This script is Copyright (C) 2015 Tenable Network Security, Inc.
The remote SSL server is vulnerable to remote code execution.
PolarSSL contains a flaw when parsing ASN.1 sequences from X.509
certificates due to freeing an uninitialized pointer by the function
'asn1_get_sequence_of' within file 'asn1parse.c'. An unauthenticated,
remote attacker, using a specially crafted certificate, can exploit
this flaw to cause a denial of service or execute arbitrary code.
This plugin sends client certificates with an X.509 Extended Key Usage
extension that contains a malformed key purpose OID. PolarSSL
allocates a 'asn1_sequence' structure to store the OID. For this
plugin to work, the following conditions must be met :
- (1) The 'next' field of the allocated 'asn_sequence'
structure for the malformed key purpose OID must be
- (2) The SSL server requests a client certificate.
See also :
Follow the instructions in the vendor advisory.
Risk factor :
Medium / CVSS Base Score : 6.8