Vigil@nce - OpenSSL: data injection via OPENSSL_NO_BUF_FREELIST
April 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can establish a connection with a multi-thread
application linked to OpenSSL with OPENSSL_NO_BUF_FREELIST, in
order to potentially inject data in the session of another user.
Impacted products: OpenBSD, OpenSSL
Severity: 1/4
Creation date: 14/04/2014
DESCRIPTION OF THE VULNERABILITY
The OpenSSL product uses a proprietary implementation of malloc to
manage its memory.
However, when this feature is disabled with
OPENSSL_NO_BUF_FREELIST, a memory area is not freed, and the
ssl3_setup_read_buffer() function can, in multi-thread mode, reuse
data from another SSL session.
An attacker can therefore establish a connection with a
multi-threaded application linked to OpenSSL with
OPENSSL_NO_BUF_FREELIST, in order to potentially inject data in
the session of another user.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenSSL-data-injection-via-OPENSSL-NO-BUF-FREELIST-14585