SecurityTracker.com
Category:   Device (VoIP/Phone/FAX)  >   Cisco IP Phones
Vendors:   Cisco
(Cisco Issues Advisory for Cisco IP Phones) OpenSSL Multiple Bugs Let Remote Users Cause the Target Service to Crash
SecurityTracker Alert ID:  1036923
SecurityTracker URL:  http://securitytracker.com/id/1036923
CVE Reference:   CVE-2016-6302, CVE-2016-6303, CVE-2016-6306
Date:  Sep 29 2016
Impact:   Denial of service via network
Vendor Confirmed:  Yes  

Description:   Multiple vulnerabilities were reported in OpenSSL. A remote user can cause the target service or application to crash. Cisco IP Phones are affected.

A remote user can send a specially crafted SHA512 TLS session ticket to trigger an out-of-bounds memory read error and cause the target server to crash [CVE-2016-6302].

A remote user can trigger an integer overflow in the MDC2_Update() function in 'crypto/mdc2/mdc2dgst.c' and cause the target service to crash in certain cases [CVE-2016-6303].

A remote user can trigger an out-of-bounds memory read error in the processing of certain TLS/SSL protocol handshake messages and cause the target application or service to crash [CVE-2016-6306]. Version 1.1.0 is not affected.

A remote user can trigger a memory allocation error in tls_get_message_header() to temporarily consume excessive memory resources on the target system [CVE-2016-6307]. DTLS users are not affected. Version 1.1.0 is affected.

A remote user can trigger a memory allocation error in dtls1_preprocess_fragment() to temporarily consume excessive memory resources on the target system [CVE-2016-6308]. TLS users are not affected. Version 1.1.0 is affected.

Shi Lei (Gear Team, Qihoo 360 Inc.) reported these vulnerabilities.

Impact:   A remote user can cause the target service or application to crash.
Solution:   Cisco has issued an advisory for CVE-2016-6302, CVE-2016-6303, and CVE-2016-6306 for Cisco IP Phones.

The following models are affected:

Cisco Unified IP 6945 Phone
Cisco Unified IP 7900 Series Phones
Cisco IP 7800 Series Phones
Cisco Unified IP 8831 Conference Phone
Cisco Unified IP 8945 Phone
Cisco Unified IP 8961 Phone
Cisco Unified IP 9951 Phone
Cisco Unified IP 9971 Phone

The Cisco advisory is available at:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl
Cause:   Access control error, Boundary error, Resource error

Message History:   This archive entry is a follow-up to the message listed below.
Sep 23 2016 OpenSSL Multiple Bugs Let Remote Users Cause the Target Service to Crash



Copyright 2019, SecurityGlobal.net LLC