exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OpenSSL Security Advisory 20031104

OpenSSL Security Advisory 20031104
Posted Nov 4, 2003
Site openssl.org

OpenSSL Security Advisory 20031104 - A bug in OpenSSL 0.9.6 would cause certain ASN.1 sequences to trigger a large recursion. On platforms such as Windows this large recursion cannot be handled correctly and so the bug causes OpenSSL to crash. A remote attacker could exploit this flaw if they can send arbitrary ASN.1 sequences which would cause OpenSSL to crash. This could be performed for example by sending a client certificate to a SSL/TLS enabled server which is configured to accept them.

tags | advisory, remote, arbitrary
systems | windows
advisories | CVE-2003-0851
SHA-256 | 409756506e14f27eaed3fa2e17e064358dee057651432c52488fd3436c6babf8

OpenSSL Security Advisory 20031104

Change Mirror Download
OpenSSL Security Advisory [4 November 2003]

Denial of Service in ASN.1 parsing
==================================

Previously, OpenSSL 0.9.6k was released on the 30 September 2003 to
address various ASN.1 issues. The issues were found using a test
suite from NISCC (www.niscc.gov.uk) and fixed by Dr Stephen Henson
(steve@openssl.org) of the OpenSSL core team.

Subsequent to that release, Novell Inc. carried out further testing
using the NISCC suite. They discovered that there was a denial of
service vulnerability in OpenSSL version 0.9.6k when running on a
Windows platform.

A bug in OpenSSL 0.9.6 would cause certain ASN.1 sequences to trigger
a large recursion. On platforms such as Windows this large recursion
cannot be handled correctly and so the bug causes OpenSSL to crash. A
remote attacker could exploit this flaw if they can send arbitrary
ASN.1 sequences which would cause OpenSSL to crash. This could be
performed for example by sending a client certificate to a SSL/TLS
enabled server which is configured to accept them.

We do not believe this issue could be exploited further than a Denial
of Service attack.

Patches for this issue have been created by Dr Stephen Henson
(steve@openssl.org) of the OpenSSL core team.

Who is affected?
----------------

OpenSSL 0.9.6k is affected by the bug, but the denial of service does
not affect all platforms. This issue does not affect OpenSSL 0.9.7.
Currently only OpenSSL running on Windows platforms is known to crash.

Recommendations
---------------

Upgrade to OpenSSL 0.9.6l or 0.9.7c. Recompile any OpenSSL
applications statically linked to OpenSSL libraries.

OpenSSL 0.9.6l is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
https://www.openssl.org/source/mirror.html):

o https://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-0.9.6l.tar.gz [normal]
MD5 checksum: 843a65ddc56634f0e30a4f9474bb5b27
o openssl-engine-0.9.6l.tar.gz [engine]
MD5 checksum: dd372198cdf31667f2cb29cd76fbda1c

The checksums were calculated using the following command:

openssl md5 < openssl-0.9.6l.tar.gz
openssl md5 < openssl-engine-0.9.6l.tar.gz

References
----------

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0851 to this issue.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0851

URL for this Security Advisory:
https://www.openssl.org/news/secadv_20031104.txt
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close