Vulnerability in OpenSSL Could Allow for Arbitrary Code Execution

ITS Advisory Number: 2016-158
Date(s) Issued: Monday, September 19, 2016
Date Updated: Monday, September 19, 2016
Subject: Vulnerability in OpenSSL Could Allow for Arbitrary Code Execution
Overview: 

A vulnerability has been discovered in OpenSSL which could allow for arbitrary code execution. OpenSSL is an open-source implementation of the SSL and TLS protocols and a general-purpose cryptographic library used by a large number of applications and products. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols which provide encrypted communication over the Internet. This flaw lies in the library's MDC2 message-digest code rather than in its TLS handling, so an application is exposed if it hashes untrusted input with MDC2 through OpenSSL, whether or not it uses TLS. Successful exploitation could result in the attacker executing arbitrary code in the context of the user running the affected application. Failed exploit attempts will most likely result in denial-of-service conditions.

Systems Affected: 
  • OpenSSL versions prior to 1.1.0

RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: High
Description: 

OpenSSL is prone to a vulnerability which could allow for arbitrary code execution. The vulnerability is as follows:

  • OpenSSL is prone to an integer-overflow vulnerability in the 'MDC2_Update()' function of the 'crypto/mdc2/mdc2dgst.c' source file. The overflow occurs in the function's handling of the input length, and the wrapped length leads to an out-of-bounds write. MDC2 is a legacy DES-based message digest that is rarely used and can be disabled at build time (OPENSSL_NO_MDC2); an application is affected only if it hashes attacker-controlled input with MDC2 through the library.

Successful exploitation could result in the attacker executing arbitrary code in the context of the user running the affected application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Failed exploit attempts will likely result in denial-of-service conditions.
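The overflow pattern described above, as an added illustration that is not OpenSSL's code: a minimal block-buffering digest update routine whose "does the input still fit in the partial block" check is written first in a form that wraps on a very large length and then in a wrap-free form, plus a helper that reports how far past the buffer the partial-block copy would write without performing the copy. The block size, the 'demo_ctx' structure, the function names and the input bytes are constructed for this example; it models the class of bug the description names and does not reproduce the exact OpenSSL source line.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 8 /* block size assumed for the demo; MDC2 also works on 8-byte blocks */

/* Digest context in the shape most Update() routines use: a partial-block
 * buffer plus a count of how many bytes of it are in use. (Constructed.) */
typedef struct {
    unsigned char data[BLOCK];
    size_t num;    /* invariant: num < BLOCK between calls */
    size_t blocks; /* full blocks consumed; stands in for the real compression step */
} demo_ctx;

/* Vulnerable comparison: i + len is evaluated in size_t and wraps when len is
 * close to SIZE_MAX, so a huge len looks like "fits in the partial block". */
int partial_fits_unsafe(size_t i, size_t len)
{
    return i + len < BLOCK;
}

/* Hardened comparison: BLOCK - i cannot wrap because i < BLOCK, so the test is
 * exact for every len. */
int partial_fits_safe(size_t i, size_t len)
{
    return len < BLOCK - i;
}

/* How many bytes the partial-block memcpy would land past the end of data[]
 * if `check` admits (i, len). Computed without copying anything, so it can be
 * evaluated on adversarial lengths. 0 means the check rejects the input or
 * the bytes genuinely fit. */
size_t overflow_bytes(int (*check)(size_t, size_t), size_t i, size_t len)
{
    if (!check(i, len) || len <= BLOCK - i)
        return 0;
    return len - (BLOCK - i);
}

/* Update routine using the hardened check. Returns 0 on success, -1 on bad args. */
int demo_update(demo_ctx *c, const unsigned char *in, size_t len)
{
    size_t i, j;

    if (c == NULL || (in == NULL && len != 0) || c->num >= BLOCK)
        return -1;
    i = c->num;
    if (i != 0) {
        if (partial_fits_safe(i, len)) {      /* still no full block: buffer and return */
            memcpy(&c->data[i], in, len);
            c->num += len;
            return 0;
        }
        j = BLOCK - i;                        /* complete the pending block first */
        memcpy(&c->data[i], in, j);
        in += j;
        len -= j;
        c->num = 0;
        c->blocks++;
    }
    i = len & ~((size_t)BLOCK - 1);           /* whole blocks straight from the input */
    c->blocks += i / BLOCK;
    j = len - i;
    if (j > 0) {                              /* keep the tail for the next call */
        memcpy(&c->data[0], in + i, j);
        c->num = j;
    }
    return 0;
}

/* Feeds 5, 3 and 20 bytes of constructed input and returns blocks * BLOCK + num,
 * i.e. the total bytes accounted for (28 if the bookkeeping is right). */
size_t demo_bytes_accounted(void)
{
    static const unsigned char msg[] = "abcdefghijklmnopqrstuvwxyz01"; /* constructed input */
    demo_ctx c;

    memset(&c, 0, sizeof(c));
    demo_update(&c, msg, 5);
    demo_update(&c, msg + 5, 3);
    demo_update(&c, msg + 8, 20);
    return c.blocks * BLOCK + c.num;
}

int main(void)
{
    size_t huge = SIZE_MAX - 2;

    printf("unsafe check admits (4, SIZE_MAX-2): %d, would overflow by %zu bytes\n",
           partial_fits_unsafe(4, huge), overflow_bytes(partial_fits_unsafe, 4, huge));
    printf("safe check admits   (4, SIZE_MAX-2): %d, would overflow by %zu bytes\n",
           partial_fits_safe(4, huge), overflow_bytes(partial_fits_safe, 4, huge));
    printf("bytes accounted for after chunked update: %zu\n", demo_bytes_accounted());
    return 0;
}
```

The point to take from the two comparisons is that the hardened form keeps every operand within the buffer's own range: with i < BLOCK guaranteed, BLOCK - i is always a small positive number, so no attacker-chosen len can make the test lie. The wrapping form is the shape to look for when auditing any Update()-style routine that accumulates partial blocks.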

Actions: 
  • After appropriate testing, apply patches provided by OpenSSL and/or applicable vendors to vulnerable systems. Confirm the installed version with 'openssl version -a'; on 1.0.x builds, 'openssl list-message-digest-algorithms' shows whether MDC2 is compiled in. Applications that ship their own statically linked or bundled copy of OpenSSL must be updated separately from the system library.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Do not use the same OpenSSL private keys across multiple systems and update OpenSSL keys periodically. This is general key-hygiene guidance; this vulnerability is not known to disclose key material.