, Inc.
Rocket RTOS
SUSE Linux
SafeNet
Secure64 Software Corporation
Slackware Linux Inc.
SmoothWall
Snort
Sony Corporation
Sourcefire
Symantec
TCPWave
TippingPoint Technologies Inc.
Tizen
Turbolinux
Ubuntu
Unisys
VMware
Wind River
WizNET Technology
Xilinx
Zephyr Project
ZyXEL
dnsmasq
gdnsd
m0n0wall
openSUSE project

CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:C
Environmental 5.9 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Craig Young of Tripwire for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2016-6890, CVE-2016-6891, CVE-2016-6892
Date Public: 2016-10-10 Date First Published: 2016-10-11
