OpenSSL ASN.1 BIO buffer overflow (CVE-2012-2110 and CVE-2012-2131)

Security Advisories ID: 
SA70
Published Date: 
December 4, 2012
Advisory Status: 
Final
Advisory Severity: 
High
CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE Number: 
CVE-2012-2110 – CVSS base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2012-2131 – CVSS base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

OpenSSL 0.9.8 prior to 0.9.8v, 1.0.0 prior to 1.0.0i and 1.0.1 prior to 1.0.1a are vulnerable to a buffer overflow (CVE-2012-2110) when presented with specially crafted DER data; the 0.9.8v fix was itself incomplete (CVE-2012-2131) and was corrected in 0.9.8w. The buffer overflow could result in remote code execution or a denial of service. Blue Coat products that use the vulnerable OpenSSL functions to process untrusted DER data are vulnerable.

Affected Products: 

The following products are vulnerable:

BCAAA
BCAAA 5.5 and 6.1 may be vulnerable to both CVEs when configured for CoreID or Novell SSO authentication.

CacheFlow
CacheFlow 2.x and 3.x prior to 3.4.2.1 are vulnerable.

IntelligenceCenter
All versions of IntelligenceCenter are vulnerable.

ProxySG
All versions of ProxySG prior to 6.4 are vulnerable.

The following products are not vulnerable:

Director
Director does not use the OpenSSL functions that are vulnerable.

K9
K9 uses the on-platform TLS/SSL libraries.

PacketShaper/PacketWise/PolicyCenter
PacketShaper, PacketWise, and PolicyCenter do not use the OpenSSL functions that are vulnerable.

ProxyAV
ProxyAV does not use the OpenSSL functions that are vulnerable.

ProxyClient
ProxyClient uses the on-platform TLS/SSL libraries.

Reporter
Reporter does not use the OpenSSL functions that are vulnerable.  The command-line utility is used by the Administrator to import keypairs and certificates, but in that case the data is trusted.

Advisory Details: 

CVE-2012-2110 is a buffer overflow flaw in OpenSSL's asn1_d2i_read_bio routine, which is reached through the BIO- and FILE-based d2i_*_bio and d2i_*_fp functions and through the PEM and S/MIME readers built on them.  A crafted length field causes the routine to allocate too small a buffer and copy past its end.  Using this vulnerability, a remote attacker can send specially crafted DER or MIME formatted data to an application to cause memory corruption or even to remotely execute code on the system.

CVE-2012-2131 is an integer signedness flaw in the buffer-growth code of the fix issued for CVE-2012-2110; it affects only OpenSSL 0.9.8v and was corrected in 0.9.8w.  Using this vulnerability, a remote attacker can send specially crafted DER formatted data to an application to conduct buffer overflow attacks and to cause a denial of service.

DER is the encoding used for X.509 certificates and RSA public keys, and MIME-wrapped S/MIME data is parsed through the same routine.  The initial vulnerability was demonstrated using these two mechanisms.
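The following C is an added illustration and is not OpenSSL's code or Blue Coat's: it shows the integer-signedness pattern that underlies this class of length-handling bug beside a bounds-checked DER tag/length reader. All function names and the sample DER byte strings are constructed for the example.

```c
/* Added example, not OpenSSL's code: signed-length pitfall vs. a checked DER reader. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: a length parsed into a signed int and compared signed.
 * A length field of 0xFFFFFFF0 becomes -16, passes "len <= avail", and a
 * later memcpy would receive (size_t)-16. Returns 1 if the copy is allowed. */
int length_check_signed(int32_t len, int32_t avail)
{
    return len <= avail;
}

/* Hardened pattern: unsigned arithmetic, explicit bound against what remains. */
int length_check_unsigned(uint32_t len, size_t avail)
{
    return (size_t)len <= avail;
}

/* Parse one DER tag + length header (single-byte tags only). Returns the
 * content length, or -1 for indefinite (0x80), oversized, non-minimal or
 * truncated lengths and for lengths that overrun the input. *hdr (if not
 * NULL) receives the header size, i.e. where the content starts. */
long der_read_header(const uint8_t *buf, size_t buflen, size_t *hdr)
{
    if (buflen < 2) return -1;
    size_t pos = 1;                         /* tag at buf[0] */
    uint8_t b = buf[pos++];
    size_t len;

    if (b < 0x80) {                         /* short form: length in low 7 bits */
        len = b;
    } else {                                /* long form: (b & 0x7f) length bytes follow */
        size_t n = b & 0x7f;
        if (n == 0 || n > 4) return -1;     /* 0x80 is indefinite (not DER); >4 bytes is absurd */
        if (buflen - pos < n) return -1;    /* the length bytes themselves must be present */
        len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
        /* DER requires minimal encoding: no leading zero byte, and the long
         * form only when the value does not fit in the short form. */
        if (buf[pos - n] == 0 || len < 0x80) return -1;
    }
    if (len > buflen - pos) return -1;      /* content must lie within the input */
    if (len > (size_t)LONG_MAX) return -1;  /* explicit bound before narrowing */
    if (hdr) *hdr = pos;
    return (long)len;
}

/* Copy the content octets into out only after both the DER header and the
 * destination capacity have been checked. Returns bytes copied or -1. */
long der_copy_content(const uint8_t *buf, size_t buflen, uint8_t *out, size_t outcap)
{
    size_t hdr;
    long len = der_read_header(buf, buflen, &hdr);
    if (len < 0 || (size_t)len > outcap) return -1;
    memcpy(out, buf + hdr, (size_t)len);
    return len;
}

/* Constructed sample inputs (not real certificates). */
static const uint8_t sample_short[]  = {0x30, 0x03, 0x02, 0x01, 0x05};        /* SEQUENCE { INTEGER 5 } */
static const uint8_t sample_long[260] = {0x04, 0x82, 0x01, 0x00};             /* OCTET STRING, 256 zero bytes */
static const uint8_t sample_crafted[] = {0x04, 0x84, 0xFF, 0xFF, 0xFF, 0xF0, 0x00, 0x00}; /* claims 4294967280 bytes */
static const uint8_t sample_indef[]   = {0x30, 0x80, 0x00, 0x00};             /* indefinite length, BER only */
static const uint8_t sample_nonmin[]  = {0x04, 0x81, 0x05, 1, 2, 3, 4, 5};    /* long form for a value < 0x80 */
static uint8_t scratch[256];

int main(void)
{
    printf("signed check lets 0xFFFFFFF0 through: %d\n",
           length_check_signed((int32_t)0xFFFFFFF0u, 1024));
    printf("unsigned check lets 0xFFFFFFF0 through: %d\n",
           length_check_unsigned(0xFFFFFFF0u, 1024));
    printf("short=%ld long=%ld crafted=%ld indef=%ld nonmin=%ld\n",
           der_read_header(sample_short, sizeof sample_short, NULL),
           der_read_header(sample_long, sizeof sample_long, NULL),
           der_read_header(sample_crafted, sizeof sample_crafted, NULL),
           der_read_header(sample_indef, sizeof sample_indef, NULL),
           der_read_header(sample_nonmin, sizeof sample_nonmin, NULL));
    printf("copied=%ld\n", der_copy_content(sample_short, sizeof sample_short, scratch, sizeof scratch));
    return 0;
}
```

The crafted input is rejected by the checked reader because its declared length exceeds the bytes actually present, which is the check a parser must make before sizing or growing any buffer; the signed comparison alone does not provide it.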

Workarounds: 

There are no workarounds.

Patches: 

BCAAA
BCAAA 6.1 - a fix will not be provided. CoreID is no longer supported and an updated Novell SDK is not available.
BCAAA 5.5 - a fix will not be provided. CoreID is no longer supported and an updated Novell SDK is not available.

CacheFlow
CacheFlow 3.x - a fix is available in 3.4.2.1.
CacheFlow 2.x - a fix will not be provided.  Please upgrade to a later version with the vulnerability fix.

IntelligenceCenter
IntelligenceCenter 3.3 – a fix is available in 3.3.1.1.
IntelligenceCenter 3.2 – a fix will not be provided.  Please upgrade to a later version with the vulnerability fix.
IntelligenceCenter 3.1 – a fix will not be provided.  Please upgrade to a later version with the vulnerability fix.

ProxySG
ProxySG 6.3 – a fix is available in 6.3.5.1. 
ProxySG 6.2 – a fix is available in 6.2.10.1. 
ProxySG 6.1 – a fix will not be provided.  Please upgrade to a later version with the vulnerability fix.
ProxySG 5.5 – a fix is available in 5.5.11.1.
ProxySG 5.4 – a fix is available in 5.4.12.5.
ProxySG 4.3 – a fix will not be provided.  Please upgrade to a later version with the vulnerability fix.

Advisory History: 

2015-07-26 CacheFlow is vulnerable and fixes are available
2015-02-20 BCAAA may be vulnerable but no fixes will be provided
2015-01-27 Fixed in SGOS 5.5.11.1 and 5.4.12.5; fixes will not be provided for SGOS 4.3.x or 6.1.x.  Marked as Final.
2014-07-22 Updated status of fixes for IntelligenceCenter
2013-01-08 Updated status of ProxySG 6.3 release
2012-12-12 Updated status of ProxySG 5.5 release
2012-12-10 Initial public release
