OpenSSL < 1.1.0a Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9626

Synopsis

The remote web server is running an outdated instance of OpenSSL and that is affected by multiple vulnerabilities.

Description

According to its banner, the version of OpenSSL on the remote host is prior to 1.1.0a and is affected by the following vulnerabilities :

- A flaw exists in the 'ssl_parse_clienthello_tlsext()' function in 'ssl/t1_lib.c' that is triggered when handling overly large OCSP Status Request extensions from clients. This may allow a remote attacker to exhaust available memory in a process linked against the library. (CVE-2016-6304)
- A flaw exists in the 'SSL_peek()' function in 'ssl/record/rec_layer_s3.c' that is triggered during the handling of an empty record. This may allow a remote attacker to cause SSL or TLS to hang in a process linked against the library. (CVE-2016-6305)
- A flaw exists in the 'tls_get_message_header()' function in 'ssl/statem/statem_lib.c' that is triggered when handling TLS messages. With a specially crafted request, a remote attacker can cause a process linked against the library to exhaust available memory. (CVE-2016-6307)
According to the vendor, this issue will only have a security impact if one of the following conditions are met :
1) The application does not call 'SSL_free()' in a timely manner in the event that the connection fails,
2) The application is working in a constrained environment where there is very little free memory, or
3) The attacker initiates multiple connection attempts such that there are multiple connections in a state where memory has been allocated for the connection, 'SSL_free()' has not yet been called, and there is insufficient memory to service the multiple requests.
- A flaw exists in the 'dtls1_preprocess_fragment()' function in 'ssl/statem/statem_dtls.c' that is triggered during the handling of excessively long DTLS messages. This may allow a remote attacker to exhaust memory resources in a process linked against the library. (CVE-2016-6308)
According to the vendor, this issue will only have a security impact if one of the following conditions are met :
1) The application does not call 'SSL_free()' in a timely manner in the event that the connection fails,
2) The application is working in a constrained environment where there is very little free memory, or
3) The attacker initiates multiple connection attempts such that there are multiple connections in a state where memory has been allocated for the connection, 'SSL_free()' has not yet been called, and there is insufficient memory to service the multiple requests.

Solution

Upgrade OpenSSL to version 1.1.0a or higher

See Also

https://www.openssl.org/news/secadv/20160922.txt

Plugin Details

Severity: High

ID: 9626

Family: Web Servers

Published: 10/6/2016

Updated: 3/6/2019

Nessus ID: 93816

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:openssl:openssl

Patch Publication Date: 9/22/2016

Vulnerability Publication Date: 9/22/2016

Reference Information

CVE: CVE-2016-6304, CVE-2016-6305, CVE-2016-6307, CVE-2016-6308

BID: 93150, 93149, 93151, 93152