PolarSSL 'asn1_get_sequence_of' Function Uninitialized Pointer RCE

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote SSL server is vulnerable to remote code execution.

Description :

PolarSSL contains a flaw when parsing ASN.1 sequences from X.509
certificates: the function 'asn1_get_sequence_of' in 'asn1parse.c' can
leave the 'next' pointer of a freshly allocated list node uninitialized
when parsing stops early, and that pointer is later passed to free. An
unauthenticated, remote attacker, using a specially crafted certificate,
can exploit this flaw to cause a denial of service or execute arbitrary
code.

This plugin sends client certificates with an X.509 Extended Key Usage
extension that contains a malformed key purpose OID. PolarSSL allocates
an 'asn1_sequence' structure to store each OID in the extension. For
this plugin to work, the following conditions must be met :

- (1) The 'next' field of the 'asn1_sequence' structure
allocated for the malformed key purpose OID must be
non-zero. The allocation is not zeroed, so this depends on
what the heap hands back.

- (2) The SSL server requests a client certificate
(otherwise the crafted certificate is never parsed).
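To make the failure mode concrete, the following is an added example
(not PolarSSL's code and not the plugin) that models the shape of
'asn1_get_sequence_of': a SEQUENCE OF OID walker that allocates a new
list node whenever another element follows, and only writes the final
'next = NULL' after every element parsed. The two DER blobs are
constructed for this example; the 'hardened' flag applies the fix of
zeroing each node right after allocation. The allocator deliberately
fills fresh memory with 0xAA so the uninitialized 'next' is observable
and deterministic, which is an assumption about heap contents, not
something a real heap guarantees (that is exactly condition (1) above).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define TAG_OID      0x06
#define TAG_SEQ      0x30
#define ERR_BAD_TAG  (-1)
#define ERR_LEN      (-2)
#define ERR_MALLOC   (-3)

typedef struct { int tag; size_t len; const unsigned char *p; } asn1_buf;
typedef struct asn1_sequence {
    asn1_buf buf;
    struct asn1_sequence *next;
} asn1_sequence;

/* Allocation log: lets the example free nodes without following 'next',
 * and models a heap that hands back dirty memory (0xAA pattern). */
static void *allocs[16];
static int nallocs;

static void *dirty_malloc(size_t n) {
    void *m = malloc(n);
    if (m) { memset(m, 0xAA, n); if (nallocs < 16) allocs[nallocs++] = m; }
    return m;
}

static void release_all(void) { while (nallocs > 0) free(allocs[--nallocs]); }

/* Minimal tag+length reader: single-byte tag, short-form length only. */
static int get_tag(const unsigned char **p, const unsigned char *end,
                   size_t *len, int tag) {
    if (*p >= end || **p != tag) return ERR_BAD_TAG;
    if (end - *p < 2) return ERR_LEN;
    *len = (*p)[1];
    if (*len > 0x7F) return ERR_LEN;          /* long form not modelled */
    *p += 2;
    if ((size_t)(end - *p) < *len) return ERR_LEN;
    return 0;
}

/* Model of the vulnerable walker. 'cur' is the caller's (zeroed) head. */
static int get_sequence_of(const unsigned char **p, const unsigned char *end,
                           asn1_sequence *cur, int tag, int hardened) {
    int ret; size_t len; asn1_buf *buf;

    if ((ret = get_tag(p, end, &len, TAG_SEQ)) != 0) return ret;
    if (*p + len != end) return ERR_LEN;

    while (*p < end) {
        buf = &cur->buf;
        buf->tag = **p;
        /* A malformed key purpose (non-OID element) fails here and we
         * return before the final 'cur->next = NULL' below is reached. */
        if ((ret = get_tag(p, end, &buf->len, tag)) != 0) return ret;
        buf->p = *p;
        *p += buf->len;

        if (*p < end) {                       /* another element follows */
            cur->next = (asn1_sequence *)dirty_malloc(sizeof(asn1_sequence));
            if (cur->next == NULL) return ERR_MALLOC;
            if (hardened)                     /* the fix: zero the new node */
                memset(cur->next, 0, sizeof(asn1_sequence));
            cur = cur->next;
        }
    }
    cur->next = NULL;                         /* only reached on full parse */
    return 0;
}

/* Parses 'der' into a zeroed head node; returns 1 if the last heap node
 * (if any) has a NULL 'next', 0 if it still holds allocator garbage.
 * A cleanup loop that walks 'next' would free that garbage pointer. */
static int last_node_terminated(const unsigned char *der, size_t n,
                                int hardened, int *ret_out) {
    asn1_sequence head; const unsigned char *p = der; int terminated = 1;
    memset(&head, 0, sizeof head);
    nallocs = 0;
    int ret = get_sequence_of(&p, der + n, &head, TAG_OID, hardened);
    if (ret_out) *ret_out = ret;
    if (nallocs > 0)
        terminated = (((asn1_sequence *)allocs[nallocs - 1])->next == NULL);
    release_all();                            /* free via the log, not 'next' */
    return terminated;
}

static int parse_result(const unsigned char *der, size_t n, int hardened) {
    int r; (void)last_node_terminated(der, n, hardened, &r); return r;
}

/* Constructed EKU values. VALID: serverAuth OID then a short OID 1.3.6.
 * MALFORMED: serverAuth OID followed by an OCTET STRING (tag 0x04) where
 * a second key purpose OID is expected. */
static const unsigned char VALID_EKU[] = {
    0x30, 0x0e, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
    0x06, 0x02, 0x2b, 0x06 };
static const unsigned char MALFORMED_EKU[] = {
    0x30, 0x0d, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
    0x04, 0x01, 0x00 };

int main(void) {
    int r;
    printf("valid, unpatched : ret=%d next terminated=%d\n",
           parse_result(VALID_EKU, sizeof VALID_EKU, 0),
           last_node_terminated(VALID_EKU, sizeof VALID_EKU, 0, &r));
    printf("malformed, unpatched: ret=%d next terminated=%d\n",
           parse_result(MALFORMED_EKU, sizeof MALFORMED_EKU, 0),
           last_node_terminated(MALFORMED_EKU, sizeof MALFORMED_EKU, 0, &r));
    printf("malformed, patched  : ret=%d next terminated=%d\n",
           parse_result(MALFORMED_EKU, sizeof MALFORMED_EKU, 1),
           last_node_terminated(MALFORMED_EKU, sizeof MALFORMED_EKU, 1, &r));
    return 0;
}
```

The unpatched walker returns an error for the malformed value exactly as
the patched one does; the difference is only visible in the node it left
behind, whose 'next' is whatever the allocator delivered. That is why the
bug is a free of an uninitialized pointer rather than a parse-time crash,
and why the plugin's success depends on heap state rather than on the
certificate alone.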

See also :

http://www.nessus.org/u?8e6caee6
http://www.certifiedsecure.com/polarssl-advisory/

Solution :

Follow the instructions in the vendor advisory.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: General

Nessus Plugin ID: 81047

CVE ID: CVE-2015-1182
