Vulnerability in OpenSSL Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2016-141

DATE(S) ISSUED:

09/19/2016

OVERVIEW:

A vulnerability has been discovered in OpenSSL which could allow for arbitrary code execution. OpenSSL is an open-source implementation of the SSL and TLS protocols used by a number of applications and products. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols which ensure secure communication over the Internet via encryption. Successful exploitation could result in the attacker executing arbitrary code in the context of the user running the affected application. Failed exploit attempts will most likely result in denial-of-service conditions.

THREAT INTELLIGENCE:

There are currently no reports of the vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • OpenSSL versions prior to 1.1.0

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: HIGH

TECHNICAL SUMMARY:

OpenSSL is prone to a vulnerability which could allow for arbitrary code execution. The vulnerability is as follows:

OpenSSL is prone to an integer-overflow vulnerability that leads to an out-of-bounds write. Specifically, this issue affects the 'MDC2_Update()' function in the 'crypto/mdc2/mdc2dgst.c' source file.

Successful exploitation could result in the attacker executing arbitrary code in the context of the user running the affected application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Failed exploit attempts will likely result in denial-of-service conditions.
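To make the vulnerability class concrete, the following is an added example (not OpenSSL's code and not the actual MDC2 fix): a hypothetical block-buffered "update" routine in which a length check computed in `size_t` can wrap around, shown next to the overflow-proof form a code reviewer would ask for. All names (`demo_ctx`, `fits_unchecked`, `fits_checked`, `demo_update`, `BLOCK_SIZE`) are assumptions for illustration.

```c
/* Added example, not OpenSSL source: illustrates how a buffered-length check
 * in a hash update routine can overflow and how to write it safely.
 * All identifiers below are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE 16   /* one partial block of pending input */

typedef struct {
    unsigned char data[BLOCK_SIZE]; /* bytes awaiting a full-block digest step */
    unsigned int num;               /* how many of data[] are in use (0..15) */
} demo_ctx;

/* Weak check: num + len is evaluated in size_t, so a huge len wraps the sum
 * to a small value, the check passes, and a following memcpy would write
 * past the end of data[]. */
int fits_unchecked(unsigned int num, size_t len)
{
    return (num + len) < BLOCK_SIZE;
}

/* Hardened check: rearranged so no addition can overflow. num is always
 * below BLOCK_SIZE, so BLOCK_SIZE - num is a small, exact bound on len. */
int fits_checked(unsigned int num, size_t len)
{
    return num < BLOCK_SIZE && len < (size_t)(BLOCK_SIZE - num);
}

/* Buffers input using the hardened check. Returns 1 on success, 0 when the
 * input does not fit in the partial block (instead of writing out of
 * bounds). A real digest would process full blocks here; this demo only
 * shows the bounds logic. */
int demo_update(demo_ctx *c, const unsigned char *in, size_t len)
{
    if (!fits_checked(c->num, len))
        return 0;
    memcpy(c->data + c->num, in, len);
    c->num += (unsigned int)len;
    return 1;
}
```

The weak form accepts `len = SIZE_MAX - 4` with 8 bytes already buffered because the sum wraps to 3; the hardened form rejects it.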

RECOMMENDATIONS:

We recommend the following actions be taken:
  • Apply appropriate updates provided by OpenSSL and/or applicable vendors to vulnerable systems, immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not use the same OpenSSL private keys across multiple systems, and update OpenSSL keys periodically.
