OpenSSL Malformed ASN.1 Structure Resource Consumption DoS

2006-09-28T14:34:00
ID OSVDB:29260
Type osvdb
Reporter Open Network Security, Dr. S. N. Henson
Modified 2006-09-28T14:34:00

Description

Vulnerability Description

OpenSSL contains a flaw that may allow a remote denial of service. The issue is triggered by an error in processing malformed ASN.1 structures, which may lead to an infinite loop and unbounded memory consumption, resulting in loss of availability for the service.

Solution Description

Upgrade to version 0.9.7l or 0.9.8d or higher, which have been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.

References:

Vendor Specific News/Changelog Entry: http://sourceforge.net/forum/forum.php?forum_id=617485
Vendor Specific News/Changelog Entry: http://www.serv-u.com/releasenotes/
Vendor Specific News/Changelog Entry: http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
Vendor Specific News/Changelog Entry: http://openvpn.net/changelog.html
Vendor Specific News/Changelog Entry: http://www.cyberguard.info/snapgear/releases.html
Vendor Specific News/Changelog Entry: http://www.ingate.com/relnote-452.php
Secunia Advisory IDs: 22186, 22207, 22212, 22232, 22460, 22284, 22758, 22898, 22671, 23155, 23309, 23340, 24930, 25420, 22220, 22385, 22216, 22772, 22799, 23131, 23280, 23785, 26329, 27229, 22193, 22116, 22260, 22487, 22544, 22626, 23915, 24950, 27051, 27012, 27031, 27706, 22130, 22165, 22166, 22172, 22240, 22259, 22094, 22330, 22298, 22689, 23038, 23351, 23680, 25889, 27021
Related OSVDB IDs: 29261, 29263, 29262
RedHat RHSA: RHSA-2006:0695
Other Advisory URL: http://www.ipcop.org/modules.php?op=modload&name=News&file=article&sid=31&mode=thread&order=0&thold=0
Other Advisory URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
Other Advisory URL: http://lists.rpath.com/pipermail/security-announce/2007-October/000259.html
Other Advisory URL: http://www.ubuntu.com/usn/usn-522-1
Other Advisory URL: http://www.trustix.org/errata/2006/0063/
Other Advisory URL: http://marc.theaimsgroup.com/?l=bind-announce&m=116253119512445&w=2
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml
Other Advisory URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c00967144&jumpid=reg_R1002_USEN
Other Advisory URL: http://www.xerox.com/downloads/usa/en/c/cert_ESSNetwork_XRX07001_v1.pdf
Other Advisory URL: http://www.debian.org/security/2007/dsa-1379
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200711-23.xml
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200610-11.xml
Other Advisory URL: http://security.freebsd.org/advisories/FreeBSD-SA-07:08.openssl.asc
Other Advisory URL: http://www.us.debian.org/security/2006/dsa-1185
Other Advisory URL: https://issues.rpath.com/browse/RPL-613
Other Advisory URL: http://www.novell.com/linux/security/advisories/2007_20_sr.html
News Article: http://news.com.com/Apple+Mac+OS+X+patch+plugs+31+vulnerabilities/2100-1002_3-6139117.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-06/0347.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0295.html
Keyword: HPSBMA02250,SSRT061275
Keyword: HPSBTU02207,SSRT061239,c00967144
CVE: CVE-2006-2937