
Multiple Vulnerabilities in OpenSSL Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2016-070

DATE(S) ISSUED:

05/03/2016

OVERVIEW:

Multiple vulnerabilities have been discovered in OpenSSL, the most severe of which could allow for arbitrary code execution. OpenSSL is an open-source implementation of the SSL and TLS protocols used by a number of applications and products. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols which ensure secure communication over the Internet via encryption. Successful exploitation of these vulnerabilities could result in arbitrary code execution in the context of the application, an attacker gaining elevated privileges, gaining sensitive information or bypassing security restrictions. Failed exploit attempts will most likely result in denial-of-service conditions.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • OpenSSL versions 1.0.2 prior to 1.0.2h
  • OpenSSL versions 1.0.1 prior to 1.0.1t
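
A version check for the two affected branches listed above, as an added example that is not part of the original advisory. The function names and sample version strings are assumptions constructed for illustration. A match only flags a candidate for review, because distribution packages often backport fixes without changing the version letter.

```python
import re

# First fixed release per affected branch, taken from the advisory's list.
FIXED_LETTER = {(1, 0, 2): "h", (1, 0, 1): "t"}

# Finds "1.0.1f" in strings such as "OpenSSL 1.0.1f 6 Jan 2014" or "1.0.1e-fips".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), patch_letters) from a version string."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no OpenSSL-style version in {text!r}")
    branch = tuple(int(part) for part in match.group(1, 2, 3))
    return branch, match.group(4)


def patch_rank(letters):
    """Order patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' (as in 0.9.8zh)."""
    return (len(letters), letters)


def is_affected(text):
    """True if the version falls in a branch and range listed in the advisory."""
    branch, letters = parse_version(text)
    fixed = FIXED_LETTER.get(branch)
    if fixed is None:
        return False  # branch not listed in this advisory
    return patch_rank(letters) < patch_rank(fixed)


if __name__ == "__main__":
    import ssl  # reports the OpenSSL build this Python interpreter links against

    # Constructed sample inputs in the style of `openssl version` output.
    samples = ["OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.2h", "1.0.1e-fips"]
    for version in samples + [ssl.OPENSSL_VERSION]:
        status = "AFFECTED (verify vendor patch level)" if is_affected(version) else "not listed"
        print(f"{version:35} {status}")
```
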

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: HIGH

TECHNICAL SUMMARY:

OpenSSL is prone to multiple vulnerabilities, the most severe of which could allow for arbitrary code execution. The vulnerabilities are as follows:

Multiple arbitrary code execution vulnerabilities exist in the 'EVP_EncodeUpdate()' and 'EVP_EncryptUpdate()' functions, which fail to adequately bounds-check user-supplied data before copying it into an insufficiently sized buffer. (CVE-2016-2105, CVE-2016-2106)

A memory exhaustion vulnerability exists in the BIO functions when they parse ASN.1 data. (CVE-2016-2109)

Multiple information disclosure vulnerabilities exist in OpenSSL. (CVE-2016-2107, CVE-2016-2176)

Successful exploitation of these vulnerabilities could result in arbitrary code execution in the context of the application, an attacker gaining elevated privileges, gaining sensitive information or bypassing security restrictions. Failed exploit attempts will most likely result in denial-of-service conditions.

Successful exploitation of these vulnerabilities could result in remote code execution in the context of the application, an attacker gaining elevated privileges, blocking access to a Bluetooth device, or bypassing security restrictions.

RECOMMENDATIONS:

We recommend the following actions be taken:

Apply appropriate updates provided by OpenSSL and/or applicable vendors to vulnerable systems, immediately after appropriate testing.

Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

Do not use the same OpenSSL private keys across multiple systems and update OpenSSL keys periodically.

Disable legacy support for SSLv2 and v3, and TLS 1.0 and 1.1. Migrate fully to TLS 1.2 where possible after appropriate testing.


CIS Controls That Help Avoid This Issue:

  • CIS Control 4: Continuous Vulnerability Assessment and Remediation
  • CIS Control 18: Application Software Security