Last Updated: 2016-05-03 21:03:43 UTC
by Rick Wanner (Version: 3)
The OpenSSL updates pre-announced last week have dropped. The latest versions are 1.0.1t and 1.0.2h. These updates don't come with same level of urgency as some we have seen in the recent past, but these should are rated High. It is always a good idea to update your servers to the most up to date version of OpenSSL as soon as reasonable.
Their are a number of vulnerabilities that have been fixed in these releases.
CVE-2016-2108, High severity: It a ASN.1 encoding issue (CVE-2016-2108) that could cause an out of bounds write leading to memory corruption. This could be exploitable in some configurations.
CVE-2016-2107, High severity: A padding attack could be used to permit an attacker who is in a position to Man-in-the-Middle the session to decrypt traffic.
CVE-2016-2105,Low severity: This is a heap overflow resulting in heap corruption. The vulnerable function is internal to OpenSSL and is not believed to be exploitable.
CVE-2016-2106, Low severity: This appears to be the same function as CVE-2016-2105 and because it is only used internally to OpenSSL it is not believed to be exploitable.
CVE-2016-2109, Low severity: Is a resource exhaustion and/or memory exhaustion issue in the ASN.1 read. This is internal to OpenSSL and not believed to be exploitable.
CVE-2016-2176, Low severity: An ASN.1 overread could result in access to arbitrary stack information being returned. The release is not clear on exploitability.
There is no indication that there are exploits in the wild at this time.
UPDATE: There is now a PoC for CVE-2016-2107
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)