PolarSSL 'asn1_get_sequence_of' Function Uninitialized Pointer RCE
Medium Nessus Plugin ID 81047
Synopsis
The remote SSL server is vulnerable to remote code execution.
Description
PolarSSL contains a flaw when parsing ASN.1 sequences from X.509 certificates: the function 'asn1_get_sequence_of' in the file 'asn1parse.c' frees an uninitialized pointer. An unauthenticated, remote attacker, using a specially crafted certificate, can exploit this flaw to cause a denial of service or execute arbitrary code.
This plugin sends client certificates with an X.509 Extended Key Usage extension that contains a malformed key purpose OID. PolarSSL allocates an 'asn1_sequence' structure to store the OID. For this plugin to work, the following conditions must be met:
- (1) The 'next' field of the 'asn1_sequence' structure allocated for the malformed key purpose OID must be non-zero.
- (2) The SSL server requests a client certificate.
Solution
Follow the instructions in the vendor advisory.