Several vulnerabilities were discovered in OpenSSL :

CVE-2016-2177

Guido Vranken discovered that OpenSSL uses undefined pointer arithmetic. Additional information can be found at https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithme tic/

CVE-2016-2178

Cesar Pereida, Billy Brumley and Yuval Yarom discovered a timing leak in the DSA code.

CVE-2016-2179 / CVE-2016-2181

Quan Luo and the OCAP audit team discovered denial of service vulnerabilities in DTLS.

CVE-2016-2180 / CVE-2016-2182 / CVE-2016-6303

Shi Lei discovered an out-of-bounds memory read in TS_OBJ_print_bio() and an out-of-bounds write in BN_bn2dec() and MDC2_Update().

CVE-2016-2183

DES-based cipher suites are demoted from the HIGH group to MEDIUM as a mitigation for the SWEET32 attack.

CVE-2016-6302

Shi Lei discovered that the use of SHA512 in TLS session tickets is susceptible to denial of service.

CVE-2016-6304

Shi Lei discovered that excessively large OCSP status request may result in denial of service via memory exhaustion.

CVE-2016-6306

Shi Lei discovered that missing message length validation when parsing certificates may potentially result in denial of service.

For Debian 7 'Wheezy', these problems have been fixed in version 1.0.1t-1+deb7u1.

We recommend that you upgrade your openssl and libssl1.0.0 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for openssl fixes the following issues :

OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)

Severity: High

  - OCSP Status Request extension unbounded memory growth     (CVE-2016-6304) (bsc#999666)

Severity: Low

  - Pointer arithmetic undefined behaviour (CVE-2016-2177)     (bsc#982575)

  - Constant time flag not preserved in DSA signing     (CVE-2016-2178) (bsc#983249)

  - DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)

  - OOB read in TS_OBJ_print_bio() (CVE-2016-2180)     (bsc#990419)

  - DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)

  - OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)

  - Birthday attack against 64-bit block ciphers (SWEET32)     (CVE-2016-2183) (bsc#995359)

  - Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)

  - OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)

  - Certificate message OOB reads (CVE-2016-6306)     (bsc#999668)

More information can be found on:
https://www.openssl.org/news/secadv/20160922.txt

Also following bugs were fixed :

  - update expired S/MIME certs (bsc#979475)

  - improve s390x performance (bsc#982745)

  - allow >= 64GB AESGCM transfers (bsc#988591)

  - fix crash in print_notice (bsc#998190)

  - resume reading from /dev/urandom when interrupted by a     signal (bsc#995075)

This update was imported from the SUSE:SLE-12-SP1:Update update project.

The version of OpenSSL installed on the remote host is prior to 1.0.1u. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.0.1u advisory.

  - Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a     allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request     extensions. (CVE-2016-6304)

  - The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to     cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c     and s3_srvr.c. (CVE-2016-6306)

  - Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows     remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have     unspecified other impact via unknown vectors. (CVE-2016-6303)

  - The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size     during validation of the ticket length, which allows remote attackers to cause a denial of service via a     ticket that is too short. (CVE-2016-6302)

  - The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries     associated with unused out-of-order messages, which allows remote attackers to cause a denial of service     (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c,     statem_dtls.c, statem_lib.c, and statem_srvr.c. (CVE-2016-2179)

  - The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new     epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial     of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and     ssl3_record.c. (CVE-2016-2181)

  - The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division     results, which allows remote attackers to cause a denial of service (out-of-bounds write and application     crash) or possibly have unspecified other impact via unknown vectors. (CVE-2016-2182)

  - The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp     Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of     service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the     openssl ts command. (CVE-2016-2180)

  - The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure     the use of constant-time operations, which makes it easier for local users to discover a DSA private key     via a timing side-channel attack. (CVE-2016-2178)

  - OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might     allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly     have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c,     and t1_lib.c. (CVE-2016-2177)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of OpenSSL on the remote host is 1.0.1 prior to 1.0.1u, or 1.0.2 prior to 1.0.2i.  It is therefore affected by the following vulnerabilities :

 - A flaw exists in 'ssl/s3_srvr.c', 'ssl/ssl_sess.c', and 'ssl/t1_lib.c' that may under certain circumstances lead to integer overflows and allow an attacker to have an unspecified impact. (CVE-2016-2177)
 - A flaw exists in 'crypto/dsa/dsa_ossl.c' that is triggered as the DSA signing algorithm does not properly run in constant time.  This may potentially allow a context-dependent attacker to conduct e.g. a side channel attack and gain unauthorized access to DSA key information. (CVE-2016-2178)
 - A flaw exists that is due to the system not handling fragmented DTLS buffered messages correctly.  There are two scenarios where messages could result in the queue not being cleared and memory not being freed.  The first occurs when a full message is received after a fragment of the same message, and the system uses the full message while ignoring the fragmented message without removing it from queue.  The second occurs when a peer sends a 'future' message with extraneous packets containing a sequence number higher than the Finished message, resulting in the packets not being removed from queue.  With a saturation of either type of message, a remote attacker can exhaust up to 1500k of memory per connection, exhausting memory leading to a remote denial of service. (CVE-2016-2179)
 - An out-of-bounds read flaw exists in the 'TS_OBJ_print_bio()' function in 'crypto/ts/ts_lib.c'.  This may allow a context-dependent attacker to have an unspecified impact that may potentially include crashing a process linked against the library or disclosing memory contents. (CVE-2016-2180)
 - A flaw exists in the DTLS implementation that is triggered when handling epoch sequence numbers in records.  This may allow a remote attacker to cause legitimate packets to be dropped. (CVE-2016-2181)
 - An overflow condition exists in the 'BN_bn2dec()' function in 'crypto/bn/bn_print.c'.  The issue is triggered as certain input is not properly validated when handling BIGNUM values. This may allow a context-dependent attacker to cause a buffer overflow, resulting in a denial of service in a process linked against the library. (CVE-2016-2182)
 - A flaw exists in the 'tls_decrypt_ticket()' function in 'ssl/t1_lib.c' that is triggered during the handling of ticket HMAC digest.  This may allow a remote attacker to crash the service. (CVE-2016-6302)
 - An overflow condition exists in the 'MDC2_Update()' function in 'crypto/mdc2/mdc2dgst.c' that is triggered as certain input is not properly validated.  This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code. (CVE-2016-6303)
 - A flaw exists in the 'ssl_parse_clienthello_tlsext()' function in 'ssl/t1_lib.c' that is triggered when handling overly large OCSP Status Request extensions from clients.  This may allow a remote attacker to exhaust available memory in a process linked against the library. (CVE-2016-6304)
 - An out-of-bounds read flaw exists that is triggered when handling client certificate, client certificate request, and server certificate messages.  This may allow a remote attacker to potentially crash a process linked against the library. (CVE-2016-6306)

The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out- of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

ID	Name	Product	Family	Published	Updated	Severity
93690	Debian DLA-637-1 : openssl security update	Nessus	Debian Local Security Checks	9/26/2016	1/11/2021	critical
93783	openSUSE Security Update : openssl (openSUSE-2016-1134)	Nessus	SuSE Local Security Checks	9/28/2016	1/19/2021	critical
93814	OpenSSL 1.0.1 < 1.0.1u Multiple Vulnerabilities	Nessus	Web Servers	9/30/2016	10/23/2024	critical
9625	OpenSSL 1.0.1 < 1.0.1u / 1.0.2 < 1.0.2i Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	10/6/2016	3/6/2019	high
503119	Siemens SCALANCE X-200RNA Switch Devices Out-of-bounds Read (CVE-2016-6306)	Tenable OT Security	Tenable.ot	3/13/2025	3/13/2025	medium

Detections

Analytics

Plugins Search

critical

critical

critical

high

medium