Two vulnerabilities in OpenSSL

Published: 2016-09-26 | Updated: 2016-09-27

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2016-6309 CVE-2016-7052
CWE-ID	CWE-416 CWE-476
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	OpenSSL Server applications / Encryption software Oracle VM VirtualBox Server applications / Virtualization software
Vendor	OpenSSL Software Foundation Oracle

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

Both described vulnerabilities were introduced into OpenSSL during last patch update.

1) Use after free error

EUVDB-ID: #VU661

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2016-6309

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

A remote attacker can execute arbitrary code on the target system.

The vulnerability exists due to incorrect implementation of patch for vulnerability CVE-2016-6307. A remote attacker can send a specially crafted message larger than 16 kilobytes and reallocated the buffer, intended to store the message, and then use the dangling pointer to control execution flaw.

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on the target system.

Mitigation

Update to version 1.1.0b.

Vulnerable software versions

OpenSSL: 1.1.0a

Oracle VM VirtualBox: 5.0.27 - 5.1.7

CPE2.3

External links

https://www.openssl.org/news/secadv/20160926.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Missing CRL sanity check

EUVDB-ID: #VU660

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-7052

CWE-ID: CWE-476 - NULL Pointer Dereference