Vigil@nce - OpenSSL: use after free via PSK Identify Hint
February 2016 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force the use of a freed memory area via the PSK
identity hint of an OpenSSL multi-threaded client, in order to
trigger a denial of service, and possibly to run code.
Impacted products: Cisco ASR, Cisco ATA, Cisco AnyConnect Secure
Mobility Client, ASA, AsyncOS, Cisco Content SMA, Cisco ESA, Cisco
Nexus, NX-OS, Cisco Prime Access Registrar, Prime Collaboration
Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco PRSM,
Secure ACS, Cisco CUCM, Cisco MeetingPlace, Cisco WSA, Cisco
Wireless Controller, Debian, BIG-IP Hardware, TMOS, Fedora,
FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient,
FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager
Virtual Appliance, FortiOS, FreeBSD, AIX, IRAD, IVE OS, MAG Series
Juniper, Juniper SA, Juniper SBR, Data ONTAP, OpenSSL, openSUSE,
openSUSE Leap, Solaris, pfSense, Pulse Connect Secure, MAG Series
Pulse Secure, Pulse Secure SBR, Puppet, RHEL, Slackware, Synology
DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Creation date: 03/12/2015.
DESCRIPTION OF THE VULNERABILITY
The OpenSSL library can be used by a multi-threaded client.
However, in this case the PSK identity hint kept in the SSL_CTX
structure, which the threads share, is not updated consistently, so
OpenSSL can free the same memory area twice.
An attacker can therefore force the use of a freed memory area via
the PSK identity hint of an OpenSSL multi-threaded client, in order
to trigger a denial of service, and possibly to run code.
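The ownership mistake described above, modelled as an added example that is neither Vigil@nce's nor OpenSSL's code: the struct names, the tracked_free() counter and the replayed thread schedule are constructed for illustration. It shows why a value learned per connection (the hint sent by the server) must live in per-connection state rather than in the context shared by every thread.

```c
#include <stdlib.h>
/* Constructed model of the design flaw described above; it is not OpenSSL
 * code. Hint blocks are released through tracked_free(), which counts a
 * second release of the same block instead of corrupting the heap. */
typedef struct { const char *text; int freed; } hint_t;
typedef struct { hint_t *psk_identity_hint; } shared_ctx_t;                  /* like SSL_CTX */
typedef struct { shared_ctx_t *ctx; hint_t *psk_identity_hint; } session_t; /* per connection */
static int double_frees;
static hint_t *hint_new(const char *text) {
    hint_t *h = malloc(sizeof *h);
    h->text = text; h->freed = 0;
    return h;
}
static void tracked_free(hint_t *h) {
    if (!h) return;
    if (h->freed) { double_frees++; return; }  /* the bug: block released twice */
    h->freed = 1;  /* header kept (not free()d) so the flag stays readable */
}
/* Vulnerable design: a per-connection value is written into the shared ctx.
 * 'observed' is the pointer this handler read before another thread ran. */
static void vuln_set_hint(session_t *s, hint_t *observed, const char *hint) {
    tracked_free(observed);
    s->ctx->psk_identity_hint = hint_new(hint);
}
/* Replays the unlucky schedule deterministically: two connections sharing one
 * ctx both read the current hint, then each releases what it read. Returns 1. */
int vulnerable_race(void) {
    shared_ctx_t ctx = { hint_new("initial-hint") };
    session_t a = { &ctx, NULL }, b = { &ctx, NULL };
    hint_t *seen_by_a = ctx.psk_identity_hint, *seen_by_b = ctx.psk_identity_hint;
    double_frees = 0;
    vuln_set_hint(&a, seen_by_a, "hint-from-server-A");
    vuln_set_hint(&b, seen_by_b, "hint-from-server-B");
    return double_frees;
}
/* Fixed design: the hint is owned by the session, so threads never share it. */
static void fixed_set_hint(session_t *s, const char *hint) {
    tracked_free(s->psk_identity_hint);
    s->psk_identity_hint = hint_new(hint);
}
/* Same two connections, each updating only its own session. Returns 0. */
int fixed_no_race(void) {
    shared_ctx_t ctx = { hint_new("initial-hint") };
    session_t a = { &ctx, NULL }, b = { &ctx, NULL };
    double_frees = 0;
    fixed_set_hint(&a, "hint-from-server-A");
    fixed_set_hint(&b, "hint-from-server-B");
    fixed_set_hint(&a, "hint-after-renegotiation");
    return double_frees;
}
```

Under a real allocator the second release in vulnerable_race() is the double free the bulletin describes; the per-session design makes the same interleaving harmless.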
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenSSL-use-after-free-via-PSK-Identify-Hint-18437