CERT-MU Vulnerability Note VN-2012-117

OpenSSL Transport Layer Security Packet Parsing Integer Underflow Denial of Service Vulnerability

Original Issue Date: May 02, 2012

Severity Rating: Medium

Systems Affected:

  • OpenSSL 0.9.8 releases prior to 0.9.8x
  • OpenSSL 1.0.0 releases prior to 1.0.0j
  • OpenSSL 1.0.1 releases prior to 1.0.1c

Description

A vulnerability has been identified in OpenSSL that can be exploited by remote attackers to cause a Denial of Service condition in any application, client or server, that uses the library. The flaw lies in the handling of record length values for CBC cipher suites in TLS 1.1, TLS 1.2 and DTLS, the protocol versions that carry an explicit per-record IV (initialization vector). When processing a received record, OpenSSL first subtracted the number of padding bytes from the record length, but did not check the resulting length before also subtracting the size of the explicit IV. Because the length is an unsigned value, a record whose padding leaves fewer bytes than one cipher block causes this second subtraction to underflow and wrap to a very large value. The subsequent MAC processing then trusts that length, reads beyond the end of the record buffer (an out-of-bounds read) and typically crashes the process. A remote attacker can trigger this by sending a single specially crafted TLS or DTLS record; no authentication is required. SSL 3.0 and TLS 1.0 do not use an explicit IV and are not affected by this code path.
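The arithmetic described above is easiest to see in code. The following C model is an added example and is not OpenSSL's source: the names (strip_record_unchecked, strip_record_checked, reads_out_of_bounds), the block and MAC sizes, and the order of the checks are assumptions chosen to reproduce the bug class, and verification of the padding byte values themselves is left out. It compares a length-stripping routine that subtracts the explicit IV without a guard against one that bounds the record before subtracting anything, and shows how a one-block record with one byte of padding drives the unguarded version to a wrapped length that the later MAC size check no longer catches.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not OpenSSL's code: a model of the length bookkeeping a
 * TLS 1.1/1.2 or DTLS receiver does on a decrypted CBC record.  Constants,
 * names and the order of the checks are assumptions made for illustration.
 *
 * After CBC decryption the record buffer holds
 *     explicit IV (BLOCK_SIZE) || data || MAC (MAC_SIZE) || padding || padlen
 * The receiver strips the padding, then the explicit IV, then the MAC.
 * Every length is unsigned, so a subtraction without a preceding
 * comparison silently wraps around instead of going negative.
 */
#define BLOCK_SIZE 16u   /* AES block size; also the explicit IV length */
#define MAC_SIZE   20u   /* HMAC-SHA1 tag length */

struct parsed {
    bool     ok;      /* false: record rejected before any of it was used */
    uint32_t length;  /* application data length the receiver now believes */
};

/* Vulnerable variant: the padding check only asks whether the padding fits
 * in the record; the IV is then subtracted with no check at all, and the
 * MAC check that follows is applied to the wrapped (huge) value. */
struct parsed strip_record_unchecked(uint32_t decrypted_len, uint8_t padlen_byte)
{
    struct parsed r = { false, 0 };
    uint32_t pad = (uint32_t)padlen_byte + 1u;   /* padding bytes + padlen byte */
    uint32_t length = decrypted_len;

    if (length == 0 || length % BLOCK_SIZE != 0) return r;  /* not block aligned */
    if (pad > length) return r;                              /* padding cannot fit */
    length -= pad;

    /* BUG: no "length >= BLOCK_SIZE" check before removing the explicit IV. */
    length -= BLOCK_SIZE;                 /* wraps when fewer than 16 bytes remain */

    if (length < MAC_SIZE) return r;      /* passes: the wrapped value is enormous */
    length -= MAC_SIZE;
    r.ok = true;
    r.length = length;
    return r;
}

/* Hardened variant: bound the record against everything that will be
 * subtracted from it before subtracting anything, so no step can wrap. */
struct parsed strip_record_checked(uint32_t decrypted_len, uint8_t padlen_byte)
{
    struct parsed r = { false, 0 };
    uint32_t pad = (uint32_t)padlen_byte + 1u;
    uint32_t length = decrypted_len;

    if (length == 0 || length % BLOCK_SIZE != 0) return r;
    /* Record must hold the IV, the MAC and the padding together. */
    if (length < BLOCK_SIZE + MAC_SIZE + pad) return r;
    length -= pad;          /* >= BLOCK_SIZE + MAC_SIZE afterwards */
    length -= BLOCK_SIZE;   /* >= MAC_SIZE afterwards */
    length -= MAC_SIZE;     /* >= 0 afterwards, no wrap possible */
    r.ok = true;
    r.length = length;
    return r;
}

/* Would MAC verification over `r` read past the decrypted_len-byte buffer?
 * The receiver reads data[0..length) and the MAC after it, starting past
 * the IV; 64-bit arithmetic avoids wrapping the comparison itself. */
bool reads_out_of_bounds(struct parsed r, uint32_t decrypted_len)
{
    uint64_t end = (uint64_t)BLOCK_SIZE + r.length + MAC_SIZE;
    return r.ok && end > decrypted_len;
}

int main(void)
{
    /* Constructed inputs: (decrypted record length, padlen byte). */
    struct { uint32_t len; uint8_t padlen; const char *what; } cases[] = {
        { 48, 5, "well-formed record, 6 bytes of application data" },
        { 16, 0, "crafted record: one block, one byte of padding" },
    };
    for (unsigned i = 0; i < 2; i++) {
        struct parsed u = strip_record_unchecked(cases[i].len, cases[i].padlen);
        struct parsed c = strip_record_checked(cases[i].len, cases[i].padlen);
        printf("%s\n  unchecked: ok=%d length=%u out-of-bounds=%d\n  checked:   ok=%d length=%u\n",
               cases[i].what, u.ok, u.length, reads_out_of_bounds(u, cases[i].len),
               c.ok, c.length);
    }
    return 0;
}
```

On the well-formed 48-byte record both variants agree on 6 bytes of data. On the crafted 16-byte record the unchecked variant reaches 15 after padding removal, wraps to 0xFFFFFFFF when the IV is subtracted, sails through the MAC size check and ends with a data length of about 4 GiB, so the MAC computation reads far past the buffer; the checked variant rejects the record up front because 16 bytes cannot hold a 16-byte IV, a 20-byte MAC and a padding byte. A production implementation must additionally verify the padding bytes and the MAC in constant time, which this model deliberately omits.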

Solution

Users are advised to upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x, according to the release branch in use, or to apply the corresponding update from their operating system vendor (see the Red Hat reference below).

More information is available on:

https://bugzilla.redhat.com/show_bug.cgi?id=820686

Vendor Information

OpenSSL

www.openssl.org

CVE Information

CVE-2012-2333

References

Secunia
http://secunia.com/advisories/49116/

Red Hat
https://bugzilla.redhat.com/show_bug.cgi?id=820686

OpenSSL Advisory
http://www.openssl.org/news/secadv_20120510.txt

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email:
info[at]cert-mu.gov.mu (general enquiries)
incident[at]cert-mu.gov.mu (incident reporting)
Vulnerability[at]cert-mu.gov.mu (vulnerability reporting)

Hotline:
800 2378

Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis
