OpenSSL PKCS7_dataDecode Function Denial of Service Vulnerability (CVE-2015-1790)

OpenSSL PKCS7_dataDecode Function Denial of Service Vulnerability (CVE-2015-1790)
OpenSSL PKCS7_dataDecode Function Denial of Service Vulnerability (CVE-2015-1790)

Release date:
Updated on:

Affected Systems:

OpenSSL Project OpenSSL 〈 0.9.8zg
OpenSSL Project OpenSSL < 1.0.2b
OpenSSL Project OpenSSL < 1.0.1n
OpenSSL Project OpenSSL < 1.0.0s

Description:

CVE (CAN) ID: CVE-2015-1790

OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications.

The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c has a security vulnerability in OpenSSL versions earlier than 0.9.8zg, 1.0.0s, 1.0.1n, and 1.0.2b, remote attackers can exploit this vulnerability to cause DoS by using the PKCS #7 blob encoded by ASN.1 and without the internal EncryptedContent data (indirect NULL pointer reference and application crash ).

<* Source: Michal zarewski

Link: https://www.openssl.org/news/secadv_20150611.txt
*>

Suggestion:

Vendor patch:

OpenSSL Project
---------------
The OpenSSL Project has released a Security Bulletin (secadv_20150611) and corresponding patches:
Secadv_20150611: OpenSSL Security Advisory [11 Jun 2015]
Link: https://www.openssl.org/news/secadv_20150611.txt

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.

Use OpenSSL to generate certificates in Linux

Use OpenSSL to sign multi-domain certificates

OpenSSL details: click here
OpenSSL: click here

This article permanently updates the link address: