FreeBSD Security Advisory (openssl)

The FreeBSD Security Team has identified a security bug in openssl:

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

II. Problem Description

A race condition exists in the OpenSSL TLS server extension code parsing when used in a multi-threaded application, which uses OpenSSL’s internal caching mechanism. The race condition can lead to a buffer overflow.

A double free exists in the SSL client ECDH handling code, when processing specially crafted public keys with invalid prime numbers.

III. Impact

For affected server applications, an attacker may be able to utilize the buffer overflow to crash the application or potentially run arbitrary code with the privileges of the application.

It may be possible to cause a DoS or potentially execute arbitrary in the context of the user connection to a malicious SSL server.

To find out more about the impact, a work-around and solution, check out the advisory page: FreeBSD Security Advisory (openssl)

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>