Vigil@nce - OpenSSL: denial of service via DTLS Reassembly
October 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send out-of-order DTLS packets, with some packets
missing, to an application built with OpenSSL, in order to trigger a
denial of service.
– Impacted products: Blue Coat CAS, ProxyAV, ProxySG, SGOS, Cisco
ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility
Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content
SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, Cisco IPS, Nexus by
Cisco, NX-OS, Cisco Prime Access Registrar, Prime Infrastructure,
Cisco Router, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco IP
Phone, Cisco MeetingPlace, Cisco Wireless Controller, Debian,
Fedora, FileZilla Server, FreeBSD, FreeRADIUS, Juniper J-Series,
JUNOS, Junos Space, NSM Central Manager, NSMXpress, NetScreen
Firewall, ScreenOS, OpenSSL, openSUSE, openSUSE Leap, Solaris,
pfSense, RHEL, Slackware, stunnel, SUSE Linux Enterprise Desktop,
SLES, Synology DS***, Synology RS***, Ubuntu, Wind River Linux.
– Severity: 2/4.
– Creation date: 24/08/2016.
DESCRIPTION OF THE VULNERABILITY
The OpenSSL library implements DTLS (Datagram Transport Layer
Security, i.e. TLS over a datagram transport such as UDP).
DTLS packets can arrive out of order. OpenSSL has to keep them in
memory so that it can reassemble them. However, in two cases the
message queues are not cleared, so the buffered data accumulates.
An attacker can therefore send out-of-order DTLS packets, with some
packets missing, to an application built with OpenSSL, in order to
trigger a denial of service.
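The buffering the description refers to, modelled as a reassembly queue that is bounded and cleared as messages are delivered. This is an added example, not OpenSSL's code; the window size, the byte cap and the fragment fields (message_seq, offset, body, total length) are assumptions.

```python
# Constructed model of DTLS handshake-message reassembly; this is an added
# example, not OpenSSL's code. Assumed layout: each handshake message has a
# message_seq, and each fragment carries its offset, its body and the
# message's total length. The receiver delivers messages in order, holds
# fragments only for a small window of future messages, caps the bytes it
# keeps, and deletes the queue entry of every message it delivers.
WINDOW = 4                 # assumed: messages ahead of next_seq we will hold
MAX_PENDING_BYTES = 4096   # assumed: total fragment bytes we will hold


class Reassembler:
    def __init__(self):
        self.next_seq = 0   # next handshake message to deliver, in order
        self.pending = {}   # message_seq -> (total_len, {offset: body})

    def buffered_bytes(self):
        return sum(len(b) for _, parts in self.pending.values()
                   for b in parts.values())

    @staticmethod
    def _complete(parts, total_len):
        # Join the fragments if they cover [0, total_len) without a hole.
        end, chunks = 0, []
        for off in sorted(parts):
            if off > end:
                return None                      # hole before this fragment
            chunks.append(parts[off][end - off:])  # drop any overlap
            end = max(end, off + len(parts[off]))
        return b"".join(chunks)[:total_len] if end >= total_len else None

    def receive(self, seq, offset, body, total_len):
        """Feed one fragment; return the messages that became deliverable."""
        if seq < self.next_seq or seq >= self.next_seq + WINDOW:
            return []        # stale or too far ahead: drop, never queue
        if self.buffered_bytes() + len(body) > MAX_PENDING_BYTES:
            return []        # memory cap reached: drop rather than grow
        _, parts = self.pending.setdefault(seq, (total_len, {}))
        parts[offset] = body
        delivered = []
        while self.next_seq in self.pending:
            total, parts = self.pending[self.next_seq]
            msg = self._complete(parts, total)
            if msg is None:
                break
            delivered.append(msg)
            del self.pending[self.next_seq]   # clear the queue entry on delivery
            self.next_seq += 1
        return delivered
```

Feeding hundreds of future fragments while message 0 is missing leaves at most WINDOW - 1 messages queued, and delivering message 0 empties the queue.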
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/OpenSSL-denial-of-service-via-DTLS-Reassembly-20457