Vigil@nce - OpenSSL: memory corruption via BN_bn2dec
October 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger a memory corruption via BN_bn2dec() of
OpenSSL, in order to cause a denial of service, and possibly to
run code.
– Impacted products: Blue Coat CAS, ProxyAV, ProxySG, SGOS, Cisco
ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility
Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content
SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, Cisco IPS, Nexus by
Cisco, NX-OS, Cisco Prime Access Registrar, Prime Infrastructure,
Cisco Router, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco IP
Phone, Cisco MeetingPlace, Cisco Wireless Controller, Debian,
Fedora, FileZilla Server, FreeBSD, FreeRADIUS, Juniper J-Series,
JUNOS, Junos Space, NSM Central Manager, NSMXpress, ePO, NetScreen
Firewall, ScreenOS, OpenSSL, openSUSE, openSUSE Leap, Solaris,
pfSense, RHEL, Slackware, stunnel, SUSE Linux Enterprise Desktop,
SLES, Synology DS***, Synology RS***, Ubuntu, Wind River Linux.
– Severity: 2/4.
– Creation date: 24/08/2016.
DESCRIPTION OF THE VULNERABILITY
The OpenSSL library works on large numbers to perform operations
such as RSA.
The BN_bn2dec() function converts a large number to its decimal
representation. However, a special number forces BN_div_word() to
return a limit value, and data is then written past the end of the
memory area.
An attacker can therefore trigger a memory corruption via
BN_bn2dec() of OpenSSL, in order to cause a denial of service,
and possibly to run code.
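The bug class described above, as an added example that is not
OpenSSL's code and not part of the original bulletin: a toy decimal
conversion loop with the two checks that keep a failed division or a
long input from writing past the chunk buffer. The toy_* names, the
32-bit limb layout and the DIV_ERROR sentinel are assumptions made
for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define DEC_CONV  1000000000u     /* 10^9: nine decimal digits per chunk */
#define DIV_ERROR ((uint32_t)-1)  /* toy stand-in for the "limit value" */

/* Toy big number (assumption): little-endian 32-bit limbs. Divides in place
 * by w and returns the remainder, or DIV_ERROR when the division fails. */
static uint32_t toy_div_word(uint32_t *limbs, size_t n, uint32_t w)
{
    uint64_t rem = 0;
    if (w == 0) return DIV_ERROR;
    for (size_t i = n; i-- > 0; ) {
        uint64_t cur = (rem << 32) | limbs[i];
        limbs[i] = (uint32_t)(cur / w);
        rem = cur % w;
    }
    return (uint32_t)rem;
}

static int toy_is_zero(const uint32_t *limbs, size_t n)
{
    while (n-- > 0)
        if (limbs[n] != 0) return 0;
    return 1;
}

/* Splits the number into chunks of `base`, least significant first. Returns
 * the chunk count, or -1 rather than storing an error value or writing past
 * chunks[cap - 1]. The input limbs are consumed. */
int toy_to_chunks(uint32_t *limbs, size_t n, uint32_t base,
                  uint32_t *chunks, size_t cap)
{
    size_t used = 0;
    while (!toy_is_zero(limbs, n)) {
        uint32_t r = toy_div_word(limbs, n, base);
        if (r == DIV_ERROR)   /* check 1: the sentinel is not data */
            return -1;
        if (used >= cap)      /* check 2: bound the write cursor */
            return -1;
        chunks[used++] = r;
    }
    return (int)used;
}

int main(void)
{
    uint32_t n[2] = {0xFFFFFFFFu, 0xFFFFFFFFu};  /* constructed: 2^64 - 1 */
    uint32_t out[2];                             /* one chunk too small */
    return toy_to_chunks(n, 2, DEC_CONV, out, 2) == -1 ? 0 : 1;
}
```

Without the two checks, the loop would store the error value as if it
were a chunk and keep advancing the cursor past the buffer.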
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/OpenSSL-memory-corruption-via-BN-bn2dec-20460