Info

Disclosure

Sep 28, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

OpenSSL contains a flaw that may allow a remote denial of service. The issue is triggered due to an error in processing malformed ASN.1 structures which may lead to infinite loop and consumption of memory, and will result in loss of availability for the service.

Classification

Location: Remote / Network Access
Attack Type: Denial of Service
Impact: Loss of Availability
Disclosure: OSVDB Verified

Solution

Upgrade to version 0.9.7l, 0.9.8d or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

The OpenSSL Project	OpenSSL	0.9.7
		0.9.8

CyberGuard Corporation

SnapGear

3.1.4u1

References

CVE ID: 2006-2937 (see also: NVD)
Secunia Advisory ID: 22094 22116 22130 22165 22166 22172 22186 22193 22207 22212 22216 22220 22232 22240 22259 22260 22284 22298 22330 22385 22460 22487 22544 22626 22671 22689 22758 22772 22799 22898 23038 23131 23155 23280 23309 23340 23351 23680 23785 23915 24930 24950 25420 25889 26329 27012 27021 27031 27051 27229 27706 29413 30124 31492 31531
SCIP VulDB ID: 2574
Related OSVDB ID: 29261 29262 29263
Other Advisory URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-007.txt.asc http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c00967144&jumpid=reg_R1002_USEN
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
http://lists.rpath.com/pipermail/security-announce/2007-October/000259.html
http://marc.theaimsgroup.com/?l=bind-announce&m=116253119512445&w=2
http://security.freebsd.org/advisories/FreeBSD-SA-07:08.openssl.asc
http://support.attachmate.com/techdocs/2374.html
http://www.debian.org/security/2007/dsa-1379
http://www.gentoo.org/security/en/glsa/glsa-200610-11.xml
http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml
http://www.gentoo.org/security/en/glsa/glsa-200711-23.xml
http://www.ipcop.org/modules.php?op=modload&name=News&file=article&sid=31&mode=thread&order=0&thold=0
http://www.novell.com/linux/security/advisories/2007_20_sr.html
http://www.trustix.org/errata/2006/0063/
http://www.ubuntu.com/usn/usn-522-1
http://www.us.debian.org/security/2006/dsa-1185
http://www.xerox.com/downloads/usa/en/c/cert_ESSNetwork_XRX07001_v1.pdf
https://issues.rpath.com/browse/RPL-613
Vendor Specific Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc http://docs.info.apple.com/article.html?artnum=304829
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
http://kolab.org/security/kolab-vendor-notice-11.txt
http://lists.suse.com/archive/suse-security-announce/2006-Oct/0001.html
http://lists.suse.com/archive/suse-security-announce/2006-Sep/0013.html
http://openbsd.org/errata.html#openssl2
http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.566955
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102747-1
http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm
http://support.avaya.com/elmodocs2/security/ASA-2006-262.htm
http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
http://www.f-secure.com/security/fsc-2006-6.shtml
http://www.mandriva.com/security/advisories?name=MDKSA-2006:172-1
http://www.mandriva.com/security/advisories?name=MDKSA-2006:177
http://www.mandriva.com/security/advisories?name=MDKSA-2006:178
http://www.openssl.org/news/secadv_20060928.txt
http://www.trustix.org/errata/2006/0054/
http://www.ubuntu.com/usn/usn-353-1
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
https://issues.rpath.com/browse/RPL-613
Keyword: HPSBMA02250,SSRT061275 HPSBTU02207,SSRT061239,c00967144
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0295.html
http://archives.neohapsis.com/archives/bugtraq/2007-06/0347.html
http://archives.neohapsis.com/archives/bugtraq/2007-08/0069.html
News Article: http://news.com.com/Apple+Mac+OS+X+patch+plugs+31+vulnerabilities/2100-1002_3-6139117.html
Vendor Specific News/Changelog Entry: http://openvpn.net/changelog.html
http://sourceforge.net/forum/forum.php?forum_id=617485
http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
http://www.cyberguard.info/snapgear/releases.html
http://www.ingate.com/relnote-452.php
http://www.serv-u.com/releasenotes/
http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
RedHat RHSA: RHSA-2006:0695

Credit

Dr. S. N. Henson - The OpenSSL Project
Open Network Security - Open Network Security

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

The OpenSSL Project

OpenSSL

CyberGuard Corporation

SnapGear

References

Credit