OpenSSL 1.0.1 < 1.0.1o ASN.1 Encoder Negative Zero Value Handling RCE
Critical Nessus Plugin ID 90888
SynopsisThe remote service is affected by a remote code execution vulnerability.
DescriptionAccording to its banner, the remote host is running a version of OpenSSL 1.0.1 prior to 1.0.1o. It is, therefore, affected by a remote code execution vulnerability in the ASN.1 encoder due to an underflow condition that occurs when attempting to encode the value zero represented as a negative integer. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.
SolutionUpgrade to OpenSSL version 1.0.1o or later.