Security researchers have discovered a pair of vulnerabilities in the OpenSSL software package, one of which may allow an attacker to execute code on vulnerable machines.
Both vulnerabilities have to do with the way the package interacts with ASN.1 (Abstract Syntax Notation One), a low-level language used to describe abstract syntax. OpenSSL implements both the SSL and TLS security protocols, and though neither protocol is based on ASN.1, they do handle ASN.1 objects.
The more serious of the two new flaws concerns the way that OpenSSL “deallocates” memory that is used to store ASN.1 structures. When the parser in OpenSSL comes across an encoded structure that it judges to be invalid, its behavior becomes unpredictable. The vulnerability can be used to cause a denial of service condition in vulnerable systems, according to an advisory published Tuesday by the CERT Coordination Center, in Pittsburgh.
CERT added that this flaw may be exploited to run code on vulnerable machines as well, under certain circumstances.
The second weakness is related to the way that ASN.1 tags are handled by OpenSSL. An unusual tag value could produce a denial of service in affected machines.
All versions of OpenSSL prior to 0.9.7c or 0.9.7k are vulnerable to these issues, as are all versions of SSLeay. The OpenSSL Project has produced a new version of the toolkit, which addresses these flaws.
OpenSSL is an open-source toolkit that is used in a number of popular applications.