
CERT Coordination Center

MatrixSSL contains multiple vulnerabilities

Vulnerability Note VU#396440

Original Release Date: 2016-10-11 | Last Revised: 2016-10-14

Overview

MatrixSSL version 3.8.5 and earlier contains heap overflow, out-of-bounds read, and free-of-unallocated-memory vulnerabilities.

Description

CWE-122: Heap-based Buffer Overflow - CVE-2016-6890

The Subject Alt Name field of X.509 certificates is not properly parsed. A specially crafted certificate may result in a heap-based buffer overflow and arbitrary code execution.

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2016-6891

The ASN.1 Bit Field is not properly parsed. A specially crafted certificate may lead to a denial of service condition due to an out-of-bounds read in memory.

CWE-590: Free of Memory not on the Heap - CVE-2016-6892

The x509FreeExtensions() function does not properly parse X.509 certificates. A specially crafted certificate may cause a free operation on unallocated memory, resulting in a denial of service condition.
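The Subject Alt Name and ASN.1 bit field issues above belong to the class of bug where a parser trusts a length field carried inside the certificate. The following C code is an added example, not MatrixSSL code and not the vendor's fix: it shows the length and ownership checks a DER parser needs when reading a Subject Alt Name sequence and a BIT STRING. All function names, limits and sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAMES    8      /* assumed cap on SAN entries kept */
#define MAX_NAME_LEN 255    /* assumed cap on one dNSName */
typedef struct { char *names[MAX_NAMES]; size_t count; } san_list;

/* Read one DER tag/length header. On success *p points at the content and
 * the whole content is guaranteed to lie inside [*p, end). */
static int der_header(const uint8_t **p, const uint8_t *end,
                      uint8_t *tag, size_t *len)
{
    const uint8_t *q = *p;
    size_t n, l = 0;
    if ((size_t)(end - q) < 2) return -1;
    *tag = *q++;
    if (*q < 0x80) {
        l = *q++;                              /* short form */
    } else {
        n = *q++ & 0x7f;                       /* long form: n length octets */
        if (n == 0 || n > 4 || (size_t)(end - q) < n) return -1;
        while (n--) l = (l << 8) | *q++;
    }
    if (l > (size_t)(end - q)) return -1;      /* length must fit the input */
    *p = q; *len = l;
    return 0;
}

/* BIT STRING (tag 0x03): first content octet is the unused-bit count, 0..7. */
int parse_bit_string(const uint8_t *buf, size_t buflen,
                     const uint8_t **bits, size_t *nbits)
{
    const uint8_t *p = buf, *end = buf + buflen;
    uint8_t tag; size_t len;
    if (der_header(&p, end, &tag, &len) != 0 || tag != 0x03) return -1;
    if (len < 1 || p[0] > 7) return -1;        /* unused-bits octet required */
    if (len == 1 && p[0] != 0) return -1;      /* empty string has no spare bits */
    *bits = p + 1;
    *nbits = (len - 1) * 8 - p[0];
    return 0;
}

/* Free only the pointers this parser allocated; count tracks exactly those. */
void san_free(san_list *out)
{
    while (out->count > 0) free(out->names[--out->count]);
}

/* Collect dNSName entries (context tag [2], 0x82) from a GeneralNames SEQUENCE. */
int parse_san_dns(const uint8_t *buf, size_t buflen, san_list *out)
{
    const uint8_t *p = buf, *end = buf + buflen;
    uint8_t tag; size_t len;
    out->count = 0;
    if (der_header(&p, end, &tag, &len) != 0 || tag != 0x30) return -1;
    end = p + len;                             /* stay inside the SEQUENCE */
    while (p < end) {
        if (der_header(&p, end, &tag, &len) != 0) goto fail;
        if (tag == 0x82) {
            char *s;
            if (out->count == MAX_NAMES || len == 0 || len > MAX_NAME_LEN) goto fail;
            if (memchr(p, 0, len) != NULL) goto fail;   /* embedded NUL */
            s = malloc(len + 1);               /* sized from the checked length */
            if (s == NULL) goto fail;
            memcpy(s, p, len);
            s[len] = '\0';
            out->names[out->count++] = s;
        }
        p += len;
    }
    return 0;
fail:
    san_free(out);
    return -1;
}

/* Constructed sample inputs, not taken from any real certificate. */
static const uint8_t SAN_OK[] = { 0x30, 0x16,
    0x82, 0x09, 'a','.','e','x','a','m','p','l','e',
    0x82, 0x09, 'b','.','e','x','a','m','p','l','e' };
static const uint8_t SAN_BAD[]  = { 0x30, 0x05, 0x82, 0x7f, 'a', 'b', 'c' };
static const uint8_t BITS_OK[]  = { 0x03, 0x02, 0x05, 0xA0 };
static const uint8_t BITS_BAD[] = { 0x03, 0x04, 0x00, 0xFF };

int main(void)
{
    san_list l;
    const uint8_t *bits;
    size_t nbits;
    int bad = parse_san_dns(SAN_OK, sizeof SAN_OK, &l) != 0 || l.count != 2;
    san_free(&l);
    bad |= parse_san_dns(SAN_BAD, sizeof SAN_BAD, &l) != -1;
    bad |= parse_bit_string(BITS_OK, sizeof BITS_OK, &bits, &nbits) != 0 || nbits != 3;
    bad |= parse_bit_string(BITS_BAD, sizeof BITS_BAD, &bits, &nbits) != -1;
    return bad;
}
```

Both rejected samples declare a content length larger than the bytes actually present, so the parser refuses them before any copy or read takes place.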

The CVSS score below describes CVE-2016-6890. For more information about these vulnerabilities, contact the vendor at support@matrixssl.com or refer to the vendor release notes and the researcher's blog.

Impact

By causing a server to parse a specially crafted X.509 certificate, a remote, unauthenticated attacker may be able to create a denial of service condition or execute arbitrary code in the context of the SSL stack.

Solution

Apply an update

The vendor has released version 3.8.6 to address these issues. Developers of embedded devices using MatrixSSL should provide firmware updates implementing the fix. Users in general should update to the latest release.

Vendor Information


MatrixSSL

Notified:  August 26, 2016 Updated:  October 11, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

MatrixSSL versions 3.8.5 and earlier are affected.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CoreOS

Notified:  October 11, 2016 Updated:  October 13, 2016

Statement Date:   October 11, 2016

Status

  Not Affected

Vendor Statement

CoreOS Linux is not affected by this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lenovo

Notified:  October 11, 2016 Updated:  October 14, 2016

Statement Date:   October 13, 2016

Status

  Not Affected

Vendor Statement

Lenovo is not affected by this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Each of the following vendors was notified on October 11, 2016 and last updated on October 11, 2016. The status of each is Unknown, and no statement is currently available from the vendor regarding this vulnerability.

AT&T
Alcatel-Lucent
Apple
Arch Linux
Arista Networks, Inc.
Aruba Networks
Avaya, Inc.
Barracuda Networks
Belkin, Inc.
Blue Coat Systems
Brocade Communication Systems
CA Technologies
CMX Systems
CentOS
Check Point Software Technologies
Cisco
Contiki OS
D-Link Systems, Inc.
Debian GNU/Linux
DesktopBSD
DragonFly BSD Project
EMC Corporation
EfficientIP SAS
Enterasys Networks
Ericsson
European Registry for Internet Domains
Extreme Networks
F5 Networks, Inc.
Fedora Project
Force10 Networks
Fortinet, Inc.
Foundry Brocade
FreeBSD Project
GNU adns
GNU glibc
Gentoo Linux
Google
Hardened BSD
Hewlett Packard Enterprise
Hitachi
Huawei Technologies
IBM Corporation
Infoblox
Intel Corporation
Internet Systems Consortium
Internet Systems Consortium - DHCP
JH Software
Juniper Networks
Lynx Software Technologies
McAfee
Microchip Technology
Microsoft Corporation

                                                                                                            NEC Corporation

                                                                                                            Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                            Status

                                                                                                              Unknown

                                                                                                            Vendor Statement

                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                            Vendor References

                                                                                                              NLnet Labs

                                                                                                              Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                              Status

                                                                                                                Unknown

                                                                                                              Vendor Statement

                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                              Vendor References

                                                                                                                NetBSD

                                                                                                                Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                Status

                                                                                                                  Unknown

                                                                                                                Vendor Statement

                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                Vendor References

                                                                                                                  Nokia

                                                                                                                  Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                  Status

                                                                                                                    Unknown

                                                                                                                  Vendor Statement

                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                  Vendor References

                                                                                                                    Nominum

                                                                                                                    Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                    Status

                                                                                                                      Unknown

                                                                                                                    Vendor Statement

                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                    Vendor References

                                                                                                                      OmniTI

                                                                                                                      Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                      Status

                                                                                                                        Unknown

                                                                                                                      Vendor Statement

                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                      Vendor References

                                                                                                                        OpenBSD

                                                                                                                        Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                        Status

                                                                                                                          Unknown

                                                                                                                        Vendor Statement

                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                        Vendor References

                                                                                                                          OpenDNS

                                                                                                                          Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                          Status

                                                                                                                            Unknown

                                                                                                                          Vendor Statement

                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                          Vendor References

                                                                                                                            Openwall GNU/*/Linux

                                                                                                                            Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                            Status

                                                                                                                              Unknown

                                                                                                                            Vendor Statement

                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                            Vendor References

                                                                                                                              Oracle Corporation

                                                                                                                              Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                              Status

                                                                                                                                Unknown

                                                                                                                              Vendor Statement

                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                              Vendor References

                                                                                                                                Oryx Embedded

                                                                                                                                Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                Status

                                                                                                                                  Unknown

                                                                                                                                Vendor Statement

                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                Vendor References

                                                                                                                                  PC-BSD

                                                                                                                                  Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                  Status

                                                                                                                                    Unknown

                                                                                                                                  Vendor Statement

                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                  Vendor References

                                                                                                                                    Peplink

                                                                                                                                    Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                    Status

                                                                                                                                      Unknown

                                                                                                                                    Vendor Statement

                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                    Vendor References

                                                                                                                                      PowerDNS

                                                                                                                                      Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                      Status

                                                                                                                                        Unknown

                                                                                                                                      Vendor Statement

                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                      Vendor References

                                                                                                                                        Q1 Labs

                                                                                                                                        Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                        Status

                                                                                                                                          Unknown

                                                                                                                                        Vendor Statement

                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                        Vendor References

                                                                                                                                          QNX Software Systems Inc.

                                                                                                                                          Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                          Status

                                                                                                                                            Unknown

                                                                                                                                          Vendor Statement

                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                          Vendor References

                                                                                                                                            Quadros Systems

                                                                                                                                            Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                            Status

                                                                                                                                              Unknown

                                                                                                                                            Vendor Statement

                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                            Vendor References

                                                                                                                                              Red Hat, Inc.

                                                                                                                                              Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                              Status

                                                                                                                                                Unknown

                                                                                                                                              Vendor Statement

                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                              Vendor References

                                                                                                                                                Rocket RTOS

                                                                                                                                                Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                                Status

                                                                                                                                                  Unknown

                                                                                                                                                Vendor Statement

                                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                Vendor References

                                                                                                                                                  SUSE Linux

                                                                                                                                                  Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                                  Status

                                                                                                                                                    Unknown

                                                                                                                                                  Vendor Statement

                                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                  Vendor References

                                                                                                                                                    SafeNet

                                                                                                                                                    Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                                    Status

                                                                                                                                                      Unknown

                                                                                                                                                    Vendor Statement

                                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                    Vendor References

                                                                                                                                                      Secure64 Software Corporation

                                                                                                                                                      Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                                      Status

                                                                                                                                                        Unknown

                                                                                                                                                      Vendor Statement

                                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                      Vendor References

                                                                                                                                                        Slackware Linux Inc.

                                                                                                                                                        Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                                        Status

                                                                                                                                                          Unknown

                                                                                                                                                        Vendor Statement

                                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                        Vendor References

                                                                                                                                                          SmoothWall

                                                                                                                                                          Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                                          Status

                                                                                                                                                            Unknown

                                                                                                                                                          Vendor Statement

                                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                          Vendor References

                                                                                                                                                            Snort

                                                                                                                                                            Notified:  October 11, 2016 Updated:  October 11, 2016

                                                                                                                                                            Status

                                                                                                                                                              Unknown

                                                                                                                                                            Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sony Corporation

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sourcefire

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Symantec

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

TCPWave

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

TippingPoint Technologies Inc.

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Tizen

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Turbolinux

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Ubuntu

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Unisys

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

VMware

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Wind River

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

WizNET Technology

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Xilinx

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Zephyr Project

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

ZyXEL

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

dnsmasq

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

gdnsd

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

m0n0wall

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

openSUSE project

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References



CVSS Metrics

Group          Score   Vector
Base           10.0    AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.8     E:POC/RL:OF/RC:C
Environmental  5.9     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Craig Young of Tripwire for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2016-6890, CVE-2016-6891, CVE-2016-6892
Date Public: 2016-10-10
Date First Published: 2016-10-11
Date Last Updated: 2016-10-14 13:05 UTC
Document Revision: 19

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.