CERT-MU :Advisories

Home | Search | FAQ | Site Map | Contact Us

|| Hotline : 800 2378 || To contact CERT-MU send e-mail on --> info[at]cert-mu.gov.mu || To report incident e-mail on --> incident[at]cert-mu.gov.mu || To report Vulnerabilities send e-mail on --> Vulnerability[at]cert-mu.gov.mu ||

Charter & Mission

CERT-MU Services

Constituency

Authority

Incident Reporting

Vulnerability Reporting

Incident Statistics Forms

Vol. 2, Feb 2012

Vol. 1, Oct 2011

World CERTs

Security Sites

Security Tools

Antivirus Resources

Email Abuse

Network Abuse

Anti-Spam Initiative

Cyber Security Portal

Safer Internet Day

Computer Security Day

National Computer Board

Authorized to use CERT(TM) - CERT is a mark owned by Carnegie Mellon University

CERT-MU AD-2009-4

OpenSSL Multiple Vulnerabilities

Original issue date: 27 March, 2009

Overview

Multiple vulnerabilities have been reported in OpenSSL 0.9.8j and earlier, which could allow remote attackers to bypass certain security restrictions or cause denial of service conditions.

Description

OpenSSL ASN 1_STRING_print_ex() Invalid Memory Access Vulnerability

This vulnerability is caused due to an error exists in the " ASN 1_STRING_print_ex()" function when printing "BMPString" or "UniversalString" strings in openSSL. A remote attacker could exploit this vulnerability via an illegal encoded string length (e.g. printing the contents of a certificate) to trigger an invalid memory access error. Successful exploitation of this vulnerability could allow a remote attacker to cause denial of service condition.
OpenSSL CMS _verify() Error Handling vulnerability

This vulnerability is caused due to incorrect handling of an error condition when processing malformed signed attributes in " CMS _verify()" function in openSSL. A remote attacker could exploit this vulnerability using malformed set of signed attributes to trick an application into considering as a valid signed attributes. Successful exploitation of this vulnerability could allow a remote attacker to bypass certain security restrictions.

Successful exploitation requires access to a previously generated invalid signature.

Note: This issue only affects OpenSSL versions 0.9.8h and later with CMS enabled.
OpenSSL ASN 1 Structure Memory Access Vulnerability

This vulnerability is caused due to an error when processing malformed ASN 1 structures in openSSL. A remote attacker could exploit this vulnerability via a specially crafted certificate to trigger an invalid memory access error. Successful exploitation of this vulnerability could allow a remote attacker to cause denial of service condition.

Note: This issue exist only on platforms where the size of "long" is smaller than the size of "void*" (e.g. WIN 64).