
OpenSSL "asn1_d2i_read_bio()" DER Format Data Processing Vulnerability

Last Update Date: 22 May 2012 Release Date: 20 Apr 2012

RISK: High Risk

TYPE: Security software and application - Security Software & Appliance

A vulnerability has been identified in OpenSSL, which can be exploited by malicious people to potentially compromise an application using the library.

The vulnerability is caused by a type casting error in the "asn1_d2i_read_bio()" function when processing DER format data and can be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code, but may require a target to be running on a 64-bit system.
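To illustrate the bug class the advisory describes, the following is an added example (not OpenSSL's code): a small DER length decoder, a size check that narrows the decoded length to int before comparing it with the available buffer, and a hardened check that keeps the comparison in the wide type. The function names, sample header bytes and buffer sizes are constructed for this illustration.

```c
/* Added illustration, not OpenSSL code: a DER length decoder, a size check
 * that narrows the decoded length to int (the bug class the advisory
 * describes), and a hardened check that keeps the comparison in the wide
 * type. Names and sample bytes are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

/* Decodes a DER length field from buf[0..n). Returns the number of bytes
 * consumed and stores the length in *len_out; returns 0 on malformed or
 * indefinite-length input. */
static size_t der_read_length(const uint8_t *buf, size_t n, uint64_t *len_out)
{
    if (n < 1) return 0;
    uint8_t first = buf[0];
    if (first < 0x80) { *len_out = first; return 1; }     /* short form */
    size_t nbytes = first & 0x7f;                          /* long form */
    if (nbytes == 0 || nbytes > 8 || n < 1 + nbytes) return 0;
    uint64_t len = 0;
    for (size_t i = 0; i < nbytes; i++) len = (len << 8) | buf[1 + i];
    *len_out = len;
    return 1 + nbytes;
}

/* Weak check: the 64-bit length is cast to int before being compared with
 * the bytes available. On an LP64 (64-bit) platform 0x100000010 becomes 16
 * and passes even though the encoded length exceeds 4 GiB; on a 32-bit
 * platform long is already 32 bits and the cast drops no bits, which is
 * the advisory's 64-bit caveat. Returns 1 if the record would be accepted. */
int weak_accepts(const uint8_t *hdr, size_t hdr_len, size_t avail)
{
    uint64_t len;
    if (der_read_length(hdr, hdr_len, &len) == 0) return 0;
    int narrowed = (int)len;             /* truncating cast (gcc/clang: modulo 2^32) */
    return narrowed >= 0 && (size_t)narrowed <= avail;
}

/* Hardened check: reject any length the implementation's int cannot hold,
 * then compare in the wide type. */
int hardened_accepts(const uint8_t *hdr, size_t hdr_len, size_t avail)
{
    uint64_t len;
    if (der_read_length(hdr, hdr_len, &len) == 0) return 0;
    if (len > (uint64_t)INT_MAX) return 0;
    return len <= avail;
}

/* Constructed sample headers: long-form length 0x100000010, short-form length 16. */
const uint8_t huge_len_hdr[] = { 0x85, 0x01, 0x00, 0x00, 0x00, 0x10 };
const uint8_t small_len_hdr[] = { 0x10 };
```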


Impact

  • Remote Code Execution

System / Technologies affected

  • OpenSSL versions prior to 0.9.8v, 1.0.1a, and 1.0.0i.

NOTE: Applications that use PEM-only routines are not affected.


Solutions

Before installing the software, please visit the software manufacturer's website for more details.

  • Update to version 0.9.8v, 1.0.1a, or 1.0.0i, according to the branch in use.

Vulnerability Identifier


Source


Related Link