Vulnerability in OpenSSL - SRTP Memory Leak
A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server...
Vulnerability in OpenSSL CVE-2010-0740
In TLS connections, certain incorrectly formatted records can cause an OpenSSL client or server to crash due to a read attempt at NULL. Found by Bodo Moeller and Adam Langley (Google)...
Vulnerability in OpenSSL - Resource leakage when decoding certificates and keys
The OPENSSL_LH_flush function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will...
Vulnerability in OpenSSL - OOB write in MDC2_Update()
An overflow can occur in MDC2_Update either if called directly or through the EVP_DigestUpdate function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate with a partial block then a length check can overflow resulting in a heap...
Vulnerability in OpenSSL - Bleichenbacher oracle in SSLv2
This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address the vulnerability CVE-2015-0293. s2_srvr.c overwrites the wrong bytes in the master-key when applying Bleichenbacher protection for export cipher suites. This provides a...
Vulnerability in OpenSSL - DH small subgroups
Historically OpenSSL usually only ever generated DH parameters based on “safe” primes. More recently in version 1.0.2 support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be “safe”. Where an application ...
Vulnerability in OpenSSL - DoS via reachable assert in SSLv2 servers
DoS via reachable assert in SSLv2 servers. A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message. Found by Sean Burford (Google) and Emilia Käsper (OpenSSL development team)...
Vulnerability in OpenSSL - ASN.1 structure reuse memory corruption
ASN.1 structure reuse memory corruption. Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Such reuse is and has been strongly discouraged and is believed to be rare. Found by Emilia Käsper (OpenSSL development team)...
Vulnerability in OpenSSL - Build option no-ssl3 is incomplete
When OpenSSL is configured with “no-ssl3” as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them. Found by Akamai Technologies...
Vulnerability in OpenSSL - OpenSSL TLS protocol downgrade attack
A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher...
Vulnerability in OpenSSL - Heap memory corruption with RSA private key operation
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a...
Vulnerability in OpenSSL - ASN.1 BIO excessive memory allocation
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio a short invalid encoding can cause allocation of large amounts of memory potentially consuming excessive resources or exhausting memory. Any application parsing untrusted data through d2i BIO functions is affected. The memory...
Vulnerability in OpenSSL - Memory leak in SRP database lookups
The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases. Specifically, SRP servers that configure a secret...
Vulnerability in OpenSSL - X509_ATTRIBUTE memory leak
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS7 and CMS routines so any application which reads PKCS7 or CMS data from untrusted sources is affected. SSL/TLS is not affected. Found by Adam Langley (Google/BoringSSL) using libFuzz...
Vulnerability in OpenSSL - Certificate verify crash with missing PSS parameter
The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. Since these routines are used to verify certificate signature algorithms this can be used to crash any...
Vulnerability in OpenSSL - Invalid TLS/DTLS record attack
An integer underflow flaw, leading to a buffer over-read, was found in the way OpenSSL handled TLS 1.1, TLS 1.2, and DTLS (Datagram Transport Layer Security) application data record lengths when using a block cipher in CBC (cipher-block chaining) mode. A malicious TLS 1.1, TLS 1.2, or DTLS client or...
Vulnerability in OpenSSL - Invalid certificate policies in leaf certificates are silently ignored
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that...
Vulnerability in OpenSSL - Missing CRL sanity check
This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016. A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0 but was omitted from OpenSSL 1.0.2i. As a result any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. Found by Bruce...
Vulnerability in OpenSSL - Incorrect MAC key used in the RC4-MD5 ciphersuite
The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipie...
Vulnerability in OpenSSL - BN_mod_exp may produce incorrect results on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible...
Vulnerability in OpenSSL - Use After Free following d2i_ECPrivatekey error
Use After Free following d2i_ECPrivatekey error. A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use after free condition. This, in turn, could cause a double free in several private key parsing functions such as d2i_PrivateKey or EVP_PKCS82PKEY and could lead...
Vulnerability in OpenSSL CVE-2014-0076
Fix for the attack described in the paper “Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack”. Found by Yuval Yarom and Naomi Benger...
Vulnerability in OpenSSL - Excessive time spent checking DH q parameter value
Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check, DH_check_ex or EVP_PKEY_param_check to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have bee...
Vulnerability in OpenSSL - AES-SIV implementation ignores empty associated data entries
Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be...
Vulnerability in OpenSSL - NULL dereference validating DSA public key
An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allo...
Vulnerability in OpenSSL - Using a Custom Cipher with NID_undef may lead to NULL encryption
OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0...
Vulnerability in OpenSSL - BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
In the BN_hex2bn function the number of hex digits is calculated using an int value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values of |i| this can result in |bn_expand| not allocating any memory because |i * 4| is negative. This can leave the internal BIGNUM data field as NUL...
Vulnerability in OpenSSL - PKCS7 NULL pointer dereferences
PKCS7 NULL pointer dereference. The PKCS7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that verify PKCS7 signatures, decrypt PKCS7 da...
Vulnerability in OpenSSL CVE-2013-6449
A flaw in OpenSSL can cause an application using OpenSSL to crash when using TLS version 1.2. This issue only affected OpenSSL 1.0.1 versions. Found by Ron Barber...
Vulnerability in OpenSSL - NULL dereference during PKCS7 data verification
A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail...
Vulnerability in OpenSSL - Certificate fingerprints can be modified
OpenSSL accepts several non-DER-variations of certificate signature algorithm and signature encodings. OpenSSL also does not enforce a match between the signature algorithm between the signed and unsigned portions of the certificate. By modifying the contents of the signature algorithm or the...
Vulnerability in OpenSSL - DTLS recursion flaw
By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected. Found by Imre Rad (Search-Lab Ltd)...
Vulnerability in OpenSSL - SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common...
Vulnerability in OpenSSL - ASN1 BIO incomplete fix
It was discovered that the fix for CVE-2012-2110 released on 19 Apr 2012 was not sufficient to correct the issue for OpenSSL 0.9.8. This issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i already contain a patch sufficient to correct CVE-2012-2110. Found by Red Hat...
Vulnerability in OpenSSL CVE-2004-0112
A flaw in SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos...
Vulnerability in OpenSSL CVE-2009-1387
Fix a denial of service flaw in the DTLS implementation. A remote attacker could use this flaw to cause a DTLS server to crash. Found by Robin Seggelmann...
Vulnerability in OpenSSL - Excessive time spent checking DH keys and parameters
Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check, DH_check_ex or EVP_PKEY_param_check to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have bee...
Vulnerability in OpenSSL - Invalid handling of X509_verify_cert() internal errors in libssl
Internally libssl in OpenSSL calls X509_verify_cert on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO...
Vulnerability in OpenSSL - CMS and S/MIME Bleichenbacher attack
A weakness in the OpenSSL CMS and PKCS #7 code can be exploited using Bleichenbacher's attack on PKCS #1 v1.5 RSA padding, also known as the million message attack (MMA). Only users of CMS, PKCS #7, or S/MIME decryption operations are affected; SSL/TLS applications are not affected by this issue. Found...
Vulnerability in OpenSSL CVE-2009-1386
Fix a NULL pointer dereference if a DTLS server received ChangeCipherSpec as first record. A remote attacker could use this flaw to cause a DTLS server to crash. Found by Alex Lam...
Vulnerability in OpenSSL CVE-2009-1379
Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function could cause a client accessing a malicious DTLS server to crash. Found by Daniel Mentz, Robin Seggelmann...
Vulnerability in OpenSSL - Fix Use After Free for large message sizes
This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016. The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved. Unfortunately a danglin...
Vulnerability in OpenSSL - OOB write in BN_bn2dec()
The function BN_bn2dec does not check the return value of BN_div_word. This can cause an OOB write if an application uses this function with an overly large BIGNUM. This could be a problem if an overly large certificate or CRL is printed out from an untrusted source. TLS is not affected because reco...
Vulnerability in OpenSSL - OpenSSL 1.0.2 ClientHello sigalgs DoS
ClientHello sigalgs DoS. If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server. Found by David Ramos (Stanford University)...
Vulnerability in OpenSSL - Anonymous ECDH denial of service
OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack. Found by Felix Gröbert and Ivan Fratrić (Google)...
Vulnerability in OpenSSL CVE-2010-0433
A missing return value check flaw was discovered in OpenSSL, that could possibly cause OpenSSL to call a Kerberos library function with invalid arguments, resulting in a NULL pointer dereference crash in the MIT Kerberos library. In certain configurations, a remote attacker could use this flaw to...
Vulnerability in OpenSSL - EVP_EncryptUpdate overflow
An overflow can occur in the EVP_EncryptUpdate function. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate with a partial block then a length check can overflow resulting in a heap corruption. Following an analysis of all OpenSSL internal...
Vulnerability in OpenSSL - Exploitable out-of-bounds read in X509_cmp_time
X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and...
Vulnerability in OpenSSL - Double Free when processing DTLS packets
A Double Free was found when processing DTLS packets. An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice. This could lead to a Denial of Service attack. Found by Adam Langley and Wan-Teh Chang (Google)...
Vulnerability in OpenSSL CVE-2013-6450
A flaw in DTLS handling can cause an application using OpenSSL and DTLS to crash. This is not a vulnerability for OpenSSL prior to 1.0.0. Found by Dmitry Sobinov...