A vulnerability has been discovered in OpenSSL which could allow for arbitrary code execution. OpenSSL is an open-source implementation of the SSL and TLS protocols used by a number of applications and products. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols which ensure secure communication over the Internet via encryption. Successful exploitation could result in the attacker executing arbitrary code in the context of the user running the affected application. Failed exploit attempts will most likely result in denial-of-service conditions.
Systems affected: OpenSSL versions prior to 1.1.0.
OpenSSL is prone to a vulnerability which could allow for arbitrary code execution. The vulnerability is as follows:
OpenSSL is prone to an integer-overflow vulnerability because of an out-of-bounds write error. Specifically, this issue affects the 'MDC2_Update()' function in the 'crypto/mdc2/mdc2dgst.c' source file.
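As an added illustration of the bug class described above (this is a constructed example, not OpenSSL's code and not its patch), the following C program shows how a partial-block length check written as 'num + len < BLOCK' wraps around for a very large 'len', so the check passes and a later memcpy would write past an 8-byte buffer; the hardened form 'len < BLOCK - num' cannot wrap because 'num' is always smaller than the block size. The names 'BLOCK', 'ctx_t', 'fits_unsafe', 'fits_safe' and 'update_safe' are assumptions made for the example, and the sample input is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of an integer overflow in a block accumulator.
 * A hash update routine keeps 'num' bytes of partial data in a fixed
 * BLOCK-sized buffer and must decide whether 'len' new bytes still fit.
 * This is not OpenSSL's code; BLOCK, ctx_t and the function names are
 * assumptions for the example. */
#define BLOCK 8

typedef struct {
    unsigned char data[BLOCK];
    size_t num;   /* bytes already buffered, always < BLOCK */
} ctx_t;

/* Overflow-prone check: num + len wraps around when len is close to
 * SIZE_MAX, so the comparison passes and the caller would memcpy a huge
 * length into an 8-byte buffer (out-of-bounds write). */
bool fits_unsafe(size_t num, size_t len)
{
    return num + len < BLOCK;
}

/* Hardened check: BLOCK - num cannot wrap because num < BLOCK, so the
 * comparison is exact for every possible len. */
bool fits_safe(size_t num, size_t len)
{
    return len < BLOCK - num;
}

/* Update routine built on the hardened check. Returns the number of full
 * blocks consumed (here just counted) so callers can verify behaviour;
 * any partial remainder is buffered in ctx->data. */
size_t update_safe(ctx_t *ctx, const unsigned char *in, size_t len)
{
    size_t blocks = 0;
    if (ctx->num != 0) {
        if (fits_safe(ctx->num, len)) {
            memcpy(ctx->data + ctx->num, in, len);   /* still a partial block */
            ctx->num += len;
            return 0;
        }
        size_t j = BLOCK - ctx->num;                 /* complete the buffered block */
        memcpy(ctx->data + ctx->num, in, j);
        in += j;
        len -= j;
        ctx->num = 0;
        blocks++;
    }
    size_t whole = len & ~((size_t)BLOCK - 1);       /* full blocks consumed directly */
    blocks += whole / BLOCK;
    in += whole;
    len -= whole;
    if (len > 0) {                                   /* buffer the tail */
        memcpy(ctx->data, in, len);
        ctx->num = len;
    }
    return blocks;
}

int main(void)
{
    size_t num = 3;   /* three bytes already buffered */
    printf("unsafe check, len=SIZE_MAX-1: %s\n",
           fits_unsafe(num, SIZE_MAX - 1) ? "fits (WRONG, would overflow buffer)" : "rejects");
    printf("safe check,   len=SIZE_MAX-1: %s\n",
           fits_safe(num, SIZE_MAX - 1) ? "fits" : "rejects (correct)");

    ctx_t c = {{0}, 0};
    unsigned char msg[] = "constructed input....";   /* 21 bytes, constructed */
    size_t b = update_safe(&c, msg, sizeof(msg) - 1);
    printf("processed %zu full blocks, %zu bytes buffered\n", b, c.num);
    return 0;
}
```

The point of the comparison is that both checks agree on every ordinary length; they only diverge when an attacker-controlled length is large enough to wrap the addition, which is exactly the case a bounds check exists to catch.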
Successful exploitation could result in the attacker executing arbitrary code in the context of the user running the affected application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Failed exploit attempts will likely result in denial-of-service conditions.
After appropriate testing, apply patches provided by OpenSSL and/or applicable vendors to vulnerable systems.
Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Do not use the same OpenSSL private keys across multiple systems, and update OpenSSL keys periodically.