OpenSSL SSL_get_shared_ciphers Function Buffer Overflow Vulnerability
-------------------------------------------------------------------------------------
Alert Type :VULNERABILITY ALERT
Threat Type :Unintended Weakness:Buffer Overflow
IntelliShield ID :11788
Version :23
Urgency :2 - Unlikely Use
Credibility :5 - Confirmed
Severity :4 - Moderate Damage
CVSS Base Score :10.0
CVSS Temporal Score :7.4
CVSS Vector :AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N/E:U/RL:O/RC:C
First Published :Sep 28, 2006; 03:56 PM EDT
Last Published :Jan 18, 2007; 09:54 AM EST
Ports :Not Available
CVE :CVE-2006-3738
Version Summary
-------------------------------------------------------------------------------------
Oracle has released the January 2007 Critical Patch Update and updates to address the buffer overflow vulnerability in the SSL_get_shared_ciphers function of OpenSSL.
Description
-------------------------------------------------------------------------------------
OpenSSL versions 0.9.7k and prior and 0.9.8c and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.
This vulnerability exists due to insufficient boundary checking on user-supplied input. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted request to an application or system service depending on the OpenSSL library. An exploit could trigger a buffer overflow condition, allowing the attacker to crash the affected service or execute arbitrary code with privileges of the target application or service.
OpenSSL confirmed this vulnerability in a security advisory and released updated versions.
Impact
-------------------------------------------------------------------------------------
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code with privileges of the affected service or application. An exploit could allow the attacker to gain complete control of the affected system.
Warning Indicators
-------------------------------------------------------------------------------------
OpenSSL versions 0.9.7k and prior and 0.9.8c and prior are vulnerable.
Technical Information
-------------------------------------------------------------------------------------
This vulnerability exists because the SSL_get_shared_ciphers() function fails to properly limit input before use in memory operations. An attacker could exploit this vulnerability by sending a malicious set of large, crafted ciphers to an exposed application depending on the OpenSSL library and then using the affected function. An exploit could trigger a buffer overflow condition, allowing an attacker to crash the affected application or execute arbitrary code with privileges of the affected application or service.
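The defensive pattern that addresses this class of defect is a length check before every copy when assembling the ':'-separated cipher-name list into a caller-supplied buffer. The following C program is an added illustration of that pattern, not OpenSSL's own code and not the actual vulnerable routine; the cipher names, the buffer sizes and the function names (join_ciphers_unchecked, join_ciphers_bounded, demo_count, demo_matches) are constructed for this example. The unchecked variant shows where the missing bound lies; the bounded variant truncates at a whole name and always NUL-terminates.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample input: cipher names as a peer might offer them.
 * (Hypothetical list for illustration, not taken from a real handshake.) */
static const char *SAMPLE_CIPHERS[] = {
    "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"
};
#define SAMPLE_CIPHER_COUNT (sizeof(SAMPLE_CIPHERS) / sizeof(SAMPLE_CIPHERS[0]))

/* Anti-pattern (hypothetical, not OpenSSL's code): the caller passes a
 * buffer of size len, but len is never consulted before copying, so a
 * long enough list of names runs past the end of buf. Only call this
 * with a buffer known to hold the whole result. */
void join_ciphers_unchecked(const char **names, size_t count, char *buf, size_t len)
{
    size_t used = 0;
    (void)len;                       /* the bound exists but is ignored */
    for (size_t i = 0; i < count; i++) {
        if (i > 0)
            buf[used++] = ':';
        strcpy(buf + used, names[i]); /* no room check before the copy */
        used += strlen(names[i]);
    }
    buf[used] = '\0';
}

/* Hardened form: checks remaining capacity before every copy, writes only
 * whole names, always NUL-terminates, and returns how many names fit
 * (0 if even the first does not). The caller can compare the return
 * value with count to detect truncation instead of silently losing data. */
int join_ciphers_bounded(const char **names, size_t count, char *buf, size_t len)
{
    size_t used = 0;
    int written = 0;
    if (buf == NULL || len == 0)
        return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);
        /* room for an optional ':' separator, the name, and the NUL */
        size_t need = n + (written > 0 ? 1 : 0) + 1;
        if (need > len - used)
            break;                   /* the check the unchecked variant lacks */
        if (written > 0)
            buf[used++] = ':';
        memcpy(buf + used, names[i], n);
        used += n;
        buf[used] = '\0';
        written++;
    }
    return written;
}

/* Helpers for checking behaviour at a given buffer size. */
int demo_count(size_t len)
{
    char buf[64];
    if (len > sizeof(buf))
        len = sizeof(buf);
    return join_ciphers_bounded(SAMPLE_CIPHERS, SAMPLE_CIPHER_COUNT, buf, len);
}

int demo_matches(size_t len, const char *expected)
{
    char buf[64];
    if (len > sizeof(buf))
        len = sizeof(buf);
    join_ciphers_bounded(SAMPLE_CIPHERS, SAMPLE_CIPHER_COUNT, buf, len);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char big[64];
    char small[16];
    int n;

    join_ciphers_unchecked(SAMPLE_CIPHERS, SAMPLE_CIPHER_COUNT, big, sizeof(big));
    printf("unchecked (buffer large enough): %s\n", big);

    n = join_ciphers_bounded(SAMPLE_CIPHERS, SAMPLE_CIPHER_COUNT, small, sizeof(small));
    printf("bounded into %zu bytes: \"%s\" (%d of %zu names fit)\n",
           sizeof(small), small, n, SAMPLE_CIPHER_COUNT);
    return 0;
}
```

With a 16-byte buffer the bounded version stops after the first name and reports 1 of 5, so a caller that compares the return value with the number of shared ciphers can log the truncation; the unchecked version would have written 51 bytes into that buffer.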
IntelliShield Analysis
-------------------------------------------------------------------------------------
Systems that allow unfiltered user input to system applications and services depending on the vulnerable OpenSSL library are at a greater risk. An attacker can exploit this vulnerability by sending a crafted request to an exposed service linked to the OpenSSL library. Statically linked applications and services may require recompilation, while dynamically linked applications and services will simply require a service or system restart. Vulnerable services may include mail, web, and database services using OpenSSL to encrypt network communications.
Safeguards
-------------------------------------------------------------------------------------
Administrators are advised to apply the appropriate software updates.
Administrators are advised to restrict access to trusted users.
Administrators may consider employing network filtering devices to block malformed requests to affected systems.