Vulnerability Note VU#547300

OpenSSL SSL_get_shared_ciphers() vulnerable to buffer overflow

Original Release date: 28 Sep 2006 | Last revised: 22 Jul 2011

Overview

A buffer overflow vulnerability in an OpenSSL library function could allow a remote attacker to execute code on an affected system.

Description

The OpenSSL toolkit implements the Secure Sockets Layer (SSL versions 2 and 3) and Transport Layer Security (TLS version 1) protocols as well as a general purpose cryptographic library. The OpenSSL library includes a utility function, SSL_get_shared_ciphers(), to generate human readable strings from the list of shared ciphers supported on an SSL connection. A buffer overflow exists in this function's handling of the length of the list of shared ciphers. Any application using this function could expose the vulnerability, allowing an attacker to execute code with the privileges of that application. Note that although successful exploitation is believed to be difficult, it is still possible in some situations.

Impact

An attacker with the ability to supply a specially crafted list of ciphers could execute code in the context of an application using the vulnerable function.

Solution

Upgrade or apply a patch from the vendor

Patches have been released to address this issue. Please see the Systems Affected section of this document for more information.

Users or redistributors who compile OpenSSL from the original source code distribution are encouraged to review OpenSSL Security Advisory [28th September 2006] and upgrade to the appropriate fixed version of the software.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Debian GNU/LinuxAffected15 Sep 200602 Oct 2006
F5 Networks, Inc.Affected15 Sep 200621 Sep 2006
FreeBSD, Inc.Affected15 Sep 200628 Sep 2006
OpenPKGAffected-02 Oct 2006
OpenSSLAffected06 Sep 200628 Sep 2006
Oracle CorporationAffected-17 Jan 2007
Red Hat, Inc.Affected15 Sep 200602 Oct 2006
rPathAffected-02 Oct 2006
Slackware Linux Inc.Affected15 Sep 200602 Oct 2006
StonesoftAffected15 Sep 200629 Sep 2006
SUSE LinuxAffected15 Sep 200602 Oct 2006
Trustix Secure LinuxAffected15 Sep 200602 Oct 2006
UbuntuAffected15 Sep 200628 Sep 2006
Force10 Networks, Inc.Not Affected15 Sep 200622 Jul 2011
FujitsuNot Affected15 Sep 200629 Sep 2006
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Tavis Ormandy and Will Drewry of the Google Security Team for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

  • CVE IDs: CVE-2006-3738
  • Date Public: 28 Sep 2006
  • Date First Published: 28 Sep 2006
  • Date Last Updated: 22 Jul 2011
  • Severity Metric: 2.53
  • Document Revision: 39

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.