OpenSSL "asn1_d2i_read_bio()" DER Format Data Processing Vulnerability
Release date: 2012-04-19
Updated on: 2012-04-20
Affected Systems:
OpenSSL Project OpenSSL 1.x
OpenSSL Project OpenSSL 0.x
Unaffected Systems:
OpenSSL Project OpenSSL 1.0.1a
OpenSSL Project OpenSSL 1.0.0i
OpenSSL Project OpenSSL 0.9.8v
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 53158
CVE ID: CVE-2012-2110
OpenSSL is an open-source SSL implementation that provides high-strength encryption for network communication and is widely used in network applications.
When OpenSSL processes DER-format data, a type conversion error in the "asn1_d2i_read_bio()" function can be exploited to cause a heap buffer overflow and arbitrary code execution. The affected platform is a 64-bit system.
<* Source: Tavis Ormandy (taviso@gentoo.org)
Link: http://www.openssl.org/news/secadv_20120419.txt
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
OpenSSL Project
---------------
The OpenSSL Project has released a Security Bulletin (secadv_20120419) and corresponding patches:
secadv_20120419: OpenSSL Security Advisory [19 Apr 2012]
Link: http://www.openssl.org/news/secadv_20120419.txt
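The following is an added example, not part of the original advisory or of OpenSSL: a triage helper that classifies `openssl version` strings against the fixed releases listed above (1.0.1a, 1.0.0i, 0.9.8v). The function names and the sample inventory are constructed for illustration, and the check assumes upstream version strings; distribution packages may backport the fix without changing the version letter, so confirm against the vendor's own advisory.

```python
import re

# First fixed release on each branch, from the advisory's "Unaffected" list.
FIXED_LETTER = {(1, 0, 1): "a", (1, 0, 0): "i", (0, 9, 8): "v"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def patch_key(letters):
    # OpenSSL patch letters sort "" < "a" < ... < "z" < "za" < "zb".
    return (len(letters), letters)


def classify(version_text):
    """Return 'fixed', 'affected', 'unlisted' or 'unparsed' for a version string."""
    match = VERSION_RE.search(version_text)
    if match is None:
        return "unparsed"
    branch = tuple(int(part) for part in match.group(1, 2, 3))
    fixed = FIXED_LETTER.get(branch)
    if fixed is None:
        # The advisory names no fixed release for this branch.
        return "unlisted"
    if patch_key(match.group(4)) >= patch_key(fixed):
        return "fixed"
    return "affected"


def triage(inventory):
    """Map each host to its status; hosts needing attention sort first."""
    order = {"affected": 0, "unlisted": 1, "unparsed": 2, "fixed": 3}
    results = {host: classify(text) for host, text in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: (order[kv[1]], kv[0])))


# Constructed sample inventory: host -> output of `openssl version`.
SAMPLE = {
    "web01": "OpenSSL 1.0.1 14 Mar 2012",
    "web02": "OpenSSL 1.0.1a 19 Apr 2012",
    "mail01": "OpenSSL 0.9.8k 25 Mar 2009",
    "vpn01": "OpenSSL 1.0.0i 19 Apr 2012",
    "legacy01": "OpenSSL 0.9.7m 23 Feb 2007",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:10} {status}")
```

A result of "unlisted" means the advisory names no fixed release for that branch, so the host needs a manual decision rather than being treated as safe.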