Freely subscribe to our NEWSLETTER

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker, who own a malicious TLS server, can send the
NewSessionTicket message, to force the usage of a freed memory
area in a client linked to OpenSSL, in order to trigger a denial
of service, and possibly to execute code.

Impacted products: Cisco ASR, Cisco ATA, AnyConnect VPN Client,
Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco
ESA, IOS Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort
Encryption, Cisco Nexus, NX-OS, Cisco Prime, Cisco Router, Secure
ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified
CCX, Cisco IP Phone, Cisco Unified Meeting Place, Cisco Wireless
IP Phone, Cisco Unity, Cisco WSA, Debian, BIG-IP Hardware, TMOS,
Fedora, FileZilla Server, FreeBSD, AIX, IRAD, Junos Pulse, McAfee
Email and Web Security, McAfee Email Gateway, McAfee Web Gateway,
OpenSSL, openSUSE, Solaris, pfSense, Puppet, RHEL, Slackware, SUSE
Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***,
Ubuntu

Severity: 2/4

Creation date: 04/06/2015

DESCRIPTION OF THE VULNERABILITY

The TLS protocol uses the NewSessionTicket message to obtain a new
session ticket (RFC 5077).

The ssl3_get_new_session_ticket() function of the ssl/s3_clnt.c
file implements NewSessionTicket in an OpenSSL client. However, if
the client is multi-threaded, this function frees a memory area
before reusing it.

An attacker, who own a malicious TLS server, can therefore send
the NewSessionTicket message, to force the usage of a freed memory
area in a client linked to OpenSSL, in order to trigger a denial
of service, and possibly to execute code.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/OpenSSL-use-after-free-via-NewSessionTicket-17062