#VU77556 Race condition in OpenSSL - CVE-2015-3196


Vulnerability identifier: #VU77556

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-3196

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in the ssl/s3_clnt.c in OpenSSL when used for a multi-threaded client. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system via a crafted ServerKeyExchange message.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenSSL: 1.0.0s - 1.0.0p, 1.0.1h - 1.0.1, 1.0.2c - 1.0.2

External links
https://openssl.org/news/secadv/20151203.txt
https://git.openssl.org/?p=openssl.git;a=commit;h=3c66a669dfc7b3792f7af0758ea26fe8502ce70c
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40100
https://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
https://marc.info/?l=bugtraq&m=145382583417444&w=2
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04944173
https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
https://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
https://www.securityfocus.com/bid/78622
https://fortiguard.com/advisory/openssl-advisory-december-2015
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl
https://rhn.redhat.com/errata/RHSA-2015-2617.html
https://www.fortiguard.com/advisory/openssl-advisory-december-2015
https://www.ubuntu.com/usn/USN-2830-1
https://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.754583
https://lists.fedoraproject.org/pipermail/package-announce/2015-December/173801.html
https://www.debian.org/security/2015/dsa-3413
https://lists.opensuse.org/opensuse-updates/2015-12/msg00070.html
https://lists.opensuse.org/opensuse-updates/2015-12/msg00071.html
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05398322
https://www.securitytracker.com/id/1034294
https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://rhn.redhat.com/errata/RHSA-2016-2957.html
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM b-type SAN switches and directors
Multiple vulnerabilities in N series Products
Multiple vulnerabilities in IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems
Multiple vulnerabilities in IBM BladeCenter Advanced Management Module (AMM)