PolarSSL 'asn1_get_sequence_of' Function Uninitialized Pointer RCE

Medium Nessus Plugin ID 81047


The remote SSL server is vulnerable to remote code execution.


PolarSSL contains a flaw in its parsing of ASN.1 sequences from X.509 certificates: the function 'asn1_get_sequence_of' in the file 'asn1parse.c' frees an uninitialized pointer. An unauthenticated, remote attacker, using a specially crafted certificate, can exploit this flaw to cause a denial of service or execute arbitrary code.

This plugin sends client certificates with an X.509 Extended Key Usage extension that contains a malformed key purpose OID. PolarSSL allocates an 'asn1_sequence' structure to store the OID. For this plugin to work, the following conditions must be met:

- (1) The 'next' field of the allocated 'asn1_sequence' structure for the malformed key purpose OID must be non-zero.

- (2) The SSL server requests a client certificate.
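
The description above names the bug class but does not show it in code. The following constructed C illustration, which is not PolarSSL's source, models the hardened shape: a linked list of sequence entries is built while parsing, every freshly allocated node is zeroed before any early return, and the caller's cleanup routine can therefore walk and free a partially built list safely after a parse error. The [tag][len][bytes] framing and all names (seq_node, seq_parse, seq_free) are assumptions.

```c
/* Constructed illustration of the bug class described above (not PolarSSL's
 * source): a linked list of parsed sequence entries where an error on a later
 * entry must not leave a fresh node with an uninitialised 'next', since the
 * caller's cleanup walks and frees that field. Framing and names are assumed. */
#include <stdlib.h>

typedef struct seq_node {
    const unsigned char *p;   /* start of this entry's content in the input */
    size_t len;
    struct seq_node *next;
} seq_node;

/* Caller's cleanup, run on success and failure alike; root node is caller-owned. */
void seq_free(seq_node *first)
{
    seq_node *cur = first->next;
    while (cur != NULL) {
        seq_node *nxt = cur->next;
        free(cur);
        cur = nxt;
    }
    first->next = NULL;
}

/* Parse [tag][len][len bytes] entries into the list rooted at 'first'.
 * Returns 0 on success, -1 on malformed input. Every node is zeroed by
 * calloc before any early return, so a failure on a later entry never
 * leaves 'next' holding garbage for seq_free to free. */
int seq_parse(const unsigned char *p, const unsigned char *end,
              seq_node *first, unsigned char tag)
{
    seq_node *cur = first;
    cur->next = NULL;                 /* the caller's root may be uninitialised */
    while (p < end) {
        if (end - p < 2 || p[0] != tag)
            return -1;                /* bad tag or truncated header */
        size_t len = p[1];
        if ((size_t)(end - p - 2) < len)
            return -1;                /* declared length runs past the buffer */
        cur->p = p + 2; cur->len = len;
        p += 2 + len;
        if (p < end) {                /* another entry follows: link a new node */
            cur->next = calloc(1, sizeof(seq_node));
            if (cur->next == NULL)
                return -1;
            cur = cur->next;
        }
    }
    return 0;
}
```

The second condition above, a malformed entry after a valid one, is exactly the path where the zeroed allocation matters: the orphan node is reachable from the root but its 'next' is NULL, so cleanup stops there instead of freeing an arbitrary value.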


Follow the instructions in the vendor advisory.


Plugin Details

Severity: Medium

ID: 81047

File Name: polarssl_cve-2015-1182.nasl

Version: $Revision: 1.1 $

Type: remote

Family: General

Published: 2015/01/28

Modified: 2015/01/28

Dependencies: 21643

Risk Information

Risk Factor: Medium


Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:polarssl:polarssl

Required KB Items: SSL/Supported

Patch Publication Date: 2015/01/19

Vulnerability Publication Date: 2015/01/19

Reference Information

CVE: CVE-2015-1182

OSVDB: 117207