Security update for OpenSSL removes four holes
New versions of the OpenSSL encryption library close a total of four holes through which attackers could crash a server or a client using manipulated packets. One of the holes is a buffer overflow and is probably suitable for planting code on a system. All OpenSSL versions prior to 0.9.7l and prior to 0.9.8d are affected, on all operating systems. The updates are available as source code for those who compile OpenSSL themselves; Linux distributors and the BSD projects are also distributing updated packages. Users should install the packages as soon as possible.
The buffer overflow is located in the SSL_get_shared_ciphers() function, the advisory reports. When an application calls that function, an attacker can trigger the overflow with a specially prepared list of ciphers. Affected applications include web servers with client authentication, mail servers (Exim), mail applications (S/MIME), VPNs (OpenVPN) and others. In the simplest case the application merely crashes; in the worst case the attacker succeeds in writing his own code onto the stack and executing it. The developers did not provide any further details.
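To show the class of bug involved, here is an added C example that is not from the article and not OpenSSL's source: a routine that joins cipher names into a caller-supplied buffer while tracking the remaining space with a signed counter that is checked only for an exact zero, next to a hardened version that measures each name before copying. The cipher names, the buffer sizes and the guard-byte harness are constructed for this illustration; the precise code in the affected OpenSSL releases is not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample cipher names (not a real negotiated list). In a TLS
 * handshake the peer decides which and how many names it offers. */
static const char *SAMPLE_CIPHERS[] = {
    "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5",
    "DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA", "EDH-RSA-DES-CBC3-SHA",
};
#define SAMPLE_COUNT (sizeof SAMPLE_CIPHERS / sizeof SAMPLE_CIPHERS[0])

/* Flawed join (illustrative): the remaining space is a signed counter that is
 * decremented once per separator and once per copied byte, and copying stops
 * only when the counter reads exactly zero. If a separator lands on the last
 * byte, the next decrement takes the counter below zero, it is never zero
 * again, and every remaining name is copied straight past the end of buf. */
char *join_ciphers_unsafe(const char **names, size_t n, char *buf, int len)
{
    char *p = buf;
    if (n == 0 || len <= 0) {
        if (len > 0) *buf = '\0';
        return buf;
    }
    for (size_t i = 0; i < n; i++) {
        len--;                          /* reserve a byte for ':' or '\0' */
        for (const char *cp = names[i]; *cp; ) {
            if (len-- == 0) {           /* only an exact zero is caught */
                *p = '\0';
                return buf;
            }
            *p++ = *cp++;
        }
        *p++ = ':';
    }
    p[-1] = '\0';                       /* replace the trailing ':' */
    return buf;
}

/* Hardened join: measure each name, check that name plus one byte (for ':'
 * or the final '\0') still fits, and otherwise stop cleanly at a boundary. */
char *join_ciphers_safe(const char **names, size_t n, char *buf, size_t len)
{
    size_t used = 0;
    if (len == 0) return buf;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t nl = strlen(names[i]);
        if (nl + 1 > len - used) break;     /* would not fit: truncate here */
        memcpy(buf + used, names[i], nl);
        used += nl;
        buf[used++] = ':';
    }
    if (used > 0) used--;                   /* drop the trailing ':' */
    buf[used] = '\0';
    return buf;
}

#define STORAGE 256
#define GUARD   0xAA

/* Count bytes beyond the declared length that no longer hold the guard value. */
static int count_clobbered(const unsigned char *storage, size_t len)
{
    int hits = 0;
    for (size_t i = len; i < STORAGE; i++)
        if (storage[i] != GUARD) hits++;
    return hits;
}

/* Join SAMPLE_CIPHERS into the first `len` bytes of a guard-filled array and
 * report how many guard bytes were overwritten (a safe backing array is used
 * so the overrun can be measured without corrupting anything real). */
int unsafe_overrun(int len)
{
    unsigned char storage[STORAGE];
    memset(storage, GUARD, sizeof storage);
    join_ciphers_unsafe(SAMPLE_CIPHERS, SAMPLE_COUNT, (char *)storage, len);
    return count_clobbered(storage, (size_t)len);
}

int safe_overrun(size_t len)
{
    unsigned char storage[STORAGE];
    memset(storage, GUARD, sizeof storage);
    join_ciphers_safe(SAMPLE_CIPHERS, SAMPLE_COUNT, (char *)storage, len);
    return count_clobbered(storage, len);
}

/* Length of the string the hardened routine produces for a buffer of `len`. */
size_t safe_join_length(size_t len)
{
    char buf[STORAGE];
    if (len == 0) return 0;
    join_ciphers_safe(SAMPLE_CIPHERS, SAMPLE_COUNT, buf, len);
    return strlen(buf);
}

int main(void)
{
    int sizes[] = { 11, 16, 22, 64 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("buffer %2d bytes: flawed join clobbers %3d guard bytes, hardened join %d\n",
               sizes[i], unsafe_overrun(sizes[i]), safe_overrun((size_t)sizes[i]));
    return 0;
}
```

The point a practitioner should take from this is that the flawed routine behaves correctly for most buffer sizes (16 and 64 bytes in the sample) and only overruns when a separator lands exactly on the last byte (11 and 22 bytes here), which is why such a bug survives ordinary testing and why the list offered by the peer, not the server's configuration, decides whether it fires.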
Two other flaws are located in the ASN.1 parser. Certain structures can confuse the parser into an endless loop that consumes significant memory; this error is not present in versions prior to 0.9.7, the report notes. Certain public keys can also cause disproportionately long processing times, which attackers can exploit for denial-of-service attacks. The fourth error is in the SSLv2 client code: a rigged server can crash the client.
- OpenSSL Security Advisory [28th September 2006], Advisory from OpenSSL