OpenSSL 1.1.0 < 1.1.0a Multiple Vulnerabilities

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote service is affected by multiple vulnerabilities.

Description :

According to its banner, the remote host is running a version of
OpenSSL 1.1.0 prior to 1.1.0a. It is, therefore, affected by the
following vulnerabilities :

- A flaw exists in the ssl_parse_clienthello_tlsext()
function in t1_lib.c due to improper handling of overly
large OCSP Status Request extensions from clients. An
unauthenticated, remote attacker can exploit this, via
large OCSP Status Request extensions, to exhaust memory
resources, resulting in a denial of service condition.
(CVE-2016-6304)

- A flaw exists in the SSL_peek() function in
rec_layer_s3.c due to improper handling of empty
records. An unauthenticated, remote attacker can exploit
this, by triggering a zero-length record in an SSL_peek
call, to cause an infinite loop, resulting in a denial
of service condition. (CVE-2016-6305)

- A denial of service vulnerability exists in the
state-machine implementation due to a failure to check
for an excessive length before allocating memory. An
unauthenticated, remote attacker can exploit this, via a
crafted TLS message, to exhaust memory resources.
(CVE-2016-6307)

- A denial of service vulnerability exists in the DTLS
implementation due to improper handling of excessively
long DTLS messages. An unauthenticated, remote attacker
can exploit this, via a crafted DTLS message, to exhaust
available memory resources. (CVE-2016-6308)

- A flaw exists in the GOST ciphersuites due to the use of
long-term keys to establish an encrypted connection. A
man-in-the-middle attacker can exploit this, via a Key
Compromise Impersonation (KCI) attack, to impersonate
the server. (VulnDB 144759)

See also :

https://www.openssl.org/news/secadv/20160922.txt
http://www.nessus.org/u?09b29b30

Solution :

Upgrade to OpenSSL version 1.1.0a or later.

Note that the GOST ciphersuites vulnerability (VulnDB 144759) is not
yet fixed by the vendor in an official release; however, a patch for
the issue has been committed to the OpenSSL GitHub repository.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 5.8
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Web Servers

Nessus Plugin ID: 93816

Bugtraq ID: 93149
93150
93151
93152

CVE ID: CVE-2016-6304
CVE-2016-6305
CVE-2016-6307
CVE-2016-6308
