PT-2016-3416 · Openssl+12 · Openssl+16

Shi Lei · Published 2016-07-31 · Updated 2024-06-15 · CVE-2016-2180

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the vulnerable software and affected versions: OpenSSL versions 1.0.2h and earlier

Description: The issue is a denial of service caused by an out-of-bounds read and application crash. A remote attacker can trigger it with a crafted time-stamp file that is mishandled by the "openssl ts" command. The defect lies in the TS_OBJ_print_bio function of the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. A missing CRL sanity check is also mentioned, which could likewise lead to a denial of service.

Recommendations: For OpenSSL versions 1.0.2h and earlier, update to a version that includes the patches addressing this denial of service issue. As a temporary workaround, consider restricting the use of the "openssl ts" command until a patch can be applied, and do not process untrusted time-stamp files, which could reach the TS_OBJ_print_bio function.
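To show the defect class behind this entry, the following is an added illustration written for this page, not OpenSSL's code: a stand-in for OBJ_obj2txt() with snprintf-style semantics (it truncates to the buffer but returns the length the full text would need). The OID text and the 16-byte buffer are constructed values; the point is that passing the raw return value as the write length reads past the buffer, while writing only the NUL-terminated text that is actually in the buffer stays in bounds.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, deliberately small buffer so truncation is easy to trigger. */
#define OBJ_TXT_BUFSIZE 16

/* Stand-in (hypothetical) for OBJ_obj2txt(): like snprintf(), it writes at
 * most size-1 characters plus a NUL and returns the full untruncated length. */
static int model_obj2txt(char *buf, size_t size, const char *oid_text)
{
    return snprintf(buf, size, "%s", oid_text);
}

/* Vulnerable pattern: the raw return value is used as the number of bytes
 * to write out. If the OID text was truncated, that length exceeds the
 * buffer, so the subsequent write reads out of bounds. */
int vulnerable_write_len(const char *oid_text)
{
    char obj_txt[OBJ_TXT_BUFSIZE];
    int len = model_obj2txt(obj_txt, sizeof(obj_txt), oid_text);
    return len;   /* a BIO_write(bio, obj_txt, len) would read len bytes */
}

/* Hardened pattern: emit only the text that is really in the buffer
 * (equivalent to printing it with "%s"), never more than sizeof(obj_txt)-1. */
int fixed_write_len(const char *oid_text)
{
    char obj_txt[OBJ_TXT_BUFSIZE];
    model_obj2txt(obj_txt, sizeof(obj_txt), oid_text);
    return (int)strlen(obj_txt);   /* snprintf guarantees NUL termination */
}

/* Returns 1 if the vulnerable pattern would read beyond the buffer. */
int overreads(const char *oid_text)
{
    return vulnerable_write_len(oid_text) > (int)OBJ_TXT_BUFSIZE;
}
```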

Fix

DoS

Out-of-bounds Read


Weakness Enumeration

Related identifiers

ALT-PU-2016-2005
BDU:2022-02556
CESA-2016_1940
CVE-2016-2180
DLA-637-1
DSA-3673-1
MGASA-2016-0338
MGASA-2016-0408
OPENSUSE-SU-2016_2391-1
OPENSUSE-SU-2016_2407-1
OPENSUSE-SU-2018_0458-1
OPENSUSE-SU-2024:10271-1
OPENSUSE-SU-2024:11127-1
RHSA-2016:1940
RHSA-2016_1940
SUSE-FU-2022:0445-1
SUSE-SU-2016:2387-1
SUSE-SU-2016:2394-1
SUSE-SU-2016:2469-1
SUSE-SU-2017:2699-1
SUSE-SU-2017:2700-1
USN-3087-1
USN-3087-2

Affected products

Alt Linux
Centos
Cisco Asa
Cisco Ios Xe
Cisco Ios Xr
Cisco Nexus
Cisco Wls
Fortios
Freebsd
Huawei Vrp
Ibm Aix
Junos
Nessus
Openssl
Red Hat
Suse
Ubuntu