Vulnerability in OpenSSL
A year after an update was released to close a critical hole in versions 0.9.7k and 0.9.8c of OpenSSL, a report now says that the hole was not completely closed. Moritz Jodeit writes that the patch only limits the extent of a buffer overflow in the function SSL_get_shared_ciphers rather than preventing the overflow altogether. An off-by-one overflow therefore remains possible in the current versions 0.9.7m and 0.9.8e and could potentially allow code to be executed. While off-by-one overflows generally cannot be used to inject code, since only a single byte is overwritten, they can, for example, redirect function pointers.
If an application uses the function SSL_get_shared_ciphers, an attacker can provoke an overflow by using a specially crafted list of algorithms. The applications that may be affected include, among others, web servers with client authentication, mail servers (Exim), mail applications (S/MIME), and VPNs (OpenVPN).
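To show what "only limits the extent" of an off-by-one means in practice, here is an added example in C; it is not OpenSSL's code and not part of the advisory. It joins a list of cipher names with ':' into a fixed-size caller buffer, the job SSL_get_shared_ciphers performs, once with a bounds check that is off by one and once with the check done correctly, and uses a canary byte placed just past the buffer to show the single-byte overrun. The cipher names and the function names (join_ciphers_offbyone, join_ciphers_checked, overruns_buffer, joined_demo) are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed demo, not OpenSSL's code: join cipher names with ':' into a
 * caller-supplied buffer of `len` bytes. One variant has an off-by-one in
 * its bounds check, the other checks correctly. The names are made up. */

typedef char *(*joiner_fn)(const char **names, int n, char *buf, size_t len);

static const char *DEMO_NAMES[] = { "AES128-SHA", "AES256-SHA" };  /* constructed */
#define DEMO_COUNT 2

/* Vulnerable variant. The check `used + nl > len` forgets the ':' written
 * after each name, so a name that exactly fills the remaining space is
 * accepted and its separator lands at buf[len]. The later NUL store hits the
 * same byte, so the damage is exactly one byte past the end: an off-by-one. */
static char *join_ciphers_offbyone(const char **names, int n, char *buf, size_t len)
{
    size_t used = 0;
    if (len == 0)
        return NULL;
    for (int i = 0; i < n; i++) {
        size_t nl = strlen(names[i]);
        if (used + nl > len)              /* BUG: no room reserved for ':' / NUL */
            break;
        memcpy(buf + used, names[i], nl);
        used += nl;
        buf[used++] = ':';                /* when used + nl == len this is buf[len] */
    }
    if (used == 0) {
        buf[0] = '\0';
        return buf;
    }
    buf[used - 1] = '\0';                 /* replace the trailing ':' */
    return buf;
}

/* Corrected variant: each name must fit together with one extra byte, which
 * holds its ':' separator or, for the last name, the terminating NUL. */
static char *join_ciphers_checked(const char **names, int n, char *buf, size_t len)
{
    size_t used = 0;
    if (len == 0)
        return NULL;
    for (int i = 0; i < n; i++) {
        size_t nl = strlen(names[i]);
        if (used + nl + 1 > len)          /* name plus separator/NUL must fit */
            break;
        memcpy(buf + used, names[i], nl);
        used += nl;
        buf[used++] = ':';                /* index used + nl <= len - 1 here */
    }
    if (used == 0) {
        buf[0] = '\0';
        return buf;
    }
    buf[used - 1] = '\0';
    return buf;
}

/* Harness: run a joiner against a `len`-byte buffer followed by a canary byte
 * and report whether the canary changed. The allocation is len + 1 bytes, so
 * the demo itself never writes outside valid memory. Returns 1 if clobbered. */
static int overruns_buffer(joiner_fn join, size_t len)
{
    char *buf = malloc(len + 1);
    int clobbered;
    if (buf == NULL)
        return -1;
    memset(buf, 'A', len);
    buf[len] = (char)0xAA;                /* canary just past the end */
    join(DEMO_NAMES, DEMO_COUNT, buf, len);
    clobbered = (buf[len] != (char)0xAA);
    free(buf);
    return clobbered;
}

/* The checked joiner's output for a given buffer size (static scratch buffer). */
static const char *joined_demo(size_t len)
{
    static char buf[64];
    if (len > sizeof buf)
        return NULL;
    return join_ciphers_checked(DEMO_NAMES, DEMO_COUNT, buf, len);
}

int main(void)
{
    /* "AES128-SHA:AES256-SHA" is 21 characters; a 21-byte buffer has no room
     * for the NUL, yet the vulnerable check accepts it. */
    printf("off-by-one, 21-byte buffer: canary clobbered = %d\n",
           overruns_buffer(join_ciphers_offbyone, 21));
    printf("checked,    21-byte buffer: canary clobbered = %d, output \"%s\"\n",
           overruns_buffer(join_ciphers_checked, 21), joined_demo(21));
    printf("checked,    22-byte buffer: output \"%s\"\n", joined_demo(22));
    return 0;
}
```

The corrected check reserves the byte for the separator or NUL up front rather than trusting the later NUL store to stay in range; that single reserved byte is the whole difference between the two variants, which is why a patch that merely shrinks how far the copy runs can leave the last byte unaccounted for.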
- OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow, security advisory by Moritz Jodeit