
CERT Coordination Center

MatrixSSL contains multiple vulnerabilities

Vulnerability Note VU#396440

Original Release Date: 2016-10-11 | Last Revised: 2016-10-14

Overview

MatrixSSL version 3.8.5 and earlier contains three certificate-parsing vulnerabilities: a heap-based buffer overflow, an out-of-bounds read, and a free of unallocated memory.

Description

CWE-122: Heap-based Buffer Overflow - CVE-2016-6890

The Subject Alt Name field of X.509 certificates is not properly parsed. A specially crafted certificate may result in a heap-based buffer overflow and arbitrary code execution.

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2016-6891

The ASN.1 Bit Field is not properly parsed. A specially crafted certificate may lead to a denial-of-service condition due to an out-of-bounds read in memory.

CWE-590: Free of Memory not on the Heap - CVE-2016-6892

The x509FreeExtensions() function does not properly parse X.509 certificates. A specially crafted certificate may cause a free operation on unallocated memory, resulting in a denial of service condition.
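As an added defensive illustration (this is not MatrixSSL's code and not the vendor's fix), the C below shows the bounds checks that the first two parsing bugs above call for: a DER tag/length reader that rejects any declared length running past the end of the buffer, a SubjectAltName walk that copies dNSName entries only while the destination has room, and a BIT STRING check on the leading unused-bits byte. The `der_t` type, the function names and the sample encodings are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { const uint8_t *p; size_t len; } der_t;    /* bytes still readable */

/* Read one tag/length header, checking the declared length against what remains.
   Returns 1 and sets *val, or 0 on a truncated or oversized header. */
static int der_read_tlv(der_t *in, uint8_t *tag, der_t *val)
{
    size_t i = 0, len = 0;
    if (in->len < 2) return 0;
    *tag = in->p[i++];
    uint8_t b = in->p[i++];
    if (b < 0x80) {
        len = b;                                         /* short form */
    } else {                                             /* long form, 1-2 length bytes */
        size_t nbytes = b & 0x7f;
        if (nbytes == 0 || nbytes > 2 || in->len - i < nbytes) return 0;
        for (size_t k = 0; k < nbytes; k++) len = (len << 8) | in->p[i++];
    }
    if (len > in->len - i) return 0;                     /* length runs past the buffer */
    val->p = in->p + i;  val->len = len;
    in->p += i + len;    in->len -= i + len;
    return 1;
}

/* Walk a SubjectAltName GeneralNames SEQUENCE and copy each dNSName ([2] = 0x82) into
   out as back-to-back NUL-terminated strings. Returns the count, or -1 on malformed
   DER or when out would overflow: the caller's buffer is never written past its end. */
static int parse_san_dns_names(const uint8_t *der, size_t der_len, char *out, size_t out_cap)
{
    der_t in = { der, der_len }, seq, name;
    uint8_t tag; size_t used = 0; int count = 0;
    if (!der_read_tlv(&in, &tag, &seq) || tag != 0x30 || in.len != 0) return -1;
    while (seq.len > 0) {
        if (!der_read_tlv(&seq, &tag, &name)) return -1;
        if (tag != 0x82) continue;                       /* other GeneralName choices */
        if (name.len + 1 > out_cap - used) return -1;    /* refuse rather than overflow */
        memcpy(out + used, name.p, name.len);
        used += name.len;
        out[used++] = '\0';
        count++;
    }
    return count;
}

/* Validate a DER BIT STRING: the "unused bits" byte must exist and be 0..7
   (and 0 when no data bytes follow). Returns the usable bit count, or -1. */
static long bitstring_bit_count(const uint8_t *der, size_t der_len)
{
    der_t in = { der, der_len }, bs; uint8_t tag;
    if (!der_read_tlv(&in, &tag, &bs) || tag != 0x03) return -1;
    if (bs.len < 1 || bs.p[0] > 7 || (bs.len == 1 && bs.p[0] != 0)) return -1;
    return (long)((bs.len - 1) * 8 - bs.p[0]);
}

/* Constructed sample encodings, not taken from any real certificate. */
static const uint8_t SAN_OK[]   = { 0x30, 0x10, 0x82, 0x06, 'a','.','t','e','s','t', 0x82, 0x06, 'b','.','t','e','s','t' };
static const uint8_t SAN_BAD[]  = { 0x30, 0x05, 0x82, 0x7f, 'x', 'y', 'z' };  /* inner length 127, only 3 left */
static const uint8_t BITS_OK[]  = { 0x03, 0x02, 0x06, 0x40 };                /* 8 - 6 = 2 usable bits */
static const uint8_t BITS_BAD[] = { 0x03, 0x02, 0x08, 0xff };                /* 8 unused bits: invalid */
```

With the samples above, `parse_san_dns_names` returns 2 for `SAN_OK` and -1 for `SAN_BAD`, and `bitstring_bit_count` returns 2 for `BITS_OK` and -1 for `BITS_BAD`.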

The CVSS score below describes CVE-2016-6890. For more information about these vulnerabilities, contact the vendor at support@matrixssl.com or refer to the vendor release notes and the researcher's blog.

Impact

By causing a server to parse a specially crafted X.509 certificate, a remote, unauthenticated attacker may be able to create a denial of service condition or execute arbitrary code in the context of the SSL stack.

Solution

Apply an update

The vendor has released version 3.8.6 to address these issues. Developers of embedded devices using MatrixSSL should provide firmware updates implementing the fix. Users in general should update to the latest release.

Vendor Information


MatrixSSL

Notified:  August 26, 2016 Updated:  October 11, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

MatrixSSL versions 3.8.5 and earlier are affected.


CoreOS

Notified:  October 11, 2016 Updated:  October 13, 2016

Statement Date:   October 11, 2016

Status

  Not Affected

Vendor Statement

CoreOS Linux is not affected by this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lenovo

Notified:  October 11, 2016 Updated:  October 14, 2016

Statement Date:   October 13, 2016

Status

  Not Affected

Vendor Statement

Lenovo is not affected by this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

AT&T

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Alcatel-Lucent

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Apple

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arch Linux

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arista Networks, Inc.

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Aruba Networks

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Avaya, Inc.

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Barracuda Networks

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Belkin, Inc.

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Blue Coat Systems

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Brocade Communication Systems

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CA Technologies

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CMX Systems

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CentOS

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Check Point Software Technologies

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Cisco

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Contiki OS

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

D-Link Systems, Inc.

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Debian GNU/Linux

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DesktopBSD

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DragonFly BSD Project

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EMC Corporation

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EfficientIP SAS

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Enterasys Networks

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ericsson

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

European Registry for Internet Domains

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Extreme Networks

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

F5 Networks, Inc.

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fedora Project

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Force10 Networks

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fortinet, Inc.

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Foundry Brocade

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

FreeBSD Project

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

GNU adns

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

GNU glibc

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Gentoo Linux

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Google

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hardened BSD

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hewlett Packard Enterprise

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hitachi

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Huawei Technologies

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM Corporation

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Infoblox

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Intel Corporation

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium - DHCP

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

JH Software

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Juniper Networks

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Lynx Software Technologies

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

McAfee

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Microchip Technology

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Microsoft Corporation

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NEC Corporation

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NLnet Labs

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NetBSD

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nokia

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nominum

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OmniTI

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenBSD

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenDNS

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Oracle Corporation

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Oryx Embedded

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

PC-BSD

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Peplink

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

PowerDNS

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Q1 Labs

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

QNX Software Systems Inc.

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Quadros Systems

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Red Hat, Inc.

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Rocket RTOS

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SUSE Linux

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SafeNet

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Secure64 Software Corporation

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Slackware Linux Inc.

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SmoothWall

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Snort

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sony Corporation

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sourcefire

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Symantec

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

TCPWave

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

TippingPoint Technologies Inc.

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Tizen

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Turbolinux

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ubuntu

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Unisys

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

VMware

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Wind River

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

WizNET Technology

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Xilinx

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Zephyr Project

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

ZyXEL

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

dnsmasq

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

gdnsd

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

m0n0wall

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

openSUSE project

Notified:  October 11, 2016 Updated:  October 11, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.


CVSS Metrics

Group          Score   Vector
Base           10.0    AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.8     E:POC/RL:OF/RC:C
Environmental  5.9     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit

Thanks to Craig Young of Tripwire for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2016-6890, CVE-2016-6891, CVE-2016-6892
Date Public: 2016-10-10
Date First Published: 2016-10-11
Date Last Updated: 2016-10-14 13:05 UTC
Document Revision: 19

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.