Bug 1367340 (CVE-2016-2182) - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()
Summary: CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_b...
Status: CLOSED ERRATA
Alias: CVE-2016-2182
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160816,repor...
Keywords: Security
Depends On: 1381805 1381806 1367343 1367344 1367345 1377623 1377624 1377625 1377626
Blocks: 1367347
TreeView+ depends on / blocked
 
Reported: 2016-08-16 08:54 UTC by Adam Mariš
Modified: 2019-06-11 11:13 UTC (History)
35 users (show)

(edit)
An out of bounds write flaw was discovered in the OpenSSL BN_bn2dec() function. An attacker able to make an application using OpenSSL to process a large BIGNUM could cause the application to crash or, possibly, execute arbitrary code.
Clone Of:
(edit)
Last Closed: 2019-06-08 02:57:28 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1940 normal SHIPPED_LIVE Important: openssl security update 2016-09-27 17:46:00 UTC
Red Hat Knowledge Base (Solution) 2662211 None None None 2016-09-28 00:45 UTC
Red Hat Product Errata RHSA-2018:2185 None None None 2018-07-12 16:16 UTC
Red Hat Product Errata RHSA-2018:2186 None None None 2018-07-12 16:14 UTC
Red Hat Product Errata RHSA-2018:2187 None None None 2018-07-12 16:05 UTC

Description Adam Mariš 2016-08-16 08:54:55 UTC
An out-of-bounds write vulnerability was found to be caused by not checking errors in BN_bn2dec(). If an oversize BIGNUM is presented to BN_bn2dec() it can cause BN_div_word() to fail and not reduce the value of 't' resulting in OOB writes to the bn_data buffer and eventually crashing.

Upstream patch:

https://git.openssl.org/?p=openssl.git;a=commit;h=07bed46f332fce8c1d157689a2cdf915a982ae34

Comment 1 Adam Mariš 2016-08-16 08:55:41 UTC
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1367345]

Comment 2 Adam Mariš 2016-08-16 08:55:53 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1367343]

Comment 3 Adam Mariš 2016-08-16 08:56:04 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1367344]

Comment 5 Tomas Hoger 2016-09-22 12:03:09 UTC
Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.


OOB write in BN_bn2dec() (CVE-2016-2182)
========================================

Severity: Low

The function BN_bn2dec() does not check the return value of BN_div_word().
This can cause an OOB write if an application uses this function with an
overly large BIGNUM. This could be a problem if an overly large certificate
or CRL is printed out from an untrusted source. TLS is not affected because
record limits will reject an oversized certificate before it is parsed.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 2nd August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.


External References:

https://www.openssl.org/news/secadv/20160922.txt

Comment 6 Michael Englehorn 2016-09-23 14:25:32 UTC
Why is this Severity: Low? The NIST NVD has it listed as High severity.

https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-2182&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P)

Comment 7 Tomas Hoger 2016-09-23 20:35:40 UTC
(In reply to Adam Mariš from comment #0)
> Upstream patch:
> 
> https://git.openssl.org/?p=openssl.git;a=commit;
> h=07bed46f332fce8c1d157689a2cdf915a982ae34

This additional commit is also needed to correctly fix this issue:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=3612ff6fcec0e3d1f2a598135fe12177c0419582

Comment 9 errata-xmlrpc 2016-09-27 13:53:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html

Comment 11 errata-xmlrpc 2018-07-12 16:04:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187

Comment 12 errata-xmlrpc 2018-07-12 16:14:14 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186

Comment 13 errata-xmlrpc 2018-07-12 16:16:12 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185


Note You need to log in before you can comment on or make changes to this bug.