Executive Summary

Summary
Title MatrixSSL contains multiple vulnerabilities
Informations
NameVU#396440First vendor Publication2016-10-11
VendorVU-CERTLast vendor Modification2016-10-14
Severity (Vendor) N/ARevisionM

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score10Attack RangeNetwork
Cvss Impact Score10Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#396440

MatrixSSL contains multiple vulnerabilities

Original Release date: 11 Oct 2016 | Last revised: 14 Oct 2016

Overview

MatrixSSL, version 3.8.5 and earlier, contains heap overflow, out-of-bounds read, and unallocated memory free operation vulnerabilities.

Description

CWE-122: Heap-based Buffer Overflow - CVE-2016-6890

The Subject Alt Name field of X.509 certificates is not properly parsed. A specially crafted certificate may result in a heap-based buffer overflow and arbitrary code execution.

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2016-6891

The ASN.1 Bit Field is not properly parsed. A specially crafted certificate may lead to a denial of service condition due to an out of bounds read in memory.

CWE-590: Free of Memory not on the Heap - CVE-2016-6892

The x509FreeExtensions() function does not properly parse X.509 certificates. A specially crafted certificate may cause a free operation on unallocated memory, resulting in a denial of service condition.

The CVSS score below describes CVE-2016-6890. For more information about these vulnerabilities, contact the vendor at support@matrixssl.com or refer to the vendor release notes and the researcher's blog.

Impact

By causing a server to parse a specially crafted X.509 certificate, a remote, unauthenticated attacker may be able to create a denial of service condition or execute arbitrary code in the context of the SSL stack.

Solution

Apply an update

The vendor has released version 3.8.6 to address these issues. Developers of embedded devices using MatrixSSL should provide firmware updates implementing the fix. Users in general should update to the latest release.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
MatrixSSLAffected26 Aug 201611 Oct 2016
CoreOSNot Affected11 Oct 201613 Oct 2016
LenovoNot Affected11 Oct 201614 Oct 2016
ACCESSUnknown11 Oct 201611 Oct 2016
Alcatel-LucentUnknown11 Oct 201611 Oct 2016
AppleUnknown11 Oct 201611 Oct 2016
Arch LinuxUnknown11 Oct 201611 Oct 2016
Arista Networks, Inc.Unknown11 Oct 201611 Oct 2016
Aruba NetworksUnknown11 Oct 201611 Oct 2016
AT&TUnknown11 Oct 201611 Oct 2016
Avaya, Inc.Unknown11 Oct 201611 Oct 2016
Barracuda NetworksUnknown11 Oct 201611 Oct 2016
Belkin, Inc.Unknown11 Oct 201611 Oct 2016
Blue Coat SystemsUnknown11 Oct 201611 Oct 2016
Brocade Communication SystemsUnknown11 Oct 201611 Oct 2016
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

GroupScoreVector
Base10.0AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal7.8E:POC/RL:OF/RC:C
Environmental5.9CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://github.com/matrixssl/matrixssl/blob/master/CHANGES.md
  • http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/flawed-matrixssl-code-highlights-need-for-better-iot-update-practices/
  • http://www.matrixssl.org/blog/releases/matrixssl_3_8_6
  • https://cwe.mitre.org/data/definitions/122.html
  • https://cwe.mitre.org/data/definitions/119.html
  • https://cwe.mitre.org/data/definitions/590.html

Credit

Thanks to Craig Young of Tripwire for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

  • CVE IDs:CVE-2016-6890CVE-2016-6891CVE-2016-6892
  • Date Public:10 Oct 2016
  • Date First Published:11 Oct 2016
  • Date Last Updated:14 Oct 2016
  • Document Revision:19

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/396440

CWE : Common Weakness Enumeration

%idName
33 %CWE-416Use After Free
33 %CWE-125Out-of-bounds Read
33 %CWE-119Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

TypeDescriptionCount
Application6

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
DateInformations
2017-01-06 21:25:38
  • Multiple Updates
2017-01-06 05:25:38
  • Multiple Updates
2016-10-14 17:23:17
  • Multiple Updates
2016-10-13 17:22:56
  • Multiple Updates
2016-10-12 21:23:47
  • Multiple Updates
2016-10-11 21:22:10
  • First insertion