Denial of service in OpenSSL

Published: 2016-09-22

Risk	Low
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2016-6304 CVE-2016-6305
CWE-ID	CWE-400 CWE-120
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	OpenSSL Server applications / Encryption software
Vendor	OpenSSL Software Foundation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Denial of service

EUVDB-ID: #VU819

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6304

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated user to cause DoS conditions on the target system.
The weakness is due to insufficient validation of input length. By sending messages with excessive length attackers can cause resource exhaustion that leads to denial of service
Successful exploitation of the vulnerability allows a malicious user to trigger the vulnerable service to deny.

Mitigation

Update 1.1.0 to version 1.1.0a.
Update 1.0.2 to version 1.0.2i.
Update 1.0.1 to version 1.0.1u.

Vulnerable software versions

OpenSSL: 1.0.1 - 1.1.0

External links

http://www.openssl.org/news/secadv/20160922.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Denial of service

EUVDB-ID: #VU820

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6305

CWE-ID: CWE-120 - Buffer overflow