Synopsis
The remote web server is running an outdated instance of OpenSSL that is affected by multiple vulnerabilities.

Description
According to its banner, the version of OpenSSL on the remote host is 1.0.1 prior to 1.0.1u, or 1.0.2 prior to 1.0.2i. It is therefore affected by the following vulnerabilities:
- A flaw exists in 'ssl/s3_srvr.c', 'ssl/ssl_sess.c', and 'ssl/t1_lib.c' that may under certain circumstances lead to integer overflows and allow an attacker to have an unspecified impact. (CVE-2016-2177)
- A flaw exists in 'crypto/dsa/dsa_ossl.c' that is triggered as the DSA signing algorithm does not properly run in constant time. This may potentially allow a context-dependent attacker to conduct e.g. a side channel attack and gain unauthorized access to DSA key information. (CVE-2016-2178)
- A flaw exists that is due to the system not handling fragmented DTLS buffered messages correctly. There are two scenarios where messages could result in the queue not being cleared and memory not being freed. The first occurs when a full message is received after a fragment of the same message, and the system uses the full message while ignoring the fragmented message without removing it from the queue. The second occurs when a peer sends a 'future' message with extraneous packets containing a sequence number higher than the Finished message, resulting in the packets not being removed from the queue. With a saturation of either type of message, a remote attacker can exhaust up to 1500k of memory per connection, exhausting memory and leading to a remote denial of service. (CVE-2016-2179)
- An out-of-bounds read flaw exists in the 'TS_OBJ_print_bio()' function in 'crypto/ts/ts_lib.c'. This may allow a context-dependent attacker to have an unspecified impact that may potentially include crashing a process linked against the library or disclosing memory contents. (CVE-2016-2180)
- A flaw exists in the DTLS implementation that is triggered when handling epoch sequence numbers in records. This may allow a remote attacker to cause legitimate packets to be dropped. (CVE-2016-2181)
- An overflow condition exists in the 'BN_bn2dec()' function in 'crypto/bn/bn_print.c'. The issue is triggered as certain input is not properly validated when handling BIGNUM values. This may allow a context-dependent attacker to cause a buffer overflow, resulting in a denial of service in a process linked against the library. (CVE-2016-2182)
- A flaw exists in the 'tls_decrypt_ticket()' function in 'ssl/t1_lib.c' that is triggered during the handling of the ticket HMAC digest. This may allow a remote attacker to crash the service. (CVE-2016-6302)
- An overflow condition exists in the 'MDC2_Update()' function in 'crypto/mdc2/mdc2dgst.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code. (CVE-2016-6303)
- A flaw exists in the 'ssl_parse_clienthello_tlsext()' function in 'ssl/t1_lib.c' that is triggered when handling overly large OCSP Status Request extensions from clients. This may allow a remote attacker to exhaust available memory in a process linked against the library. (CVE-2016-6304)
- An out-of-bounds read flaw exists that is triggered when handling client certificate, client certificate request, and server certificate messages. This may allow a remote attacker to potentially crash a process linked against the library. (CVE-2016-6306)
Solution
Upgrade OpenSSL to version 1.0.2i or later. If version 1.0.2i or later cannot be obtained, version 1.0.1u is also patched for these vulnerabilities.
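The banner-based version test that the Description and Solution sections rely on can be reproduced as a local triage check. The following is an added example, not the plugin's own code: it parses the OpenSSL version out of a Server banner and applies the affected ranges given above (1.0.1 before 1.0.1u, 1.0.2 before 1.0.2i), honouring the 1.0.x letter-suffix ordering; the sample banners and the helper names are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Fixed patch letters from the Solution section: 1.0.1u and 1.0.2i.
# Anything in these two lines with a lower letter (or no letter) is affected.
FIXED_LETTER = {(1, 0, 1): "u", (1, 0, 2): "i"}

# Matches banner fragments such as "OpenSSL/1.0.1e", "OpenSSL 1.0.2h-fips", "OpenSSL/1.0.2".
_VERSION_RE = re.compile(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, fix, letter) from a banner, or None if no OpenSSL version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter.lower()


def _letter_key(letter: str) -> Tuple[int, str]:
    # 1.0.x patch releases order as "" < "a" < ... < "z" < "za" < ...;
    # sorting by (length, text) reproduces that order.
    return (len(letter), letter)


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner is in an affected range, False if patched,
    None if unparseable or outside the 1.0.1/1.0.2 lines this check covers."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, fix, letter = parsed
    fixed = FIXED_LETTER.get((major, minor, fix))
    if fixed is None:
        return None  # other branches are out of scope for this check
    return _letter_key(letter) < _letter_key(fixed)


def triage_banners(banners: List[str]) -> dict:
    """Constructed helper: bucket banners into affected / patched / unknown."""
    results = {"affected": [], "patched": [], "unknown": []}
    for banner in banners:
        verdict = is_affected(banner)
        bucket = "unknown" if verdict is None else ("affected" if verdict else "patched")
        results[bucket].append(banner)
    return results
```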