Vulnerability in OpenSSL - Memory leak in SRP database lookups
The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases. Specifically, SRP servers that configure a secret...
Vulnerability in OpenSSL - Bleichenbacher oracle in SSLv2
This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address the vulnerability CVE-2015-0293. s2_srvr.c overwrote the wrong bytes in the master-key when applying Bleichenbacher protection for export cipher suites. This provides a...
Vulnerability in OpenSSL - Cross-protocol attack on TLS using SSLv2 (DROWN)
A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting...
Vulnerability in OpenSSL - Divide-and-conquer session key recovery in SSLv2
This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address vulnerability CVE-2015-0293. s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they displace...
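The check that the entry above says s2_srvr.c lacked, shown as an added example rather than OpenSSL's own code: a parser for the SSLv2 CLIENT-MASTER-KEY body that takes CLEAR-KEY-LENGTH from the negotiated cipher rather than from the client. The cipher table, the result codes and the function and struct names are this example's own; the cipher-kind codes and key sizes are the standard SSLv2 values, and the sample messages are constructed.

```c
/* Added example, not OpenSSL code: length discipline for an SSLv2
 * CLIENT-MASTER-KEY message. Body layout (after the record header):
 *   0x02 | CIPHER-KIND(3) | CLEAR-KEY-LENGTH(2) | ENCRYPTED-KEY-LENGTH(2)
 *        | KEY-ARG-LENGTH(2) | CLEAR-KEY-DATA | ENCRYPTED-KEY-DATA | KEY-ARG-DATA
 * The cipher table below is this example's own, not taken from OpenSSL. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct ssl2_cipher {
    uint32_t kind;       /* 3-byte CIPHER-KIND as on the wire */
    size_t key_len;      /* total MASTER-KEY length */
    size_t clear_len;    /* bytes sent in the clear; 0 unless export */
    const char *name;
};

static const struct ssl2_cipher ciphers[] = {
    { 0x010080, 16, 0,  "RC4_128_WITH_MD5" },
    { 0x020080, 16, 11, "RC4_128_EXPORT40_WITH_MD5" },
    { 0x030080, 16, 0,  "RC2_128_CBC_WITH_MD5" },
    { 0x040080, 16, 11, "RC2_128_CBC_EXPORT40_WITH_MD5" },
    { 0x050080, 16, 0,  "IDEA_128_CBC_WITH_MD5" },
    { 0x060040, 8,  0,  "DES_64_CBC_WITH_MD5" },
    { 0x0700c0, 24, 0,  "DES_192_EDE3_CBC_WITH_MD5" },
};

struct cmk {
    const struct ssl2_cipher *cipher;
    const uint8_t *clear_key, *enc_key, *key_arg;
    size_t clear_len, enc_len, key_arg_len;
};

enum { CMK_OK = 0, CMK_SHORT = -1, CMK_BAD_CIPHER = -2,
       CMK_BAD_CLEAR_LEN = -3, CMK_BAD_TOTAL = -4 };

/* Parses a CLIENT-MASTER-KEY body. The decisive rule: CLEAR-KEY-LENGTH is
 * fixed by the negotiated cipher, never by the client. Accepting a larger
 * value for a non-export cipher lets the client decide how many of the
 * master-key bytes stay secret, which is what enables the divide-and-conquer
 * recovery described in the advisory. */
static int parse_client_master_key(const uint8_t *msg, size_t len, struct cmk *out)
{
    if (len < 10 || msg[0] != 0x02)
        return CMK_SHORT;
    uint32_t kind = ((uint32_t)msg[1] << 16) | ((uint32_t)msg[2] << 8) | msg[3];
    size_t clear_len = ((size_t)msg[4] << 8) | msg[5];
    size_t enc_len   = ((size_t)msg[6] << 8) | msg[7];
    size_t arg_len   = ((size_t)msg[8] << 8) | msg[9];

    const struct ssl2_cipher *c = NULL;
    for (size_t i = 0; i < sizeof ciphers / sizeof ciphers[0]; i++)
        if (ciphers[i].kind == kind)
            c = &ciphers[i];
    if (c == NULL)
        return CMK_BAD_CIPHER;          /* unknown, or not enabled on this server */
    if (clear_len != c->clear_len)
        return CMK_BAD_CLEAR_LEN;       /* the check that was missing */
    if (len - 10 != clear_len + enc_len + arg_len)
        return CMK_BAD_TOTAL;           /* the three lengths must cover the body exactly */

    out->cipher = c;
    out->clear_key = msg + 10;                  out->clear_len = clear_len;
    out->enc_key = out->clear_key + clear_len;  out->enc_len = enc_len;
    out->key_arg = out->enc_key + enc_len;      out->key_arg_len = arg_len;
    /* After RSA-decrypting enc_key, the plaintext must be exactly
     * c->key_len - c->clear_len bytes; any other length is a protocol error. */
    return CMK_OK;
}

int main(void)
{
    /* Constructed sample: RC4_128 (non-export) with a 2-byte clear key smuggled in. */
    static const uint8_t msg[] = { 0x02, 0x01,0x00,0x80, 0x00,0x02, 0x00,0x04, 0x00,0x00,
                                   0x11,0x22, 0xaa,0xbb,0xcc,0xdd };
    struct cmk m;
    int rc = parse_client_master_key(msg, sizeof msg, &m);
    printf("parse result %d (%s)\n", rc, rc == CMK_OK ? m.cipher->name : "rejected");
    return 0;
}
```

The same rule applies to the export entries in the table: a client that sends an export cipher kind with CLEAR-KEY-LENGTH 0 is rejected too, because the server would then treat the whole key as secret and derive it from a plaintext of the wrong length.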
Vulnerability in OpenSSL - Double-free in DSA code
A double free bug was discovered when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources. This scenario is considered rare. Found by Adam Langley Google/BoringSSL...
Vulnerability in OpenSSL - BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
In the BN_hex2bn function the number of hex digits is calculated using an int value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values of |i| this can result in |bn_expand| not allocating any memory because |i * 4| is negative. This can leave the internal BIGNUM data field as NUL...
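The overflow described above, and the bound that prevents it, as an added example that is not OpenSSL's code: hex_words_unchecked() reproduces the flawed shape (the digit count times 4 taken in an int), hex_words_checked() refuses any count whose bit length would not fit, and hex2words() is a small hex parser built on the checked version. The limb width, the function names and the sample inputs are this example's own assumptions.

```c
/* Added example, not OpenSSL code: sizing a bignum from a hex string without
 * the signed-overflow hazard described in the advisory above. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BN_BITS2 64   /* assumption: 64-bit limbs, as on x86_64 builds */

/* Flawed shape. For digits > INT_MAX/4 the product no longer fits in an int.
 * The unsigned multiply plus cast is used only so the wrap is implementation-
 * defined rather than undefined behaviour; the effect is the same: a zero or
 * negative word count, so the caller "allocates" nothing. Do not use. */
static int hex_words_unchecked(int digits)
{
    int bits = (int)((unsigned)digits * 4u);
    return (bits + (BN_BITS2 - 1)) / BN_BITS2;
}

/* Hardened shape: bound the digit count before multiplying. Returns the
 * number of BN_BITS2-bit words needed, or -1 on error (zero digits is an
 * error as well: there is nothing to parse). */
static int hex_words_checked(size_t digits)
{
    if (digits == 0 || digits > (size_t)INT_MAX / 4)
        return -1;
    int bits = (int)(digits * 4);
    return (bits + (BN_BITS2 - 1)) / BN_BITS2;
}

/* Parses the leading hex digits of `hex` (stopping at the first non-hex
 * character, as BN_hex2bn does) into little-endian 64-bit words.
 * Returns the number of words written, or 0 on error: no digits, a digit
 * count that fails the size check, or too little output space. */
static size_t hex2words(const char *hex, uint64_t *out, size_t out_words)
{
    size_t digits = strspn(hex, "0123456789abcdefABCDEF");
    int words = hex_words_checked(digits);
    if (words <= 0 || (size_t)words > out_words)
        return 0;
    memset(out, 0, (size_t)words * sizeof(uint64_t));
    /* Walk from the least significant digit upwards. */
    for (size_t k = 0; k < digits; k++) {
        char c = hex[digits - 1 - k];
        uint64_t v = (c >= '0' && c <= '9') ? (uint64_t)(c - '0')
                                            : (uint64_t)((c | 0x20) - 'a' + 10);
        out[k / 16] |= v << (4 * (k % 16));
    }
    return (size_t)words;
}

int main(void)
{
    uint64_t w[4];
    size_t n = hex2words("10000000000000000", w, 4);   /* 2^64: needs two words */
    printf("words=%zu low=%llx high=%llx\n", n,
           (unsigned long long)w[0], (unsigned long long)w[1]);
    printf("unchecked size for %d digits: %d words\n",
           INT_MAX / 2 + 1, hex_words_unchecked(INT_MAX / 2 + 1));
    return 0;
}
```

The unchecked variant is there only to show the hazard: for 2^30 digits the product wraps to zero bits and the function asks for no words at all, which is the state the advisory describes.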
Vulnerability in OpenSSL - Fix memory issues in BIO_*printf functions
The internal |fmtstr| function used in processing a “%s” format string in the BIO_*printf functions could overflow while calculating the length of a string and cause an OOB read when printing very long strings. Additionally the internal |doapr_outch| function can attempt to write to an OOB memory...
Vulnerability in OpenSSL - SSLv2 doesn't block disabled ciphers
A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. Found by Nimrod Aviram and Sebastian Schinzel...
Vulnerability in OpenSSL - DH small subgroups
Historically OpenSSL usually only ever generated DH parameters based on “safe” primes. More recently in version 1.0.2 support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be “safe”. Where an application ...
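What "the primes may not be safe" costs in practice, as an added example that is not OpenSSL's code: the standard DH public-key validation (the range check and the y^q mod p == 1 subgroup test of NIST SP 800-56A / RFC 2785), next to the unvalidated computation that leaks the private exponent modulo the small subgroup order. The parameters are toy values chosen for this example: p = 67 = 2*3*11 + 1, so Z_67* has small subgroups of order 2 and 3 beside the intended subgroup of order q = 11 generated by g = 64. Function names are the example's own.

```c
/* Added example, not OpenSSL code: validating a peer's DH public value before
 * combining it with our private key. Toy parameters only; everything is below
 * 2^32 so the products in modpow() fit in uint64_t. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t r = 1 % mod;
    base %= mod;
    while (exp) {
        if (exp & 1)
            r = (r * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return r;
}

/* Full public-key validation:   2 <= y <= p-2   and   y^q mod p == 1.
 * For a safe prime, q = (p-1)/2 and the second test just says "y is a
 * quadratic residue". For an X9.42 prime, q is the separately supplied
 * subgroup order and the test is what rejects elements of the small
 * subgroups that the other factors of p-1 create. */
static bool dh_pub_valid(uint64_t p, uint64_t q, uint64_t y)
{
    if (y < 2 || y > p - 2)
        return false;
    return modpow(y, q, p) == 1;
}

/* The unvalidated computation: z = y^x mod p. If y has small order r, z
 * depends only on x mod r, which is exactly what a hostile peer learns. */
static uint64_t dh_shared(uint64_t y, uint64_t x, uint64_t p)
{
    return modpow(y, x, p);
}

int main(void)
{
    const uint64_t p = 67, q = 11, g = 64, x = 29;   /* x: our private exponent */
    uint64_t honest = modpow(g, 5, p);               /* a real peer's public value */
    uint64_t rogue = 37;                             /* order-3 element, not in <g> */
    printf("honest y=%llu valid=%d\n",
           (unsigned long long)honest, dh_pub_valid(p, q, honest));
    printf("rogue  y=%llu valid=%d shared=%llu (reveals x mod 3 = %llu)\n",
           (unsigned long long)rogue, dh_pub_valid(p, q, rogue),
           (unsigned long long)dh_shared(rogue, x, p), (unsigned long long)(x % 3));
    return 0;
}
```

With a real X9.42 parameter set the same check needs a bignum modular exponentiation and the q value from the parameter file; the point is that the validation is not optional once q is smaller than (p-1)/2, and that a long-term private key makes the leak cumulative across connections.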
Vulnerability in OpenSSL - Race condition handling PSK identity hint
If PSK identity hints are received by a multi-threaded client then the values are wrongly updated in the parent SSL_CTX structure. This can result in a race condition potentially leading to a double free of the identity hint data. Found by Stephen Henson OpenSSL...
Vulnerability in OpenSSL - BN_mod_exp may produce incorrect results on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible...
Vulnerability in OpenSSL - X509_ATTRIBUTE memory leak
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS7 and CMS routines so any application which reads PKCS7 or CMS data from untrusted sources is affected. SSL/TLS is not affected. Found by Adam Langley Google/BoringSSL using libFuzz...
Vulnerability in OpenSSL - Certificate verify crash with missing PSS parameter
The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. Since these routines are used to verify certificate signature algorithms this can be used to crash any...
Vulnerability in OpenSSL - Anon DH ServerKeyExchange with 0 p parameter
If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with the value of p set to 0 then a seg fault can occur leading to a possible denial of service attack. Found by Guy Leaver Cisco...
Vulnerability in OpenSSL - Alternative chains certificate forgery
An error in the implementation of the alternative certificate chain logic could allow an attacker to cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate. Found by Adam...
Vulnerability in OpenSSL - CMS verify infinite loop with unknown hash function
When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code. Found by Johannes Bauer...
Vulnerability in OpenSSL - PKCS7 crash with missing EnvelopedContent
The PKCS7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that decrypt PKCS7 data or otherwise parse PKCS7 structures from untruste...
Vulnerability in OpenSSL - Exploitable out-of-bounds read in X509_cmp_time
X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and...
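Both defects named above (an unchecked length and tolerated fractional seconds) come from parsing a time string more loosely than the certificate profile allows. As an added example that is not OpenSSL's code, here is a length-bounded, DER-strict parser for the two encodings a certificate or CRL may carry: RFC 5280 requires UTCTime as YYMMDDHHMMSSZ and GeneralizedTime as YYYYMMDDHHMMSSZ, with no fractional seconds and no offsets. The function names, the packed return format and the sample strings are this example's own.

```c
/* Added example, not OpenSSL code: strict RFC 5280 time parsing where every
 * access is bounded by the length field first. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static bool all_digits(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] < '0' || s[i] > '9')
            return false;
    return true;
}

static int two_digits(const char *s)
{
    return (s[0] - '0') * 10 + (s[1] - '0');
}

/* Parses exactly `len` bytes of `s` (not necessarily NUL-terminated) as a
 * strict UTCTime (generalized == false) or GeneralizedTime (generalized ==
 * true). Returns the time packed as YYYYMMDDHHMMSS, e.g. 20150101000000,
 * which orders correctly under <, or -1 if the encoding is not strict. */
static long long asn1_time_strict(const char *s, size_t len, bool generalized)
{
    const size_t ylen = generalized ? 4 : 2;
    /* The grammar fixes the length: year + MMDDHHMMSS + 'Z'. Checking it first
     * is what keeps every index below inside the buffer, and it rejects any
     * fractional-seconds or timezone-offset suffix outright. */
    if (len != ylen + 11)
        return -1;
    if (s[len - 1] != 'Z' || !all_digits(s, len - 1))
        return -1;
    int year;
    if (generalized)
        year = two_digits(s) * 100 + two_digits(s + 2);
    else   /* RFC 5280 pivot: 50..99 -> 19xx, 00..49 -> 20xx */
        year = two_digits(s) >= 50 ? 1900 + two_digits(s) : 2000 + two_digits(s);
    const char *p = s + ylen;
    int mon = two_digits(p), day = two_digits(p + 2), hour = two_digits(p + 4),
        min = two_digits(p + 6), sec = two_digits(p + 8);
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hour > 23 || min > 59 || sec > 59)
        return -1;
    return (((long long)year * 100 + mon) * 100 + day) * 1000000LL
           + hour * 10000 + min * 100 + sec;
}

/* The comparison a validity check needs once notBefore/notAfter/now have all
 * been parsed above; a -1 on either bound means the certificate is rejected. */
static bool time_within(long long not_before, long long not_after, long long t)
{
    return not_before >= 0 && not_after >= 0 && not_before <= t && t <= not_after;
}

int main(void)
{
    /* Constructed samples: two strict encodings, then fractional seconds and a
     * truncated string, both of which the parser must refuse. */
    const char *samples[] = { "20150101000000Z", "150101000000Z",
                              "20150101000000.123Z", "2015010100" };
    const bool gen[] = { true, false, true, true };
    for (size_t i = 0; i < 4; i++)
        printf("%-22s -> %lld\n", samples[i],
               asn1_time_strict(samples[i], strlen(samples[i]), gen[i]));
    return 0;
}
```

The day-of-month bound is deliberately coarse (31 for every month); a stricter calendar check is easy to add but is not what the advisory is about.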
Vulnerability in OpenSSL - Malformed ECParameters causes infinite loop
When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes...
Vulnerability in OpenSSL - Invalid free in DTLS
This vulnerability does not affect current versions of OpenSSL. It existed in previous OpenSSL versions and was fixed in June 2014. If a DTLS peer receives application data between the ChangeCipherSpec and Finished messages, buffering of such data may cause an invalid free, resulting in a...
Vulnerability in OpenSSL - Race condition handling NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. Found by Emilia Käsper OpenSSL...
Vulnerability in OpenSSL - Multiblock corrupted pointer
Multiblock corrupted pointer. OpenSSL 1.0.2 introduced the “multiblock” performance improvement. This feature only applies on 64 bit x86 architecture platforms that support AES NI instructions. A defect in the implementation of “multiblock” can cause OpenSSL’s internal write buffer to become...
Vulnerability in OpenSSL - Segmentation fault in ASN1_TYPE_cmp
Segmentation fault in ASN1_TYPE_cmp. The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check certificate signature algorithm consistency this can be used to crash any certificate verification operation and...
Vulnerability in OpenSSL - ASN.1 structure reuse memory corruption
ASN.1 structure reuse memory corruption. Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Such reuse is and has been strongly discouraged and is believed to be rare. Found by Emilia Käsper OpenSSL development team...
Vulnerability in OpenSSL - PKCS7 NULL pointer dereferences
PKCS7 NULL pointer dereference. The PKCS7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that verify PKCS7 signatures, decrypt PKCS7 da...
Vulnerability in OpenSSL - DoS via reachable assert in SSLv2 servers
DoS via reachable assert in SSLv2 servers. A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message. Found by Sean Burford Google and Emilia Käsper OpenSSL development team...
Vulnerability in OpenSSL - Segmentation fault for invalid PSS parameters
Segmentation fault for invalid PSS parameters. The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and invalid parameters. Since these routines are used to verify certificate signature algorithms this can ...
Vulnerability in OpenSSL - Use After Free following d2i_ECPrivatekey error
Use After Free following d2i_ECPrivatekey error. A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use after free condition. This, in turn, could cause a double free in several private key parsing functions such as d2i_PrivateKey or EVP_PKCS82PKEY and could lead...
Vulnerability in OpenSSL - Base64 decode
A vulnerability existed in previous versions of OpenSSL related to the processing of base64 encoded data. Any code path that reads base64 data from an untrusted source could be affected such as the PEM processing routines. Maliciously crafted base64 data could trigger a segmentation fault or memo...
Vulnerability in OpenSSL - Empty CKE with client auth and DHE
Empty CKE with client auth and DHE. If client auth is used then a server can seg fault in the event of a DHE ciphersuite being selected and a zero length ClientKeyExchange message being sent by the client. This could be exploited in a DoS attack. Found by Matt Caswell OpenSSL development team...
Vulnerability in OpenSSL - OpenSSL 1.0.2 ClientHello sigalgs DoS
ClientHello sigalgs DoS. If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server. Found by David Ramos Stanford University...
Vulnerability in OpenSSL - Segmentation fault in DTLSv1_listen
Segmentation fault in DTLSv1_listen. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invocation to the next that can lead to a segmentation fault. Errors processing the initial ClientHello can trigger this scenario. An example of such an erro...
Vulnerability in OpenSSL - Handshake with unseeded PRNG
Under certain conditions an OpenSSL 1.0.2 client can complete a handshake with an unseeded PRNG. If the handshake succeeds then the client random that has been used will have been generated from a PRNG with insufficient entropy and therefore the output may be predictable. Found by Matt Caswell...
Vulnerability in OpenSSL - X509_to_X509_REQ NULL pointer deref
X509_to_X509_REQ NULL pointer deref. The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. This function is rarely used in practice. Found by Brian Carpenter...
Vulnerability in OpenSSL - DTLS memory leak in dtls1_buffer_record
A memory leak can occur in the dtls1_buffer_record function under certain conditions. In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch. The memory leak could be exploited by an attacker in a Denial of Service attack throug...
Vulnerability in OpenSSL - Bignum squaring may produce incorrect results
Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. This bug occurs at random with a very low probability, and is not known to be exploitable in any way, though its exact impact is difficult to determine. The following has been determined: The probability of...
Vulnerability in OpenSSL - DH client certificates accepted without verification [Server]
An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This effectively allows a client to authenticate without the use of a private key. This only affects servers which trust a client certificate authority which issues certificates...
Vulnerability in OpenSSL - RSA silently downgrades to EXPORT_RSA [Client]
An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. A server could present a weak temporary key and downgrade the security of the session. Found by Karthikeyan Bhargavan of the PROSECCO team at INRIA...
Vulnerability in OpenSSL - Certificate fingerprints can be modified
OpenSSL accepts several non-DER-variations of certificate signature algorithm and signature encodings. OpenSSL also does not enforce a match between the signature algorithm between the signed and unsigned portions of the certificate. By modifying the contents of the signature algorithm or the...
Vulnerability in OpenSSL - DTLS segmentation fault in dtls1_get_record
A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack. Found by Markus Stenberg of Cisco Systems, Inc...
Vulnerability in OpenSSL - ECDHE silently downgrades to ECDH [Client]
An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. This effectively removes forward secrecy from the ciphersuite. Found by Karthikeyan Bhargavan of the PROSECCO team at INRIA...
Vulnerability in OpenSSL - no-ssl3 configuration sets method to NULL
When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl method would be set to NULL which could later result in a NULL pointer dereference. Found by Frank Schmirler...
Vulnerability in OpenSSL - Build option no-ssl3 is incomplete
When OpenSSL is configured with “no-ssl3” as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them. Found by Akamai Technologies...
Vulnerability in OpenSSL - Session Ticket Memory Leak
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could...
Vulnerability in OpenSSL - SRTP Memory Leak
A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server...
Vulnerability in OpenSSL - OpenSSL DTLS anonymous EC(DH) denial of service
A flaw in handling DTLS anonymous ECDH ciphersuites was found. OpenSSL DTLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference read by specifying an anonymous ECDH ciphersuite and sending...
Vulnerability in OpenSSL - SRP buffer overrun
A SRP buffer overrun was found. A malicious client or server can send invalid SRP parameters and overrun an internal buffer. Only applications which are explicitly set up for SRP use are affected. Found by Sean Devlin and Watson Ladd Cryptography Services, NCC Group...
Vulnerability in OpenSSL - OpenSSL TLS protocol downgrade attack
A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher...
Vulnerability in OpenSSL - Information leak in pretty printing functions
A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_NAME_oneline and X509_NAME_print_ex to leak some information from the stack. Applications may be affected if they echo pretty printing output to the attacker. OpenSSL SSL/TLS clients and servers themselves are not affected. Found by...
Vulnerability in OpenSSL - DTLS memory leak from zero-length fragments
A DTLS memory leak from zero-length fragments was found. By sending carefully crafted DTLS packets an attacker could cause OpenSSL to leak memory. This could lead to a Denial of Service attack. Found by Adam Langley Google...