Denial of service in OpenSSL and Oracle VM VirtualBox

#VU815 Denial of service in OpenSSL and Oracle VM VirtualBox

Published: 2016-10-10 | Updated: 2017-01-05

Vulnerability identifier: #VU815

Vulnerability risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6303

CWE-ID: CWE-122

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software
Oracle VM VirtualBox
Server applications / Virtualization software

Vendor: OpenSSL Software Foundation
Oracle

Description
The vulnerability allows a remote unauthenticated user to cause DoS conditions on the vulnerable system.
The weakness is caused by integer overflow in the MDC2_Update() function in 'crypto/mdc2/mdc2dgst.c'. By using large ammounts of input data attackers are able to trigger error in input length validation that leads to crash of the affected service.
Successful exploitation of the vulnerability will result in denial of service on the vulnerable system.

Mitigation
Update 1.0.2 to version 1.0.2i.
Update 1.0.1 to version 1.0.1u.

Vulnerable software versions

OpenSSL: 1.0.2, 1.0.1

Oracle VM VirtualBox: 5.0.27, 5.1.7

External links
http://www.openssl.org/news/secadv/20160922.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell Networker

Multiple vulnerabilities in IBM FOS Firmware

Multiple vulnerabilities in Multiple N series Products

openSUSE update for openssl-steam

Denial of service in openssl (Alpine package)