SSL: OpenSSL SSL_get_shared_ciphers Function Off-by-one Buffer Overflow

An off-by-one buffer overflow vulnerability exists in the OpenSSL library. The flaw is due to an off-by-one error in the buffer check in the function "SSL_get_shared_ciphers()". A remote attacker may exploit this vulnerability by sending a crafted list of ciphers to an affected server, or to an application that uses this function, to inject and execute arbitrary code on the target system. If code injection is not successful, the one-byte overflow may overwrite a local variable or return address, which in turn may lead to data or memory access corruption. This could cause the server process to terminate. Note that the effect depends on how the off-by-one byte is used in the specific application that calls this function. In a more sophisticated attack where code injection is successful, the behaviour of the target depends entirely on the intended function of the injected code, which would execute within the security context of the affected service.

Extended Description

OpenSSL is prone to an off-by-one buffer-overflow vulnerability because the library fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Successfully exploiting this issue may allow attackers to execute arbitrary machine code in the context of applications that use the affected library, but this has not been confirmed. Failed exploit attempts may crash applications, denying service to legitimate users. NOTE: This issue was introduced in the fix for the vulnerability described in BID 20249 (OpenSSL SSL_Get_Shared_Ciphers Buffer Overflow Vulnerability).

Affected Products

Nortel_networks self-service_media_processing_server, Vmware player

References

BugTraq: 25831

CVE: CVE-2007-5135

Short Name: SSL:OVERFLOW:CIPHERS-OBO
Severity: Major
Recommended: False
Recommended Action: Drop
Category: SSL
Keywords: Buffer CVE-2007-5135 Function Off-by-one OpenSSL Overflow SSL_get_shared_ciphers bid:25831
Release Date: 10/18/2010
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version: 3375
False Positive: Unknown
Vendors

Red_hat

Openbsd

Suse

Apple

Gentoo

Sun

Rpath

Turbolinux

Avaya

Freebsd

Ubuntu

Mandriva

Nortel_networks

Netbsd

Debian

Vmware

Openssl_project

CVSS Score

6.8
