(NetBSD Issues Fix) OpenSSL asn1_d2i_read_bio() Buffer Overflow Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1027135
SecurityTracker URL: http://securitytracker.com/id/1027135
CVE Reference: CVE-2012-2110
Date: Jun 8 2012
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 0.9.8w and 1.0.0i

Description:
A vulnerability was reported in OpenSSL. A remote user can execute arbitrary code on the target system.
A remote user can send specially crafted data to the target application using OpenSSL to potentially trigger a heap overflow in the asn1_d2i_read_bio() function and execute arbitrary code on the target system. The code will run with the privileges of the target application.
Applications that use ASN.1 BIO or FILE based functions to read untrusted DER format data are affected. The d2i_*_bio and d2i_*_fp type of functions are affected.
Applications that use the memory based ASN1 functions (e.g., d2i_X509, d2i_PKCS12 etc) are not affected.
The SSL/TLS code is not affected.
Applications using only the PEM routines are not affected.
S/MIME and CMS applications that use the built-in MIME parser SMIME_read_PKCS7 and SMIME_read_CMS functions are affected.
Tavis Ormandy, Google Security Team, reported this vulnerability.
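
A call-site triage built from the function families named in the description above, as an added example that is not part of the SecurityTracker or NetBSD text: it classifies OpenSSL parsing calls in C source as affected or not affected by CVE-2012-2110. The regexes, the `triage` helper and the sample source are assumptions constructed for illustration; a match only locates an entry point and says nothing about whether the linked library is patched.

```python
import re

# Entry points the description lists as affected.
AFFECTED = [
    (re.compile(r"\bd2i_\w+_(?:bio|fp)\b"), "BIO/FILE-based DER reader"),
    (re.compile(r"\bSMIME_read_(?:PKCS7|CMS)\b"), "built-in MIME parser"),
]
# Entry points the description lists as not affected.
NOT_AFFECTED = [
    (re.compile(r"\bd2i_\w+\b"), "memory-based ASN.1 function"),
    (re.compile(r"\bPEM_\w+\b"), "PEM routine"),
]
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def _blank(match):
    # Replace comment text with spaces but keep newlines, so line numbers hold.
    return re.sub(r"[^\n]", " ", match.group(0))

def triage(source):
    """Return sorted (line, name, verdict, reason) for OpenSSL parsing calls."""
    findings = []
    code = COMMENT.sub(_blank, source)
    for lineno, line in enumerate(code.splitlines(), 1):
        claimed = []  # spans already classified; affected rules run first
        for verdict, rules in (("affected", AFFECTED), ("not affected", NOT_AFFECTED)):
            for pattern, reason in rules:
                for m in pattern.finditer(line):
                    if any(m.start() < e and s < m.end() for s, e in claimed):
                        continue  # e.g. d2i_X509_bio also matches d2i_\w+
                    claimed.append(m.span())
                    findings.append((lineno, m.group(0), verdict, reason))
    return sorted(findings)

# Constructed sample source, not taken from any real project.
SAMPLE = """\
/* certificate helpers */
X509 *load_upload(BIO *in) { return d2i_X509_bio(in, NULL); }
PKCS12 *load_p12(FILE *fp) { return d2i_PKCS12_fp(fp, NULL); }
X509 *from_mem(const unsigned char **p, long n) { return d2i_X509(NULL, p, n); }
X509 *from_pem(BIO *in) { return PEM_read_bio_X509(in, NULL, NULL, NULL); }
PKCS7 *mail(BIO *in, BIO **bcont) { return SMIME_read_PKCS7(in, bcont); }
// d2i_X509_fp(fp, NULL);  disabled call, ignored by the scan
"""

if __name__ == "__main__":
    for lineno, name, verdict, reason in triage(SAMPLE):
        print(f"line {lineno}: {name:20} {verdict:13} ({reason})")
```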

Impact:
A remote user can execute arbitrary code on the target system.

Solution:
NetBSD has issued a fix for CVE-2012-2110.
The NetBSD advisory is available at:
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2012-001.txt.asc

Vendor URL: www.openssl.org/news/secadv_20120424.txt

Cause:
Boundary error

Underlying OS:
UNIX (NetBSD)

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Fri, 08 Jun 2012 06:19:01 +0000
Subject: NetBSD

http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2012-001.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2012-001
=================================
Topic:    OpenSSL buffer overflow in DER read function

Version:  NetBSD-current:     source prior to Apr 20th, 2012
          NetBSD 6.0 Beta:    affected
          NetBSD 5.0.*:       affected
          NetBSD 5.0:         affected
          NetBSD 5.1:         affected
          NetBSD 4.0.*:       affected
          NetBSD 4.0:         affected

Severity: remote DoS, information disclosure

Fixed:    NetBSD-current:     Apr 19th, 2012
          NetBSD 6.0 Beta:    Apr 23rd, 2012
          NetBSD-5-0 branch:  Apr 21st, 2012
          NetBSD-5-1 branch:  Apr 21st, 2012
          NetBSD-5 branch:    Apr 21st, 2012
          NetBSD-4-0 branch:  May 11th, 2012
          NetBSD-4 branch:    May 11th, 2012

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
Incorrect integer conversions in OpenSSL DER buffer handling
can result in memory corruption.
This vulnerability has been assigned CVE-2012-2110.
Technical Details
=================
The openssl commit message to fix this issue is:
check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean. (CVE-2012-2110)
Further information can be found at:
http://www.openssl.org/news/secadv_20120419.txt
http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086585.html
Solutions and Workarounds
=========================
Patch, recompile, and reinstall the library.

File src/crypto/external/bsd/openssl/dist/crypto/mem.c
    CVS branch    Rev.
    HEAD          1.2
    netbsd-6      1.1.1.2.4.1

File src/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c
    CVS branch    Rev.
    HEAD          1.2
    netbsd-6      1.1.1.1.8.1

File src/crypto/external/bsd/openssl/dist/crypto/buffer/buffer.c
    CVS branch    Rev.
    HEAD          1.2
    netbsd-6      1.1.1.2.4.1

File src/crypto/dist/openssl/crypto/mem.c
    CVS branch    Rev.
    netbsd-5      1.1.1.8.4.1
    netbsd-5-0    1.1.1.8.8.1
    netbsd-5-1    1.1.1.8.12.1
    netbsd-4      1.1.1.7.4.1
    netbsd-4-0    1.1.1.7.14.1

File src/crypto/dist/openssl/crypto/asn1/a_d2i_fp.c
    CVS branch    Rev.
    netbsd-5      1.1.1.3.26.1
    netbsd-5-0    1.1.1.3.30.1
    netbsd-5-1    1.1.1.3.34.1
    netbsd-4      1.1.1.3.4.1
    netbsd-4-0    1.1.1.3.14.1

File src/crypto/dist/openssl/crypto/buffer/buffer.c
    netbsd-5      1.1.1.5.4.1
    netbsd-5-0    1.1.1.5.8.1
    netbsd-5-1    1.1.1.5.12.1
    netbsd-4      1.1.1.4.4.1
    netbsd-4-0    1.1.1.4.14.1

Thanks To
=========
Thanks to Tavis Ormandy, Google Security Team, for discovering this issue
and to Adam Langley <agl@chromium.org> for fixing it.
Revision History
================
2012-06-06 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2012-001.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2012, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2012-001.txt,v 1.2 2012/06/06 19:46:15 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----