Denial of service in OpenSSL

#VU645 Denial of service in OpenSSL

Published: 2016-09-23

Vulnerability identifier: #VU645

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6305

CWE-ID: CWE-371

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description
The vulnerability allows a remote authenticated user to trigger denial of service on the target system.
The weakness exists due to state error. By sendidng specially crafted files attackers can cause a flaw in SSL_peek() that may lead to the affected service hanging.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Mitigation
Update to 1.1.0a.

Vulnerable software versions

OpenSSL: 1.1.0

External links
http://www.openssl.org/news/secadv/20160922.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM FOS Firmware

Multiple vulnerabilities in Multiple N series Products

Amazon Linux AMI update for openssl