Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

OpenSSL Updates

Published: 2016-05-03
Last Updated: 2016-05-03 15:47:05 UTC
by Rick Wanner (Version: 2)
0 comment(s)

The OpenSSL updates pre-announced last week have dropped. The latest versions are 1.0.1t and 1.0.2h.  These updates don't come with same level of urgency as some we have seen in the recent past, but these should are rated High. It is always a good idea to update your servers to the most up to date version of OpenSSL as soon as reasonable.

Their are a number of vulnerabilities that have been fixed in these releases.

CVE-2016-2108, High severity: It a ASN.1 encoding issue (CVE-2016-2108) that could cause an out of bounds write leading to memory corruption.  This could be exploitable in some configurations.

CVE-2016-2107, High severity: A padding attack could be used to permit an attacker who is in a position to Man-in-the-Middle the session to decrypt traffic. 

CVE-2016-2105,Low severity: This is a heap overflow resulting in heap corruption. The vulnerable function is internal to OpenSSL and is not believed to be exploitable. 

CVE-2016-2106, Low severity: This appears to be the same function as CVE-2016-2105 and because it is only used internally to OpenSSL it is not believed to be exploitable.

CVE-2016-2109, Low severity: Is a resource exhaustion and/or memory exhaustion issue in the ASN.1 read. This is internal to OpenSSL and not believed to be exploitable.

CVE-2016-2176, Low severity: An ASN.1 overread could result in access to arbitrary stack information being returned. The release is not clear on exploitability.

There is no indication that there are exploits in the wild at this time.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)

Keywords: OpenSSL
0 comment(s)
ISC Stormcast For Tuesday, May 3rd 2016
Reminder: OpenSSL releases later today!

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Lean Threat Intelligence
22 hours ago by Rick (0 comments)

Fake Chrome update for Android
1 day ago by Rick (0 comments)

New release of PCI DSS (version 3.2) is available
4 days ago by Mark (1 comment)

DNS and DHCP Recon using Powershell
5 days ago by Rob VandenBrink (3 comments)

Kippos Cousin Cowrie
6 days ago by Tom (0 comments)

An Introduction to Mac memory forensics
6 days ago by Basil (0 comments)

View All Diaries →

Latest Discussions

Issue wit RSS Feed?
created 1 week ago by Matt M. (0 replies)

Privesc on Windows Server 2008 R2 Datacenter x64
created 2 weeks ago by Shaf (4 replies)

Government access to hosted data.
created 2 weeks ago by Anonymous (0 replies)

Cyber Hunt - Hawaii
created 2 weeks ago by MGiese (0 replies)

Top ten rising ports
created 3 weeks ago by Kim (1 reply)

View All Forums →

Latest News

View All News →

Top Diaries

Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected
2 months ago by Dr. J. (24 comments)

CVE-2015-7547: Critical Vulnerability in glibc getaddrinfo
2 months ago by Dr. J. (9 comments)

March 2016 Microsoft Patch Tuesday
1 month ago by Alex Stanford (22 comments)

Getting Ready for Badlock
1 month ago by Dr. J. (5 comments)

What to watch with your FIM?
1 month ago by Xme (4 comments)