OpenSSL 1.1.0 < 1.1.0a Multiple Vulnerabilities

High Nessus Plugin ID 93816

Synopsis

The remote service is affected by multiple vulnerabilities.

Description

According to its banner, the remote host is running a version of OpenSSL 1.1.0 prior to 1.1.0a. It is, therefore, affected by the following vulnerabilities :

- A flaw exists in the ssl_parse_clienthello_tlsext() function in t1_lib.c due to improper handling of overly large OCSP Status Request extensions from clients. An unauthenticated, remote attacker can exploit this, via large OCSP Status Request extensions, to exhaust memory resources, resulting in a denial of service condition.
(CVE-2016-6304)

- A flaw exists in the SSL_peek() function in rec_layer_s3.c due to improper handling of empty records. An unauthenticated, remote attacker can exploit this, by triggering a zero-length record in an SSL_peek call, to cause an infinite loop, resulting in a denial of service condition. (CVE-2016-6305)

- A denial of service vulnerability exists in the state-machine implementation due to a failure to check for an excessive length before allocating memory. An unauthenticated, remote attacker can exploit this, via a crafted TLS message, to exhaust memory resources.
(CVE-2016-6307)

- A denial of service vulnerability exists in the DTLS implementation due to improper handling of excessively long DTLS messages. An unauthenticated, remote attacker can exploit this, via a crafted DTLS message, to exhaust available memory resources. (CVE-2016-6308)

- A flaw exists in the GOST ciphersuites due to the use of long-term keys to establish an encrypted connection. A man-in-the-middle attacker can exploit this, via a Key Compromise Impersonation (KCI) attack, to impersonate the server. (VulnDB 144759)

Solution

Upgrade to OpenSSL version 1.1.0a or later.

Note that the GOST ciphersuites vulnerability (VulnDB 144759) is not yet fixed by the vendor in an official release; however, a patch for the issue has been committed to the OpenSSL github repository.

See Also

https://www.openssl.org/news/secadv/20160922.txt

http://www.nessus.org/u?09b29b30

Plugin Details

Severity: High

ID: 93816

File Name: openssl_1_1_0a.nasl

Version: 1.6

Type: remote

Family: Web Servers

Published: 2016/09/30

Modified: 2018/07/16

Dependencies: 57323

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:openssl:openssl

Required KB Items: openssl/port

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2016/09/22

Vulnerability Publication Date: 2015/08/10

Reference Information

CVE: CVE-2016-6304, CVE-2016-6305, CVE-2016-6307, CVE-2016-6308

BID: 93149, 93150, 93151, 93152