Vigil@nce: OpenSSL, memory leak of CRYPTO_cleanup_all_ex_data
January 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can generate a memory leak in some applications using
the OpenSSL CRYPTO_cleanup_all_ex_data() function.
Severity: 2/4
Consequences: denial of service of a service, denial of service
of a client
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 13/01/2010
IMPACTED PRODUCTS
– Debian Linux
– OpenSSL
– Red Hat Enterprise Linux
– TurboLinux
DESCRIPTION OF THE VULNERABILITY
The CRYPTO_cleanup_all_ex_data() function of OpenSSL frees the
data that was in use. However, in OpenSSL versions later than
0.9.8f, this function does not free the COMP_CTX structure related
to zlib compression, which creates a memory leak.
Applications using the OpenSSL CRYPTO_cleanup_all_ex_data()
function are thus impacted by a denial of service.
In 2008, the Apache httpd mod_ssl module used this function, and
was thus impacted by a denial of service (VIGILANCE-VUL-7969).
This vulnerability was corrected by modifying mod_ssl, instead of
correcting the root of the problem (OpenSSL).
The PHP module with Curl also uses this function, and is thus
impacted by a denial of service. In 2010, developers decided not
to correct PHP/Curl, but to correct the root of the problem
(OpenSSL).
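The leak pattern described above, as an added example that is not OpenSSL code and not part of the original bulletin: a simplified C model of a cleanup routine that skips one structure, with the init/cleanup cycle test that detects it. All toy_* names, the buffer sizes and the assumption that a long-running process repeats the cycle are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Tracked allocator: counts blocks that are still outstanding. */
static long live_blocks = 0;
static void *t_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p) live_blocks++;
    return p;
}
static void t_free(void *p) { if (p) { live_blocks--; free(p); } }

/* Hypothetical stand-ins for library state; not OpenSSL's real types. */
struct toy_comp_ctx { unsigned char window[4096]; };
static void *toy_ex_data;
static struct toy_comp_ctx *toy_comp;

static int toy_init(void) {
    toy_ex_data = t_alloc(256);
    toy_comp = t_alloc(sizeof *toy_comp);
    return (toy_ex_data && toy_comp) ? 0 : -1;
}

/* Leaky cleanup: ex data is freed, the compression context is forgotten. */
static void toy_cleanup_leaky(void) {
    t_free(toy_ex_data); toy_ex_data = NULL;
    toy_comp = NULL;              /* pointer dropped, block never freed */
}

/* Corrected cleanup: every block allocated by toy_init() is released. */
static void toy_cleanup_fixed(void) {
    t_free(toy_ex_data); toy_ex_data = NULL;
    t_free(toy_comp);    toy_comp = NULL;
}

/* Run init/cleanup cycles; return blocks still allocated afterwards. */
static long leaked_after(int cycles, void (*cleanup)(void)) {
    long baseline = live_blocks;
    for (int i = 0; i < cycles; i++) { toy_init(); cleanup(); }
    return live_blocks - baseline;
}

int main(void) {
    printf("leaky cleanup: %ld blocks\n", leaked_after(100, toy_cleanup_leaky));
    printf("fixed cleanup: %ld blocks\n", leaked_after(100, toy_cleanup_fixed));
    return 0;
}
```

The leaked count grows by one block per cycle with the leaky cleanup and returns to the baseline with the corrected one, which is the property a regression test for this class of bug should assert.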
CHARACTERISTICS
Identifiers: CVE-2009-4355, DSA-1970-1, RHSA-2010:0054-01,
TLSA-2010-4, VIGILANCE-VUL-9348
Pointed by: VIGILANCE-VUL-7969
http://vigilance.fr/vulnerability/OpenSSL-memory-leak-of-CRYPTO-cleanup-all-ex-data-9348