OpenSSL ASN.1 Client Certificate Double-free

2003-07-14T00:00:00
ID OSVDB:3684
Type osvdb
Reporter Dr. Stephen Henson (steve@openssl.org)
Modified 2003-07-14T00:00:00

Description

Vulnerability Description

A double-free memory allocation error allows remote attackers to cause a denial of service (crash) and may allow the execution of arbitrary code via an SSL client certificate with crafted invalid ASN.1 encoding.

Technical Description

When dealing with SSL client certificates, some ASN.1 encodings which are rejected as invalid by the parser can trigger a double-free bug in the deallocation of the corresponding data structure, thereby corrupting the stack. OpenSSL 0.9.6 and prior are not affected by this bug. There is a very small chance this could be used for remote code execution, but it has not been demonstrated or confirmed.

Solution Description

Upgrade to version 0.9.7c or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor Specific News/Changelog Entry: http://www.ingate.com/relnote-331.php
Vendor Specific News/Changelog Entry: http://www.cyberguard.info/snapgear/releases.html
Secunia Advisory ID: 10863
Secunia Advisory ID: 10487
Secunia Advisory ID: 9887
Secunia Advisory ID: 22249
Secunia Advisory ID: 11697
Other Advisory URL: http://www.bluecoat.com/support/knowledge/advisory_openSSL_ASN_vulnerability.html
Other Advisory URL: http://www.tarantella.com/security/bulletin-08.html
Other Advisory URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57475
Other Advisory URL: http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
Other Advisory URL: http://www.ingate.com/relnote-331.php
Other Advisory URL: http://www.stonesoft.com/document/art/3040.html
Other Advisory URL: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=104893
Other Advisory URL: http://www.smoothwall.org/home/news/item/20031001.01.html
Other Advisory URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57444
Other Advisory URL: http://www.debian.org/security/2003/dsa-394
Other Advisory URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57498
Nessus Plugin ID: 11875
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-10/0342.html
ISS X-Force ID: 13322
ISS X-Force ID: 13315
CVE-2003-0545
CERT: CA-2003-26