Vigil@nce - OpenSSL: use after free via NewSessionTicket
August 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who owns a malicious TLS server can send the
NewSessionTicket message to force the use of a freed memory area in
a client linked to OpenSSL, in order to trigger a denial of service,
and possibly to execute code.
Impacted products: Cisco ASR, Cisco ATA, AnyConnect VPN Client,
Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco
ESA, IOS Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort
Encryption, Cisco Nexus, NX-OS, Cisco Prime, Cisco Router, Secure
ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified
CCX, Cisco IP Phone, Cisco Unified Meeting Place, Cisco Wireless
IP Phone, Cisco Unity, Cisco WSA, Debian, BIG-IP Hardware, TMOS,
Fedora, FileZilla Server, FreeBSD, AIX, IRAD, Junos Pulse, McAfee
Email and Web Security, McAfee Email Gateway, McAfee Web Gateway,
OpenSSL, openSUSE, Solaris, pfSense, Puppet, RHEL, Slackware, SUSE
Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***,
Ubuntu
Severity: 2/4
Creation date: 04/06/2015
DESCRIPTION OF THE VULNERABILITY
The TLS protocol uses the NewSessionTicket message to obtain a new
session ticket (RFC 5077).
The ssl3_get_new_session_ticket() function of the ssl/s3_clnt.c
file implements NewSessionTicket handling in an OpenSSL client.
However, if the client is multi-threaded, this function frees a
memory area that is subsequently reused.
An attacker who owns a malicious TLS server can therefore send the
NewSessionTicket message to force the use of a freed memory area in
a client linked to OpenSSL, in order to trigger a denial of service,
and possibly to execute code.
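The pattern behind this flaw, and the defensive pattern that avoids it, as an added C model that is not OpenSSL's code: a session object shared by several connections (as a session cache holds it in a multi-threaded client) has its ticket freed and replaced in place by vuln_new_ticket, while safe_new_ticket gives the connection its own copy of the session before touching the ticket. All type and function names here are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
/* A client session shared by several connections (as a session cache does in
 * a multi-threaded client); refs counts the connections holding it. */
typedef struct {
    int refs;
    unsigned char *ticket;   /* heap-allocated session ticket bytes */
    size_t ticket_len;
} session_t;
typedef struct { session_t *session; } conn_t;
static unsigned char *dup_bytes(const unsigned char *p, size_t n) {
    unsigned char *q = malloc(n ? n : 1);
    if (q) memcpy(q, p, n);
    return q;
}
session_t *session_new(const unsigned char *t, size_t n) {
    session_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->ticket = dup_bytes(t, n);
    s->ticket_len = n;
    s->refs = 1;
    return s;
}
void session_release(session_t *s) { if (s && --s->refs == 0) { free(s->ticket); free(s); } }
/* Vulnerable pattern: the old ticket is freed and replaced inside the shared
 * session, so every other holder sees a changed object and any pointer it
 * kept to the old ticket now dangles (the use-after-free described above). */
void vuln_new_ticket(conn_t *c, const unsigned char *t, size_t n) {
    free(c->session->ticket);
    c->session->ticket = dup_bytes(t, n);
    c->session->ticket_len = n;
}

/* Hardened pattern: if the session is shared, give this connection a private
 * copy first, so the free only touches memory nobody else references. */
int safe_new_ticket(conn_t *c, const unsigned char *t, size_t n) {
    session_t *s = c->session;
    if (s->refs > 1) {
        session_t *priv = session_new(s->ticket, s->ticket_len);
        if (!priv) return 0;
        session_release(s);          /* drop our share of the old session */
        c->session = s = priv;
    }
    unsigned char *nt = dup_bytes(t, n);
    if (!nt) return 0;
    free(s->ticket);                 /* only this connection references it */
    s->ticket = nt;
    s->ticket_len = n;
    return 1;
}
```

In a real multi-threaded client the second holder is another thread, so the in-place variant turns into a race between the free and that thread's next read of the ticket; the copy-first variant removes the shared write entirely.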
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenSSL-use-after-free-via-NewSessionTicket-17062