OpenSSL BN_GF2m_mod_inv Function Denial of Service Vulnerability (CVE-2015-1788)
Release date:
Updated on:
Affected Systems:
OpenSSL Project OpenSSL <1.0.2b
OpenSSL Project OpenSSL <1.0.1n
OpenSSL Project OpenSSL <1.0.0e
OpenSSL Project OpenSSL <0.9.8s
Description:
CVE (CAN) ID: CVE-2015-1788
OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications.
In versions earlier than OpenSSL 0.9.8s, 1.0.0e, 1.0.1n, and 1.0.2b, the function BN_GF2m_mod_inv in crypto/bn/bn_gf2m.c does not properly process the ECParameters structure. Remote attackers can exploit this vulnerability through a session that uses an Elliptic Curve algorithm to cause a denial of service (infinite loop).
<* Source: Joseph Birr-Pixton
Link: https://www.openssl.org/news/secadv_20150611.txt
*>
Suggestion:
Vendor patch:
OpenSSL Project
---------------
The OpenSSL Project has released a Security Bulletin (secadv_20150611) and corresponding patches:
secadv_20150611: OpenSSL Security Advisory [11 Jun 2015]
Link: https://www.openssl.org/news/secadv_20150611.txt
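To triage hosts against the affected-release list above, the following added example (not part of the advisory or of OpenSSL's code) classifies an `openssl version` string by branch and patch letter. The function name and the sample strings are assumptions made for illustration; distribution packages often backport fixes without changing the upstream letter, so an "affected" result is a prompt to check the package changelog.

```python
import re

# First fixed release per branch, taken from the "Affected Systems" list above.
FIXED = {"1.0.2": "b", "1.0.1": "n", "1.0.0": "e", "0.9.8": "s"}

# Matches "OpenSSL 1.0.1m ...", "1.0.1e-fips", "0.9.8zg"; trailing text is ignored.
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+\.\d+\.\d+)([a-z]*)")


def _patch_key(letters):
    # Patch letters run a..z, then za, zb, ...; "" is the base release.
    # Ordering by (length, text) keeps "" < "a" < "z" < "za" < "zg".
    return (len(letters), letters)


def check_cve_2015_1788(version_text):
    """Return 'affected', 'fixed' or 'unlisted' for an OpenSSL version string."""
    m = _VERSION_RE.match(version_text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version_text!r}")
    branch, letters = m.groups()
    if branch not in FIXED:
        # The page gives no threshold for this branch, so make no claim.
        return "unlisted"
    if _patch_key(letters) < _patch_key(FIXED[branch]):
        return "affected"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample strings, not taken from real hosts.
    samples = [
        "OpenSSL 1.0.1m",
        "OpenSSL 1.0.2b",
        "1.0.1e-fips",
        "0.9.8zg",
        "OpenSSL 3.0.2",
    ]
    for s in samples:
        print(f"{s:20} {check_cve_2015_1788(s)}")
```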