OpenSSL susceptible to DoS attacks

By N-Stalker Team on November 5, 2003

A security flaw was found in the OpenSSL library version 0.9.6k during a routine stress test. According to the advisory published by Novell Inc, applications running on the MS Windows(r) platform that are dynamically or statically linked to that particular version are considered vulnerable to a Denial of Service attack.

A bug in OpenSSL 0.9.6 would cause certain ASN.1 sequences to trigger a large recursion. On platforms such as Windows this large recursion cannot be handled correctly, and so the bug causes OpenSSL to crash. A remote attacker could exploit this flaw if they can send arbitrary ASN.1 sequences that cause OpenSSL to crash. This could be performed, for example, by sending a client certificate to an SSL/TLS enabled server which is configured to accept them.
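The defensive pattern behind this class of bug is a parser that bounds its own nesting depth instead of recursing as deep as the input demands. The following is an added example written for this post, not OpenSSL's code: a minimal DER parser that decodes tag/length/value triples, recurses into constructed types (SEQUENCE and friends), and rejects input nested deeper than an assumed limit (`MAX_DEPTH`, chosen here for illustration) with a clean error. The `nested_sequence` helper builds constructed test input and the `check` helper maps the outcome to a label; both are names invented for this example. Run without the limit, the same input exhausts the interpreter's stack, which is the failure mode the advisory describes, except that native code has no recursion guard and simply crashes.

```python
"""Minimal DER parser with a nesting-depth limit (added example, not OpenSSL code)."""
from __future__ import annotations

MAX_DEPTH = 32  # assumed limit for this example; real parsers size it to cover legitimate certificates


class Asn1Error(ValueError):
    """Raised for malformed or over-nested DER input."""


def _read_length(data: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length at data[pos]; return (length, position after it)."""
    if pos >= len(data):
        raise Asn1Error("truncated length")
    first = data[pos]
    pos += 1
    if first < 0x80:  # short form: the byte is the length
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:  # 0x80 is indefinite length, not allowed in DER
        raise Asn1Error("indefinite or oversized length")
    if pos + n > len(data):
        raise Asn1Error("truncated long-form length")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def parse_der(data: bytes, depth: int = 0, max_depth: int = MAX_DEPTH) -> list:
    """Parse a DER blob into a list of (tag, value) items.

    Primitive values are returned as (tag, bytes); constructed values (bit 6 of
    the tag set) as (tag, [children]). The depth check runs before any work on
    a level, so hostile input cannot drive the recursion past max_depth.
    """
    if depth > max_depth:
        raise Asn1Error(f"nesting depth exceeds {max_depth}")
    items = []
    pos = 0
    while pos < len(data):
        tag = data[pos]
        if tag & 0x1F == 0x1F:
            raise Asn1Error("multi-byte tags not supported in this example")
        length, pos = _read_length(data, pos + 1)
        if pos + length > len(data):
            raise Asn1Error("value runs past end of input")
        value = data[pos:pos + length]
        pos += length
        if tag & 0x20:  # constructed type: one recursion level per nesting level
            items.append((tag, parse_der(value, depth + 1, max_depth)))
        else:
            items.append((tag, value))
    return items


def _der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def nested_sequence(depth: int, payload: bytes = b"\x02\x01\x05") -> bytes:
    """Constructed test input: `depth` SEQUENCE wrappers around INTEGER 5."""
    out = payload
    for _ in range(depth):
        out = b"\x30" + _der_length(len(out)) + out
    return out


def check(data: bytes, max_depth: int = MAX_DEPTH) -> str:
    """Label the outcome: 'ok', 'rejected' (limit hit), or 'crashed' (stack exhausted)."""
    try:
        parse_der(data, max_depth=max_depth)
        return "ok"
    except Asn1Error:
        return "rejected"
    except RecursionError:
        # Python's own recursion guard fired. A C parser with no depth limit
        # has no such guard and overruns the thread stack instead.
        return "crashed"


if __name__ == "__main__":
    print("shallow, limited:   ", check(nested_sequence(5)))
    print("deep, limited:      ", check(nested_sequence(5000)))
    print("deep, no real limit:", check(nested_sequence(5000), max_depth=10**9))
```

Note that the check sits at the top of `parse_der` rather than after the loop: rejecting a level before decoding it means the cost of a hostile blob is bounded by `max_depth`, not by the size of the input.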

Customers must upgrade their installation to either version 0.9.6l or 0.9.7c. For more information regarding this subject, please access the official OpenSSL project page at www.openssl.org.
