OpenSSL CVE-2012-2131 Encoded ASN.1 Data Incomplete Fix Memory Corruption Vulnerability
BID:53212
Info
| Bugtraq ID: | 53212 |
| Class: | Design Error |
| CVE: | CVE-2012-2131 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 24 2012 12:00AM |
| Updated: | May 07 2015 06:17PM |
| Credit: | Red Hat |
Vulnerable:
- Xerox FreeFlow Print Server (FFPS) 73.C0.41
- Xerox FreeFlow Print Server (FFPS) 73.B3.61
- Ubuntu Ubuntu Linux 8.04 LTS sparc
- Ubuntu Ubuntu Linux 8.04 LTS powerpc
- Ubuntu Ubuntu Linux 8.04 LTS lpia
- Ubuntu Ubuntu Linux 8.04 LTS i386
- Ubuntu Ubuntu Linux 8.04 LTS amd64
- Ubuntu Ubuntu Linux 11.10 i386
- Ubuntu Ubuntu Linux 11.10 amd64
- Ubuntu Ubuntu Linux 11.04 powerpc
- Ubuntu Ubuntu Linux 11.04 i386
- Ubuntu Ubuntu Linux 11.04 ARM
- Ubuntu Ubuntu Linux 11.04 amd64
- Ubuntu Ubuntu Linux 10.04 sparc
- Ubuntu Ubuntu Linux 10.04 powerpc
- Ubuntu Ubuntu Linux 10.04 i386
- Ubuntu Ubuntu Linux 10.04 ARM
- Ubuntu Ubuntu Linux 10.04 amd64
- SuSE SUSE Linux Enterprise Server 10 SP3 LTSS
- OpenSSL Project OpenSSL 0.9.8v
- Mandriva Linux Mandrake 2010.1 x86_64
- Mandriva Linux Mandrake 2010.1
- Juniper Networks SA700 SSL VPN 0
- Juniper Networks SA6500 SSL VPN 0
- Juniper Networks SA6500 FIPS 0
- Juniper Networks SA6000 FIPS 0
- Juniper Networks SA4500 SSL VPN 0
- Juniper Networks SA2500 SSL VPN 0
- IBM Virtual I/O Server (VIOS) 2.1
- IBM Virtual I/O Server (VIOS) 2.2
- IBM Virtual I/O Server (VIOS) 2.1
- IBM Virtual I/O Server (VIOS) 2.0
- IBM Virtual I/O Server 2.1.3
- IBM Virtual I/O Server 2.1.2
- IBM Tivoli Netcool/OMNIbus 7.3
- IBM OS/400 V7R1M0 0
- IBM OS/400 V6R1M0
- IBM Aix 7.1.1
- IBM Aix 7.1
- IBM Aix 6.1.7
- IBM Aix 6.1.6
- IBM AIX 6.1.5
- IBM AIX 6.1.4
- IBM AIX 6.1.3
- IBM AIX 6.1.2
- IBM AIX 6.1.1
- IBM AIX 5.3.10
- IBM AIX 5.3.9
- IBM AIX 5.3.8
- IBM AIX 5.3.7
- IBM AIX 5.3 L
- IBM AIX 7.1
- IBM AIX 6.2
- IBM AIX 6.1
- IBM AIX 5.3.12
- IBM Aix 5.3.12
- IBM AIX 5.3.11
- IBM AIX 5.3
- HP SSL for OpenVMS 1.4-453
- HP SSL for OpenVMS 1.4
- HP SSL for OpenVMS 1.3
- HP HP-UX B.11.31
- HP HP-UX B.11.11
- Debian Linux 6.0 sparc
- Debian Linux 6.0 s/390
- Debian Linux 6.0 powerpc
- Debian Linux 6.0 mips
- Debian Linux 6.0 ia-64
- Debian Linux 6.0 ia-32
- Debian Linux 6.0 arm
- Debian Linux 6.0 amd64
- Collax Collax Business Server 5.5
- Blue Coat Systems Proxysg 6.2
- Blue Coat Systems Intelligence Center 3.2
- Blue Coat Systems Intelligence Center 3.1
- Balabit syslog-ng Premium Edition 4.0.1
- Balabit syslog-ng Premium Edition 4.1.2a
- Balabit syslog-ng Premium Edition 4.1
- Balabit syslog-ng Premium Edition 4.0.3b
- Balabit syslog-ng Premium Edition 4.0.1a
- Apple Mac Os X Server 10.7.4
- Apple Mac Os X Server 10.7.3
- Apple Mac Os X Server 10.7.1
- Apple Mac Os X Server 10.7
- Apple Mac Os X Server 10.6.8
- Apple Mac Os X 10.7.4
- Apple Mac Os X 10.7.3
- Apple Mac Os X 10.7.2
- Apple Mac Os X 10.7.1

Not Vulnerable:
- OpenSSL Project OpenSSL 0.9.8w
- Collax Collax Business Server 5.5.2
Discussion
OpenSSL is prone to a remote memory-corruption vulnerability because of integer-truncation errors. Specifically, the issue exists because the fix for CVE-2012-2110 (BID 53158 - OpenSSL Encoded ASN.1 Data Integer Truncation Memory Corruption Vulnerability) was incomplete.
Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the application using the vulnerable library. Failed exploit attempts will result in a denial-of-service condition.
OpenSSL 0.9.8v is affected.
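The bug class named above, integer truncation of a length taken from encoded ASN.1 data, shown as an added C illustration (not OpenSSL's code and not part of the advisory; the function names and sample bytes are constructed). It decodes a DER length into 64 bits, then contrasts an unchecked narrowing with a range-checked one.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: OCTET STRING tag, then a long-form length of
 * 5 bytes declaring 0x0100000010 (4294967312) content bytes. */
static const unsigned char SAMPLE[] = {0x04, 0x85, 0x01, 0x00, 0x00, 0x00, 0x10};

/* Decode a DER length field. Returns header bytes consumed, 0 if malformed. */
static size_t der_read_length(const unsigned char *p, size_t avail, uint64_t *out)
{
    if (avail == 0) return 0;
    if (p[0] < 0x80) { *out = p[0]; return 1; }    /* short form */
    size_t n = p[0] & 0x7f;                        /* long form: n bytes follow */
    if (n == 0 || n > sizeof(uint64_t) || n >= avail) return 0;
    uint64_t len = 0;
    for (size_t i = 1; i <= n; i++) len = (len << 8) | p[i];
    *out = len;
    return 1 + n;
}

/* Unsafe pattern: narrowing to a 32-bit quantity keeps only the low bits. */
static int narrow_unchecked(uint64_t len) { return (int)(uint32_t)len; }

/* Safe pattern: reject lengths an int-based API cannot represent, or that
 * exceed the bytes actually remaining in the input. Returns -1 on reject. */
static int narrow_checked(uint64_t len, size_t remaining)
{
    if (len > (uint64_t)INT_MAX || len > (uint64_t)remaining) return -1;
    return (int)len;
}

int main(void)
{
    uint64_t len = 0;
    size_t hdr = der_read_length(SAMPLE + 1, sizeof SAMPLE - 1, &len);
    printf("header bytes: %zu, declared length: %llu\n", hdr, (unsigned long long)len);
    printf("unchecked narrowing: %d\n", narrow_unchecked(len));
    printf("checked narrowing:   %d\n", narrow_checked(len, sizeof SAMPLE - 1 - hdr));
    return 0;
}
```

With unchecked narrowing, a declared length of over 4 GiB becomes 16, so any buffer sized from the narrowed value no longer matches the length the parser believes it is handling.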
Exploit / POC
The researcher who found the issue has created a proof-of-concept. Please see the references for information.
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
Mandriva Linux Mandrake 2010.1 x86_64
- Mandriva lib64openssl0.9.8-0.9.8w-0.1mdv2010.2.x86_64.rpm
  http://www.mandriva.com/en/downloads/
Mandriva Linux Mandrake 2010.1
- Mandriva libopenssl0.9.8-0.9.8w-0.1mdv2010.2.i586.rpm
  http://www.mandriva.com/en/downloads/
References
References:
- Collax Business Server Homepage (collax)
- Collax Business Server Release Note (collax)
- OpenSSL Project (OpenSSL Project)
- SE51936 - SC1-SSH-INCORROUT VULNERABILITY CVE-2012-2110 (IBM)
- ASN1 BIO incomplete fix (CVE-2012-2131) (OpenSSL Project)