Pair of Flaws Found in OpenSSL
One of the flaws could allow an attacker to execute code on vulnerable machines.Security researchers have discovered a pair of vulnerabilities in the OpenSSL software package, one of which may allow an attacker to execute code on vulnerable machines. Both vulnerabilities have to do with the way the package interacts with ASN.1 (Abstract Syntax Notation One), a low-level language used to describe abstract syntax. OpenSSL implements both the SSL and TLS security protocols, and though neither protocol is based on ASN.1, they do handle ASN.1 objects. The more serious of the two new flaws concerns the way that OpenSSL "deallocates" memory that is used to store ASN.1 structures. When the parser in OpenSSL comes across an encoded structure that it judges to be invalid, its behavior becomes unpredictable. The vulnerability can be used to cause a denial of service condition in vulnerable systems, according to an advisory published Tuesday by the CERT Coordination Center, in Pittsburgh.
CERT added that this flaw may be exploited to run code on vulnerable machines as well, under certain circumstances.