Bug 1367340 (CVE-2016-2182) - CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()
Summary: CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_b...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-2182
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1367343 1367344 1367345 1377623 1377624 1377625 1377626 1381805 1381806
Blocks: 1367347
Reported: 2016-08-16 08:54 UTC by Adam Mariš
Modified: 2021-02-17 03:26 UTC (History)

Fixed In Version: openssl 1.0.1u, openssl 1.0.2i
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds write flaw was discovered in the OpenSSL BN_bn2dec() function. An attacker able to make an application that uses OpenSSL process a large BIGNUM could cause the application to crash or, possibly, execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:57:28 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2662211 0 None None None 2016-09-28 00:45:21 UTC
Red Hat Product Errata RHSA-2016:1940 0 normal SHIPPED_LIVE Important: openssl security update 2016-09-27 17:46:00 UTC
Red Hat Product Errata RHSA-2018:2185 0 None None None 2018-07-12 16:16:26 UTC
Red Hat Product Errata RHSA-2018:2186 0 None None None 2018-07-12 16:14:26 UTC
Red Hat Product Errata RHSA-2018:2187 0 None None None 2018-07-12 16:05:07 UTC

Description Adam Mariš 2016-08-16 08:54:55 UTC
An out-of-bounds write vulnerability was found to be caused by not checking errors in BN_bn2dec(). If an oversize BIGNUM is presented to BN_bn2dec() it can cause BN_div_word() to fail and not reduce the value of 't' resulting in OOB writes to the bn_data buffer and eventually crashing.

Upstream patch:

https://git.openssl.org/?p=openssl.git;a=commit;h=07bed46f332fce8c1d157689a2cdf915a982ae34

Comment 1 Adam Mariš 2016-08-16 08:55:41 UTC
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1367345]

Comment 2 Adam Mariš 2016-08-16 08:55:53 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1367343]

Comment 3 Adam Mariš 2016-08-16 08:56:04 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1367344]

Comment 5 Tomas Hoger 2016-09-22 12:03:09 UTC
Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.


OOB write in BN_bn2dec() (CVE-2016-2182)
========================================

Severity: Low

The function BN_bn2dec() does not check the return value of BN_div_word().
This can cause an OOB write if an application uses this function with an
overly large BIGNUM. This could be a problem if an overly large certificate
or CRL is printed out from an untrusted source. TLS is not affected because
record limits will reject an oversized certificate before it is parsed.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 2nd August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.


External References:

https://www.openssl.org/news/secadv/20160922.txt
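
The advisory quoted in the comment above comes down to one missing return-value check. The following is an added example, not OpenSSL's code or the upstream patch: a toy bignum (assumed names `bn_t`, `div_word`, `bn2dec_checked`, `MAX_LIMBS`, `DIV_ERR`) whose decimal conversion bounds its chunk buffer and aborts when the word division reports failure, so a value that cannot be reduced is rejected instead of being written past the end of the buffer.

```c
/* Added example, not OpenSSL source: a toy bignum whose decimal conversion carries the checks the CVE-2016-2182 fix is about; all names are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIMBS     16              /* storage per number (assumed) */
#define MAX_LIMBS 8               /* assumed size cap, standing in for OpenSSL's BIGNUM limit */
#define DIV_ERR   ((uint32_t)-1)  /* error sentinel: BN_div_word() likewise returns (BN_ULONG)-1 */
#define DEC_CONV  1000000000u     /* 10^9, one 9-digit chunk per division, like BN_DEC_CONV */

typedef struct { uint32_t d[LIMBS]; int top; } bn_t;  /* little-endian limbs; top = limbs in use */
/* Divide a by w in place and return the remainder. An oversize number fails WITHOUT reducing
 * a, mirroring BN_div_word() failing when it cannot grow the BIGNUM for normalisation. */
static uint32_t div_word(bn_t *a, uint32_t w) {
    if (w == 0 || a->top > MAX_LIMBS) return DIV_ERR;
    uint64_t rem = 0;
    for (int i = a->top - 1; i >= 0; i--) {
        uint64_t cur = (rem << 32) | a->d[i];
        a->d[i] = (uint32_t)(cur / w);
        rem = cur % w;
    }
    while (a->top > 0 && a->d[a->top - 1] == 0) a->top--;
    return (uint32_t)rem;  /* always < w < DIV_ERR, so the sentinel cannot collide with data */
}

/* Returns a malloc'd decimal string, or NULL on error. Without the DIV_ERR check a failed
 * division leaves t unchanged, so the loop never ends and writes past the end of chunks[]. */
char *bn2dec_checked(const bn_t *a) {
    bn_t t = *a;
    size_t cap = (size_t)a->top * 10 / 9 + 2;   /* upper bound on 9-digit chunks for top limbs */
    uint32_t *chunks = calloc(cap, sizeof *chunks);
    char *out = malloc(cap * 9 + 2), *p;
    size_t n = 0;
    if (!chunks || !out) goto err;
    while (t.top > 0) {
        if (n >= cap) goto err;                 /* never write beyond the chunk buffer */
        chunks[n] = div_word(&t, DEC_CONV);
        if (chunks[n] == DIV_ERR) goto err;     /* the return-value check the original lacked */
        n++;
    }
    p = out + sprintf(out, "%u", n ? chunks[n - 1] : 0u);   /* most significant chunk, unpadded */
    for (size_t i = n ? n - 1 : 0; i-- > 0;) p += sprintf(p, "%09u", chunks[i]);
    free(chunks);
    return out;
err:
    free(chunks); free(out);
    return NULL;
}
```

With the two checks removed, a number above `MAX_LIMBS` would make `div_word` return `DIV_ERR` on every iteration while `t` never shrinks, which is the loop the advisory describes.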

Comment 6 Michael Englehorn 2016-09-23 14:25:32 UTC
Why is this Severity: Low? The NIST NVD has it listed as High severity.

https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-2182&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P)

Comment 7 Tomas Hoger 2016-09-23 20:35:40 UTC
(In reply to Adam Mariš from comment #0)
> Upstream patch:
> 
> https://git.openssl.org/?p=openssl.git;a=commit;h=07bed46f332fce8c1d157689a2cdf915a982ae34

This additional commit is also needed to correctly fix this issue:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=3612ff6fcec0e3d1f2a598135fe12177c0419582

Comment 9 errata-xmlrpc 2016-09-27 13:53:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html

Comment 11 errata-xmlrpc 2018-07-12 16:04:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187

Comment 12 errata-xmlrpc 2018-07-12 16:14:14 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186

Comment 13 errata-xmlrpc 2018-07-12 16:16:12 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185

