SGI: Security

OpenSSL SSL_get_shared_ciphers Function Buffer Overflow Vuln

OpenSSL SSL_get_shared_ciphers Function Buffer Overflow Vulnerability

-------------------------------------------------------------------------------------

Alert Type: VULNERABILITY ALERT

Threat Type: Unintended Weakness: Buffer Overflow

IntelliShield ID: 11788
Version: 23

Urgency: 2 - Unlikely Use

Credibility: 5 - Confirmed

Severity: 4 - Moderate Damage

CVSS Base Score: 10.0

CVSS Temporal Score: 7.4

CVSS Vector: AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N/E:U/RL:O/RC:C

First Published: Sep 28, 2006; 03:56 PM EDT
Last Published: Jan 18, 2007; 09:54 AM EST

Ports: Not Available
CVE: CVE-2006-3738

Version Summary
-------------------------------------------------------------------------------------
Oracle has released the January 2007 Critical Patch Update and updates to address the buffer overflow vulnerability in the SSL_get_shared_ciphers function of OpenSSL.

Description
-------------------------------------------------------------------------------------
OpenSSL versions 0.9.7k and prior and 0.9.8c and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of an application or service that uses the affected function.

This vulnerability exists due to insufficient boundary checking on peer-supplied input. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted cipher list to an application or system service that depends on the OpenSSL library and calls the affected function. An exploit could trigger a buffer overflow condition, allowing the attacker to crash the affected service or execute arbitrary code with the privileges of the target application or service.

OpenSSL confirmed this vulnerability in a security advisory and released updated versions.

Impact
-------------------------------------------------------------------------------------
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code with privileges of the affected service or application. An exploit could allow the attacker to gain complete control of the affected system.

Warning Indicators
-------------------------------------------------------------------------------------
OpenSSL versions 0.9.7k and prior and 0.9.8c and prior are vulnerable.

Technical Information
-------------------------------------------------------------------------------------
This vulnerability exists because SSL_get_shared_ciphers() does not correctly bound the cipher names it copies into the caller-supplied buffer. Only applications that call this function (typically to log the ciphers shared with a peer) are exposed; linking the vulnerable library alone is not sufficient. An attacker could exploit this vulnerability by offering a large, crafted list of cipher suites during the handshake to an exposed application that depends on the OpenSSL library and then calls the affected function. An exploit could trigger a buffer overflow condition, allowing an attacker to crash the affected application or execute arbitrary code with the privileges of the affected application or service.

IntelliShield Analysis
-------------------------------------------------------------------------------------
Systems that expose applications and services depending on the vulnerable OpenSSL library to untrusted peers are at greater risk. An attacker can exploit this vulnerability by sending a crafted request to an exposed service linked to the OpenSSL library. Statically linked applications and services must be rebuilt against the fixed library, while dynamically linked applications and services need only a service or system restart after the library is updated. Vulnerable services may include mail, web, and database services that use OpenSSL to encrypt network communications.

Safeguards
-------------------------------------------------------------------------------------
Administrators are advised to apply the appropriate software updates.

Administrators are advised to restrict access to trusted users.

Administrators may consider employing network filtering devices to block malformed requests to affected systems.
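To make the Technical Information section concrete, here is an added example written for this thread. It is not OpenSSL's source and not part of the alert: a reconstruction of the shape of the pre-fix SSL_get_shared_ciphers() copy loop next to a bounded rewrite in the shape of the fix shipped in 0.9.7l/0.9.8d. The function names, the 5-byte buffer and the "ABCD"/"X" cipher names are constructed for the demonstration, and the exact arithmetic of the old loop is illustrative (from memory of the advisory-era ssl_lib.c), so treat it as the pattern rather than a line-for-line copy. The unsafe version is simulated: it counts how many bytes the original logic would have written but only stores the ones that fall inside the buffer, so the example itself does not corrupt memory.

```c
/* Added example for this thread, not OpenSSL's source: reconstruction of the
 * pre-0.9.8d SSL_get_shared_ciphers() loop shape beside a bounded rewrite. */
#include <stdio.h>
#include <string.h>

/* Unfixed logic. Stores only bytes inside [0, len) but keeps counting, so the
 * caller sees how far the original would have written. Returns the byte count
 * including the terminator; anything above len is the overflow. */
size_t shared_ciphers_vulnerable_sim(const char *const *names, int count,
                                     char *buf, int len)
{
    size_t off = 0;                  /* where the original's write pointer is */
    const size_t cap = (size_t)len;  /* real size of buf */
    int i;
    if (count == 0 || len < 2)
        return 0;
    for (i = 0; i < count; i++) {
        const char *cp;
        /* Reserve a byte for ':' or '\0'. Never checked: once len hits 0 it
         * goes negative and the "len-- == 0" test below can no longer fire. */
        len--;
        for (cp = names[i]; *cp; cp++) {
            if (len-- == 0) {
                if (off < cap)
                    buf[off] = '\0';
                return off + 1;
            }
            if (off < cap)
                buf[off] = *cp;
            off++;
        }
        if (off < cap)
            buf[off] = ':';
        off++;
    }
    if (off - 1 < cap)
        buf[off - 1] = '\0';         /* trailing ':' becomes the terminator */
    return off;
}

/* Bounded rewrite: the whole name plus its separator must fit in the remaining
 * space before anything is copied. Never writes more than len bytes. */
size_t shared_ciphers_fixed(const char *const *names, int count,
                            char *buf, int len)
{
    char *p = buf;
    int i;
    if (count == 0 || len < 2)
        return 0;
    for (i = 0; i < count; i++) {
        int n = (int)strlen(names[i]);
        if (n + 1 > len) {           /* name plus ':' (or final '\0') */
            if (p != buf)
                --p;                 /* drop the ':' after the previous name */
            *p = '\0';
            return (size_t)(p - buf) + 1;
        }
        memcpy(p, names[i], (size_t)n);
        p += n;
        *(p++) = ':';
        len -= n + 1;
    }
    p[-1] = '\0';
    return (size_t)(p - buf);
}

/* Constructed input (not real cipher names): a 5-byte buffer and a first name
 * that, with its ':', fills it exactly, so len is 0 at the next decrement. */
enum { DEMO_LEN = 5, DEMO_N = 2, BIG_LEN = 16 };
static const char *const demo_list[] = { "ABCD", "X" };

size_t demo_vulnerable_bytes(void)
{
    char buf[DEMO_LEN];
    return shared_ciphers_vulnerable_sim(demo_list, DEMO_N, buf, DEMO_LEN);
}

/* Bytes the fixed version writes; 0 unless it left a terminated "ABCD". */
size_t demo_fixed_bytes(void)
{
    char buf[DEMO_LEN];
    size_t n = shared_ciphers_fixed(demo_list, DEMO_N, buf, DEMO_LEN);
    return strcmp(buf, "ABCD") == 0 ? n : 0;
}

/* With room to spare both versions agree on "ABCD:X" (7 bytes with NUL). */
int demo_agree_when_room(void)
{
    char a[BIG_LEN], b[BIG_LEN];
    size_t na = shared_ciphers_vulnerable_sim(demo_list, DEMO_N, a, BIG_LEN);
    size_t nb = shared_ciphers_fixed(demo_list, DEMO_N, b, BIG_LEN);
    return na == nb && na == 7 && strcmp(a, b) == 0;
}

int main(void) { printf("buffer %d bytes: unfixed would write %zu, fixed writes %zu, agree with room: %d\n", DEMO_LEN, demo_vulnerable_bytes(), demo_fixed_bytes(), demo_agree_when_room()); return 0; }
```

What it shows: the decrement that reserves space for the separator is never bounds-checked, so a list whose earlier names exactly fill the buffer pushes len negative and the "len-- == 0" test can no longer stop the copy; every following name from the peer's list then spills past the end of the buffer. The rewrite checks the full name plus separator against the remaining space before copying and truncates cleanly. The caveat from the alert stands: an application that links the vulnerable library but never calls SSL_get_shared_ciphers() is not reachable through this bug.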
Ah, thought this was something new - been fixed since last September (and in Nekoware since October) ;)
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.
Oh right. Sorry, my mistake as well.
Not a problem. Looks like this was sent out as an update because Oracle finally patched their bundled library: "Oracle has released the January 2007 Critical Patch Update and updates to address the buffer overflow vulnerability in the SSL_get_shared_ciphers function of OpenSSL." Other than that, old news :)