Main Vulnerability Database SB2016062801

SB2016062801 - Incorrect parsing of OSCP messages in OpenBSD

Published: June 28, 2016

Security Bulletin ID SB2016062801

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper input validation (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to incorrect parsing of time in Online Certificate Status Protocol (OSCP) messages in "lib/libssl/src/crypto/ocsp/ocsp_cl.c". A remote attacker can send a specially crafted OSCP message and bypass certain security checks.

Successful exploitation of this vulnerability may potentially result in unauthorized access to restricted resources using an outdated certificate.

Remediation

Install update from vendor's website.

References

http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/012_crypto.patch.sig

SB2016062801 - Incorrect parsing of OSCP messages in OpenBSD

Breakdown by Severity

Description

Remediation

References

Please verify you're human