SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Sun Grid Engine Vendors:   Sun
(Sun Grid Engine is Affected) OpenSSL ASN.1 Bugs, SSL_get_shared_ciphers() Buffer Overflow, and SSLv2 Client Error Lets Remote Users Denial of Service or Execute Arbitrary Code
SecurityTracker Alert ID:  1017066
SecurityTracker URL:  http://securitytracker.com/id/1017066
CVE Reference:   CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343   (Links to External Site)
Date:  Oct 16 2006
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): 5.3, 6.0
Description:   Several vulnerabilities were reported in OpenSSL. A remote user can cause denial of service conditions. A remote user can execute arbitrary code on the target system. Sun Grid Engine is affected.

A remote user can send specially crafted, invalid ASN.1 structures to trigger an infinite loop [CVE-2006-2937]. As a result, the process will consume excessive system memory. Versions prior to 0.9.7 are not affected.

A remote user can use certain types of public keys to cause the target system to take a disproportionate amount of time to process [CVE-2006-2940].

Dr. S. N. Henson developed the ASN.1 test suite for NISCC that uncovered these denial of service vulnerabilities.

A user can send a specially crafted list of ciphers to an application that uses the SSL_get_shared_ciphers() function to trigger a buffer overflow and potentially execute arbitrary code [CVE-2006-3738]. The vendor credits Tavis Ormandy and Will Drewry of the Google Security Team with reporting this vulnerability.

A remote server can cause a connected SSLv2 client to crash [CVE-2006-4343]. The vendor credits Tavis Ormandy and Will Drewry of the Google Security Team with reporting this vulnerability.

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can cause denial of service conditions.

Solution:   Sun has indicated that Sun Grid Engine is affected by this OpenSSL vulnerability.

No solution was available for Sun Grid Engine at the time of this entry.

The Sun advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1

Vendor URL:  sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1 (Links to External Site)
Cause:   Boundary error, Exception handling error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (macOS/OS X), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Sep 29 2006 OpenSSL ASN.1 Bugs, SSL_get_shared_ciphers() Buffer Overflow, and SSLv2 Client Error Lets Remote Users Denial of Service or Execute Arbitrary Code



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC