OSVDB ID: 80040

Title: OpenSSL crypto/asn1/asn_mime.c mime_param_cmp() Function MIME Header Parsing Remote DoS

Info

Disclosure

Mar 12, 2012

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Mar 12, 2012

Description

OpenSSL contains a flaw that may allow a remote denial of service. A Null pointer deference in the rypto/asn1/asn_mime.c mime_param_cmp() function when parsing MIME headers will result in a loss of availability for the program.

Classification

Location: Remote / Network Access
Attack Type: Denial of Service
Impact: Loss of Availability
Solution: Upgrade
Exploit: Exploit Unknown
Disclosure: Vendor Verified

Solution

Upgrade to version 1.0.0h or 0.9.8u or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

The OpenSSL Project	OpenSSL	1.0.0g
		0.9.8t

IBM Corporation	Security Network Intrusion Prevention System	1.7
		1.8
		2.4
		2.5
		3.2
		3.3
		4.1
		4.2
		4.3
		4.4
		4.5

References

Security Tracker: 1026787
CVE ID: 2012-1165 (see also: NVD)
Secunia Advisory ID: 46958 48580 48704 48895 48899 49229 49309 49592 49670 50097 50614 50678 50736 52292 52334 53065
Related OSVDB ID: 80039
Vendor Specific News/Changelog Entry: http://aix.software.ibm.com/aix/efixes/security/openssl_advisory4.asc
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03383940
http://lists.debian.org/debian-security-announce/2012/msg00090.html
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00018.html
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00020.html
http://lists.opensuse.org/opensuse-updates/2012-04/msg00022.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00069.html
http://www-01.ibm.com/support/docview.wss?uid=swg21626257
http://www.ibm.com/support/docview.wss?uid=swg21631322
http://www.ubuntu.com/usn/usn-1424-1/
http://www.us.debian.org/security/2012/dsa-2454
Vendor Specific Solution URL: http://cvs.openssl.org/chngview?cn=22252
Vendor Specific Advisory URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03383940
http://www.openssl.org/news/secadv_20120312.txt
https://downloads.avaya.com/css/P8/documents/100162507
https://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03333987&ac.admitted=1337324854606.876444892.492883150
Vendor URL: http://openssl.org/
Packet Storm: http://packetstormsecurity.com/files/121573/HP-Security-Bulletin-HPSBMU02786-SSRT100877-2.html
Mail List Post: http://seclists.org/bugtraq/2012/Jun/170
http://seclists.org/bugtraq/2012/May/98
Other Advisory URL: http://www.openwall.com/lists/oss-security/2012/03/12/3
http://www.openwall.com/lists/oss-security/2012/03/12/6
http://www.openwall.com/lists/oss-security/2012/03/12/7
http://www.openwall.com/lists/oss-security/2012/03/13/2
RedHat RHSA: RHSA-2012:0426 RHSA-2012:1306 RHSA-2012:1307 RHSA-2012:1308

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/80040

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

The OpenSSL Project

OpenSSL

IBM Corporation

Security Network Intrusion Prevention System

References

Credit