Advisory ID

11575

Release date

2015-07-06

Last Updated

2015-07-06

Issue Severity

N/A

Source

US-CERT/NIST

Release date

2015-06-12

CVSS v2 Base Score

5.0 (MEDIUM)

Problem Description

The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.
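To triage hosts against the version ranges listed above, the following Python check (an added example, not part of the original advisory or of OpenSSL) compares a legacy OpenSSL version string or banner with the first fixed release of each branch. The names `FIXED`, `letter_rank`, `parse` and `is_affected` are hypothetical; it assumes upstream version strings, so a distribution package with backported fixes can report an older version and still be patched.

```python
import re

# First fixed release per branch, taken from the advisory text above.
FIXED = {(0, 9, 8): "zg", (1, 0, 0): "s", (1, 0, 1): "n", (1, 0, 2): "b"}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\w+))?")


def letter_rank(letters):
    """Order legacy patch letters: '' < a < ... < z < za < zb < ..."""
    if not letters:
        return 0
    if set(letters[:-1]) - {"z"}:
        raise ValueError(f"unexpected patch letters: {letters!r}")
    return 26 * (len(letters) - 1) + ord(letters[-1]) - ord("a") + 1


def parse(version):
    """Accept '1.0.1m' or a banner such as 'OpenSSL 1.0.1e-fips 11 Feb 2013'."""
    m = _VERSION.search(version)
    if not m:
        raise ValueError(f"not a legacy OpenSSL version: {version!r}")
    major, minor, fix, letters, suffix = m.groups()
    rank = letter_rank(letters)
    # Pre-releases (beta/pre/dev) sort before the plain release of the branch.
    if suffix and re.match(r"(beta|pre|dev)", suffix):
        rank = -1
    return (int(major), int(minor), int(fix)), rank


def is_affected(version):
    """True if the upstream version falls in a range the advisory lists."""
    branch, rank = parse(version)
    if branch in FIXED:
        return rank < letter_rank(FIXED[branch])
    # "before 0.9.8zg" read literally also covers older branches.
    return branch < (0, 9, 8)
```

A `True` result on a packaged build is a prompt to check the vendor changelog for CVE-2015-1792 rather than proof of exposure.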

Find out more about CVE-2015-1792 in the MITRE CVE directory and NIST NVD.

Impact

When verifying a signedData message, the CMS code can enter an infinite loop if presented with an unknown hash function OID.

This can be used to perform a denial of service against any system that verifies signedData messages using the CMS code.

Affected Products

No FoxT product is affected by this vulnerability.



Workaround

N/A

Obtaining Fixed Software

N/A

External References

OpenSSL Security advisory









Last Modified On: May 25, 2018