In association with heise online

28 September 2007, 14:38

Vulnerability in OpenSSL

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

A year after an update was released to close a critical hole in versions 0.9.7k and 0.9.8c of OpenSSL, a report now says that the hole was not completely closed. Moritz Jodeit writes that the patch only limits the extent of a buffer overflow in the function SSL_get_shared_ciphers, rather than preventing the buffer overflow altogether. An off-by-one overflow is it still at least possible in the current versions 0.9.7m and 0.9.8e and would potentially allow code to be executed. While code generally cannot be injected by means of off-by-one buffer overflows because only a single byte can be overwritten, function pointers can, for example, be redirected by this means.

If an application uses the function SSL_get_shared_ciphers, an attacker can provoke an overflow by using a specially crafted list of algorithms. The applications that may be affected include, among others, web servers with client authentication, mail servers (Exim), mail applications (S/MIME), and VPNs (OpenVPN).

The flaw has been remedied in the CVS at since September 19. It is not yet clear when the official remedied versions of OpenSSL will be released.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit