OpenSSL Releases New Fix for CVE-2012-2110 ASN1 Bug


The OpenSSL developers have had to re-release the fix for a serious vulnerability in the software’s ASN.1 implementation that could allow an attacker to cause a denial of service or potentially run arbitrary code on a remote machine. The updated fix only applies to version 0.9.8v; all of the other previously affected versions are already protected with the existing patch. OpenSSL released the original [advisory and fix for the CVE-2012-2110](<http://www.openssl.org/news/secadv_20120419.txt>) vulnerability last week, fixing the bug in versions 0.9.8, 1.0.1a and 1.0.0i. But after releasing the fixes, Red Hat discovered that the fix for version 0.9.8 didn’t completely address the vulnerability, hence the new patch. “The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key,” according to the description of the bug in the [National Vulnerability Database](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2110>). OpenSSL developers are encouraging users to upgrade to the patched versions as soon as they can.