OSVDB ID: 3943

Title: OpenSSL ASN.1 Parser Invalid Encoding Handling Remote DoS

Info

Disclosure: Jul 30, 2002
Discovery: Unknown

Dates

Exploit: Jul 30, 2002
Solution: Unknown

Description

OpenSSL's ASN.1 parser contains a flaw that may allow a malicious user to cause a denial of service. The issue is triggered when invalid ASN.1 encodings are supplied to the parser. The flaw may allow an attacker to crash OpenSSL, resulting in a loss of availability.

Classification

Location: Local Access Required, Remote / Network Access
Attack Type: Denial of Service, Input Manipulation
Impact: Loss of Availability
Exploit: Exploit Public

Solution

Upgrade to version 0.9.6e or higher, which has been reported to fix this vulnerability, and recompile all applications that were statically linked to OpenSSL. The flaw can also be corrected by applying the vendor-supplied patch to affected versions.

Products

OpenSSL Project

OpenSSL

0.9.1x
0.9.2x
0.9.3x
0.9.4x
0.9.5x
0.9.6
0.9.6a
0.9.6b
0.9.6c
0.9.6d
0.9.7-beta1
0.9.7-beta2

Novell, Inc.

iManager

2.02

References

Credit

  • Adi Stav - stavmercury.co.il
  • James Yonan - jimntlp.com


Direct URL: http://osvdb.org/3943