SB2023030204 - Multiple vulnerabilities in Edgecross Basic Software for Windows

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Infinite loop (CVE-ID: CVE-2022-0778)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop within the BN_mod_sqrt() function when processing an ASN.1 certificate that contains elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. A remote attacker can supply a specially crafted certificate to the TLS server or client, consume all available system resources and cause denial of service conditions.

2) Infinite loop (CVE-ID: CVE-2022-29862)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop. A remote attacker can consume all available system resources and cause denial of service conditions.

3) Resource exhaustion (CVE-ID: CVE-2022-29864)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the handling of message chunks. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://jvn.jp/en/vu/JVNVU96890975/index.html"
• https://jvn.jp/en/vu/JVNVU96890975/index.html</a></p><p>
• https://www.edgecross.org/en/data-download/pdf/ECD-TE10-0005-01-EN.pdf</p><p><br></p>