New Fix for OpenSSL Bug

Monday, April 30, 2012 @ 07:04 PM gHale


OpenSSL developers have to re-release the fix for a serious vulnerability in the software’s ASN.1 implementation that could allow an attacker to cause a denial of service or potentially run arbitrary code on a remote machine.

The updated fix only applies to version 0.9.8v; all of the other previously affected versions already have protection with the existing patch.

RELATED STORIES
Scripting Language Security Fixes
Ruby Fixes RubyGems Security
OpenSSL Closes Security Holes
OpenSSL Not Completely Secure

OpenSSL released the original advisory and fix for the CVE-2012-2110 vulnerability last week, fixing the bug in versions 0.9.8, 1.0.1a and 1.0.0i. But after releasing the fixes, Red Hat discovered the fix for version 0.9.8 didn’t completely address the vulnerability, hence the new patch.

“The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key,” according to the description of the bug in the National Vulnerability Database.

OpenSSL developers are encouraging users to upgrade to the patched versions as soon as they can.



Leave a Reply

You must be logged in to post a comment.