OpenSSL `asn1_d2i_read_bio()´ DER Format Data Processing Vulnerability

Release Date: 20 / 04 / 2012
Last Update: 22 / 05 / 2012
Criticality Level:  

A vulnerability has been identified in OpenSSL, which can be exploited by malicious people to potentially compromise an application using the library.

The vulnerability is caused due to a type casting error in the "asn1_d2i_read_bio()" function when processing DER format data and can be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code, but may require a target to be running on a 64-bit system.

  • Remote Code Execution
  • OpenSSL versions prior to 0.9.8v, 1.0.1a, and 1.0.0i.

NOTE: Applications that use PEM only routines are not affected.

Before installation of the software, please visit the software manufacturer web-site for more details.

  • Update to version 0.9.8v, 1.0.1a, and 1.0.0i.