Security Advisories

December 4, 2012 – OpenSSL ASN.1 BIO buffer overflow (CVE-2012-2110 and CVE-2012-2131)

Security Advisories ID:    SA70
Version:    4.0
Status:    Published
Published date:    12/04/2012
Updated:    01/08/2013
 

Advisory Status

Interim

Advisory Severity

High, CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE Number

CVE-2012-2110 – CVSS base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2012-2131 – CVSS base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Summary

OpenSSL versions prior to 0.9.8v are vulnerable to buffer overflow attacks when presented with specially crafted DER data. The buffer overflow could result in remote code execution or a denial of service. Blue Coat products that make use of the vulnerable functions for processing untrusted DER data are vulnerable.

Affected Products

The following products are vulnerable:

IntelligenceCenter

All versions of IntelligenceCenter are believed to be vulnerable.  Further investigation is still underway.

ProxySG

All versions of ProxySG prior to 6.4 are vulnerable.                           

The following products are not vulnerable:

Director

Director does not use the OpenSSL functions that are vulnerable.

K9

K9 uses the on-platform TLS/SSL libraries.

PacketShaper/PacketWise/PolicyCenter

PacketShaper, PacketWise, and PolicyCenter do not use the OpenSSL functions that are vulnerable.

ProxyAV

ProxyAV does not use the OpenSSL functions that are vulnerable.

ProxyClient

ProxyClient uses the on-platform TLS/SSL libraries.

Reporter

Reporter does not use the OpenSSL functions that are vulnerable.  The command-line utility is used by the Administrator to import keypairs and certificates, but in this case the data is trusted.

Details

CVE-2012-2110 is a buffer overflow flaw in OpenSSL’s BIO- and FILE-based functions.  Using this vulnerability, a remote attacker can send specially crafted DER or MIME formatted data to an application to cause memory corruption or even to remotely execute code on the system.

CVE-2012-2131 is an integer signedness flaw in the fix issued for CVE-2012-2110.  Using this vulnerability, a remote attacker can send specially crafted DER formatted data to an application to conduct buffer overflow attacks and to cause a denial of service.

DER and MIME data formats are typically used to encode X.509 certificates and RSA public keys.  The initial vulnerability was demonstrated using these two mechanisms.

Workarounds

There are no workarounds.

Patches

IntelligenceCenter

IntelligenceCenter 3.2 – a fix is not yet available.

IntelligenceCenter 3.1 – a fix is not yet available.

ProxySG

ProxySG 6.3 – a fix is available in 6.3.5.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/9063.

ProxySG 6.2 – a fix is available in 6.2.10.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/7375.

ProxySG 6.1 – a fix is not yet available.

ProxySG 5.5 – a fix is not yet available.

ProxySG 5.4 – a fix is not yet available.

ProxySG 4.3 – please upgrade to a later version.

Advisory History

2013-01-08 Updated status of ProxySG 6.3 release

2012-12-12 Updated status of ProxySG 5.5 release

2012-12-10 Initial public release

