
CERT-In Advisory CIAD-2006-36
Multiple vulnerabilities in OpenSSL

Original issue date: September 29, 2006

Severity Rating: Medium

System Affected

OpenSSL 0.9.x

Overview

Multiple vulnerabilities have been reported in OpenSSL which could be exploited by remote attackers to execute arbitrary code or cause a denial of service.

Description

1. OpenSSL invalid ASN.1 handling vulnerability (CVE-2006-2937)

A vulnerability has been reported in OpenSSL due to an infinite loop while handling invalid ASN.1 structures. This could be exploited by an attacker to cause a denial of service.

2. OpenSSL public keys handling vulnerability (CVE-2006-2940)

A vulnerability has been reported in OpenSSL in the processing of certain public keys that take an excessive amount of time to process. This could be exploited by remote attackers to cause a denial of service.

3. Buffer overflow vulnerability in "SSL_get_shared_ciphers()" function (CVE-2006-3738)

A buffer overflow vulnerability has been reported in the "SSL_get_shared_ciphers()" function while handling a specially crafted list of ciphers. This could be exploited by remote attackers to potentially compromise a vulnerable system.
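The defensive pattern that this class of bug calls for, as an added example that is not OpenSSL's own code: SSL_get_shared_ciphers() fills a caller-supplied buffer of a stated length with cipher names separated by ':' and returns the buffer, or NULL if it cannot. The function join_cipher_names() below is a constructed illustration of the same API shape in which every write is checked against the remaining space before it happens, so an over-long list is refused rather than written past the end of the buffer. The cipher names in kSample are constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative bounded join (not OpenSSL's implementation): copy the
 * NUL-terminated array `names` into `buf` of `len` bytes, separated by ':'.
 * Returns buf on success, or NULL (with buf set to "") when the result
 * would not fit, including its terminating NUL. */
char *join_cipher_names(const char *const *names, char *buf, size_t len)
{
    size_t used = 0;

    if (buf == NULL || len == 0)
        return NULL;
    buf[0] = '\0';

    for (size_t i = 0; names[i] != NULL; i++) {
        size_t n = strlen(names[i]);
        /* Bytes this name needs: separator (after the first), name, NUL. */
        size_t need = (used ? 1 : 0) + n + 1;

        /* Compare against the space left, never against len alone. */
        if (need > len - used) {
            buf[0] = '\0';
            return NULL;        /* refuse instead of overflowing */
        }
        if (used)
            buf[used++] = ':';
        memcpy(buf + used, names[i], n);
        used += n;
        buf[used] = '\0';       /* always terminated, within bounds */
    }
    return buf;
}

/* Constructed sample list used by the demo and the checks below. */
static const char *const kSample[] = {"AES128-SHA", "DES-CBC3-SHA", NULL};

/* Returns 1 when kSample fits in a buffer of `len` bytes and the joined
 * text is exactly "AES128-SHA:DES-CBC3-SHA" (23 characters plus NUL),
 * 0 when the join is refused. */
int sample_join_fits(size_t len)
{
    char buf[64];

    if (len > sizeof buf)
        len = sizeof buf;
    if (join_cipher_names(kSample, buf, len) == NULL)
        return 0;
    return strcmp(buf, "AES128-SHA:DES-CBC3-SHA") == 0;
}

int main(void)
{
    char big[24];   /* exactly enough: 23 characters + NUL */
    char small[16]; /* too small: the join must be refused */

    printf("24 bytes: %s\n",
           join_cipher_names(kSample, big, sizeof big) ? big : "(refused)");
    printf("16 bytes: %s\n",
           join_cipher_names(kSample, small, sizeof small) ? small : "(refused)");
    return 0;
}
```

The point to carry over to any buffer-filling API is the check `need > len - used`: the remaining space is recomputed on every iteration and includes the terminating NUL, so the caller's length is an actual upper bound rather than a hint.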

4. SSLv2 client code vulnerability (CVE-2006-4343)

An unspecified vulnerability has been reported in the SSLv2 client code which could be exploited by a remote attacker to cause a denial of service or crash the client.

Solution

Upgrade to a fixed version of OpenSSL, available from
http://www.openssl.org/source/

Vendor Information

OpenSSL
http://www.openssl.org/news/secadv_20060928.txt

References

RedHat
https://rhn.redhat.com/errata/RHSA-2006-0695.html

FrSIRT ADV-2006-3820
http://www.frsirt.com/english/advisories/2006/3820

Secunia
http://secunia.com/advisories/22130/

CVE Name

CVE-2006-2937
CVE-2006-2940
CVE-2006-3738
CVE-2006-4343

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003