F5 Networks BIG-IP : OpenSSL vulnerability (K17248)
High Nessus Plugin ID 85890
Synopsis
The remote device is missing a vendor-supplied security patch.
Description
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors. (CVE-2010-0742)
A locally authenticated user, with a role that allows advanced shell (bash) access, may be able to exploit OpenSSL to modify invalid memory locations or conduct double-free attacks, and execute arbitrary code.
However, affected F5 products that contain the vulnerable software component do not use the components in a way that exposes this vulnerability. There are no remote access vectors for this issue, and there is no data plane exposure.
Solution
Upgrade to one of the non-vulnerable versions listed in the F5 Solution K17248.