
Multiple Vulnerabilities in OpenSSL Could Allow for Remote Code Execution.

MS-ISAC ADVISORY NUMBER:

2016-147

DATE(S) ISSUED:

09/26/2016

OVERVIEW:

Multiple vulnerabilities have been discovered in OpenSSL, the most severe of which could allow for remote code execution. OpenSSL is an open-source implementation of the SSL and TLS protocols used by a number of applications and products. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols which ensure secure communication over the Internet via encryption. Successful exploitation of the most severe of these vulnerabilities could result in the attacker executing remote code in the context of the user running the affected application. Failed exploit attempts will most likely result in denial-of-service conditions.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • OpenSSL version 1.1.0a
  • OpenSSL version 1.0.2i

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: N/A

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in OpenSSL, the most severe of which could allow for remote code execution. The vulnerabilities are as follows:

  • OpenSSL is prone to a remote code execution vulnerability because of a use-after-free error. Specifically, this issue occurs when the incoming message size is larger than 16k. (CVE-2016-6309)
  • Any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. (CVE-2016-7052)

Successful exploitation of the most severe of these vulnerabilities could result in the attacker executing remote code in the context of the user running the affected application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Failed exploit attempts will likely result in denial-of-service conditions.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by OpenSSL and/or applicable vendors to vulnerable systems, immediately after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Do not use the same OpenSSL private keys across multiple systems and update OpenSSL keys periodically.
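An inventory check is the first step before applying the updates above: parse the version banner each host reports and flag the two affected releases named in this advisory. The script below is an added example, not CIS or OpenSSL code; the host names and banners are constructed sample data, and the only affected versions it knows are the two listed under SYSTEMS AFFECTED.

```python
import re

# Affected releases exactly as listed in this advisory (MS-ISAC 2016-147).
AFFECTED = {
    (1, 1, 0, "a"): ["CVE-2016-6309"],  # use-after-free on messages > 16k
    (1, 0, 2, "i"): ["CVE-2016-7052"],  # NULL pointer crash when using CRLs
}

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.0.2i  22 Sep 2016".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) for an OpenSSL version banner.

    The trailing letter is OpenSSL's patch-release marker. A release with
    no letter (1.1.0) is kept as '' so it stays distinct from 1.1.0a.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def affected_cves(banner):
    """CVEs from this advisory that apply to the build named in the banner."""
    return list(AFFECTED.get(parse_openssl_version(banner), []))


def check_host_banners(banners):
    """Map each host to its matching advisory CVEs; None means unparseable banner."""
    report = {}
    for host, banner in banners.items():
        try:
            report[host] = affected_cves(banner)
        except ValueError:
            report[host] = None  # e.g. LibreSSL or a custom build: review by hand
    return report


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_BANNERS = {
    "web-01": "OpenSSL 1.0.2i  22 Sep 2016",
    "web-02": "OpenSSL 1.1.0a  22 Sep 2016",
    "web-03": "OpenSSL 1.0.2h  3 May 2016",
    "web-04": "LibreSSL 2.4.1",
}

if __name__ == "__main__":
    for host, cves in sorted(check_host_banners(SAMPLE_BANNERS).items()):
        status = "needs manual review" if cves is None else (", ".join(cves) or "not listed")
        print(host, status)
```

Banners come from running `openssl version` on each host; a distribution that backports fixes without changing the letter will need its own package advisory checked as well.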

REFERENCES:


Protect Your Systems from Cyber Threats Like This

CIS Controls That Help Avoid This Issue:
  • CIS Control 4: Continuous Vulnerability Assessment and Remediation
  • CIS Control 18: Application Software Security
CIS Benchmark and Other Tools for Related Technology:
  • Apache HTTP Server