#VU818 Denial of service in OpenSSL and Oracle VM VirtualBox - CVE-2016-6308

Cybersecurity Help s.r.o.

Published: 2016-10-10 | Updated: 2017-01-05

Vulnerability identifier: #VU818

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-6308

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software
Oracle VM VirtualBox
Server applications / Virtualization software

Vendor: OpenSSL Software Foundation
Oracle

Description
The vulnerability allows a remote unauthenticated user to cause DoS conditions on the target system.
The weakness is due to insufficient validation of input length. By sending messages with excessive length attackers can cause resource exhaustion that leads to denial of service.
Successful exploitation of the vulnerability will allow a malicious user to trigger the vulnerable service to deny.

Mitigation
Update 1.1.0 to version 1.1.0a.

Vulnerable software versions

OpenSSL: 1.1.0

Oracle VM VirtualBox: 5.0.27, 5.1.7

External links
https://www.openssl.org/news/secadv/20160922.txt
https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM FOS Firmware

Multiple vulnerabilities in Multiple N series Products

Denial of service in OpenSSL