Debian update for openssl095
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2003-0543 CVE-2003-0544 CVE-2003-0545 |
| CWE-ID | CWE-190 CWE-20 CWE-119 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
Debian Linux Operating systems & Components / Operating system |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Integer overflow
EUVDB-ID: #VU249
Risk: Medium
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2003-0543
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an integer overflow in OpenSSL 0.9.6 and 0.9.7. A remote unauthenticated attacker can cause a denial of service via an SSL client certificate with certain ASN.1 tag values.
Successful exploitation of this vulnerability may result in cause a denial of service.
Update the affected package to version:
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.openssl.org/news/vulnerabilities.html#y2002
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Improper input validation
EUVDB-ID: #VU248
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2003-0544
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect tracking of the number of characters in certain ASN.1 inputs. A remote unauthenticated attacker can cause a denial of service by sending an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used.
Successful exploitation of this vulnerability may result in a denial of service.
Update the affected package to version:
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.openssl.org/news/vulnerabilities.html#y2002
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) ASN.1 parser deallocation buffer overflow
EUVDB-ID: #VU247
Risk: Critical
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red]
CVE-ID: CVE-2003-0545
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists in OpenSSL. A remote unauthenticated attacker can cause a denial of service and possible arbitrary code execution via an SSL client certificate with a certain invalid ASN.1 encoding.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Update the affected package to version:
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.openssl.org/news/vulnerabilities.html#y2002
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
