OpenSSL 1.0.2 < 1.0.2c ASN.1 Encoder Negative Zero Value Handling RCE
Critical Nessus Plugin ID 90889
Synopsis
The remote service is affected by a remote code execution vulnerability.

Description
According to its banner, the remote host is running a version of OpenSSL 1.0.2 prior to 1.0.2c. It is, therefore, affected by a remote code execution vulnerability in the ASN.1 encoder due to an underflow condition that occurs when attempting to encode the value zero represented as a negative integer. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

Solution
Upgrade to OpenSSL version 1.0.2c or later.
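The check the plugin describes is banner-based: read the advertised OpenSSL version and flag anything on the 1.0.2 branch below 1.0.2c. The following is an added example of that comparison (not Tenable's plugin code); the banner strings are constructed, and the regex and function names are assumptions.

```python
import re
from typing import Optional, Tuple

# Boundary taken from the advisory: 1.0.2 up to, but not including, 1.0.2c.
AFFECTED_BRANCH = (1, 0, 2)
FIXED_VERSION = (1, 0, 2, "c")

# Matches e.g. "OpenSSL/1.0.2b" inside an HTTP Server header (assumed format).
_VERSION_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, fix, patch_letters) from a banner, or None if
    no OpenSSL version is advertised at all."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner advertises OpenSSL 1.0.2 prior to 1.0.2c,
    False if it advertises some other version, None if undecidable.

    Tuple comparison gives the right order for OpenSSL patch letters:
    an empty suffix is the base release, so 1.0.2 < 1.0.2a < 1.0.2b < 1.0.2c,
    and longer suffixes (e.g. "za" after "z") sort after their prefix."""
    version = parse_openssl_version(banner)
    if version is None:
        return None
    return version[:3] == AFFECTED_BRANCH and version < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for sample in ("Server: Apache/2.4.18 (Unix) OpenSSL/1.0.2b",
                   "Server: Apache/2.4.18 (Unix) OpenSSL/1.0.2c",
                   "Server: nginx"):
        print(sample, "->", is_affected(sample))
```

A banner check cannot see backported fixes, so a distribution package that patched the encoder without bumping the advertised version will still be flagged; confirm against the package changelog before treating a hit as confirmed.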