CVSS v2 Base Score
The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.
Find more about CVE-2015-1792 in the MITRE CVE directory and the NIST NVD.
When verifying a signedData message, the CMS code can enter an infinite loop if presented with an unknown hash function OID.
This can be used to perform a denial of service against any system that verifies signedData messages using the CMS code.
No FoxT product is affected by this vulnerability.
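The loop condition behind the description above, as an added example that is not OpenSSL's code or part of the original advisory: a simplified model in which a chain is freed element by element until a stop pointer is reached. The `node` type, the helper names and the iteration budget are assumptions made for illustration; the budget only exists so the non-terminating case can be observed safely.

```c
#include <stdio.h>
#include <stdlib.h>
struct node { struct node *next; };  /* toy stand-in for one chain element (hypothetical) */

/* Build a chain of len heap nodes and return its head. */
static struct node *make_chain(int len)
{
    struct node *head = NULL;
    while (len-- > 0) {
        struct node *n = malloc(sizeof *n);
        if (n == NULL) abort();
        n->next = head; head = n;
    }
    return head;
}

/* Detach and free the head; on NULL it does nothing and returns NULL. */
static struct node *pop_and_free(struct node *n)
{
    struct node *next = n ? n->next : NULL;
    free(n);
    return next;
}

/* Unguarded: stops only at upto. Returns iterations, or -1 once budget is spent. */
int free_upto_unguarded(struct node *f, const struct node *upto, int budget)
{
    int i = 0;
    do {
        if (i++ >= budget) return -1;   /* without this the loop never returns */
        f = pop_and_free(f);
    } while (f != upto);
    return i;
}

/* Guarded form: also stops when the chain runs out before reaching upto. */
int free_upto_guarded(struct node *f, const struct node *upto)
{
    int i = 0;
    do { f = pop_and_free(f); i++; } while (f != NULL && f != upto);
    return i;
}

int main(void)
{
    struct node absent = { NULL };  /* constructed: a stop marker that is not in the chain */
    printf("unguarded=%d guarded=%d\n", free_upto_unguarded(make_chain(3), &absent, 1000),
           free_upto_guarded(make_chain(3), &absent));
    return 0;
}
```

In the model, once the chain is exhausted the current pointer stays NULL and never equals the stop pointer, so only the added NULL check ends the loop.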