Detections
Analytics
SuSE 11.3 Security Update : OpenSSL (SAT Patch Number 10481)
high Nessus Plugin ID 81996
Language:
Synopsis
The remote SuSE 11 host is missing one or more security updates.Description
OpenSSL has been updated to fix various security issues :- A Use After Free following d2i_ECPrivatekey error was fixed which could lead to crashes for attacker supplied Elliptic Curve keys. This could be exploited over SSL connections with client supplied keys. (CVE-2015-0209)
- A segmentation fault in ASN1_TYPE_cmp was fixed that could be exploited by attackers when e.g. client authentication is used. This could be exploited over SSL connections. (CVE-2015-0286)
- A ASN.1 structure reuse memory corruption was fixed.
This problem can not be exploited over regular SSL connections, only if specific client programs use specific ASN.1 routines. (CVE-2015-0287)
- A X509_to_X509_REQ NULL pointer dereference was fixed, which could lead to crashes. This function is not commonly used, and not reachable over SSL methods.
(CVE-2015-0288)
- Several PKCS7 NULL pointer dereferences were fixed, which could lead to crashes of programs using the PKCS7 APIs. The SSL apis do not use those by default.
(CVE-2015-0289)
- Various issues in base64 decoding were fixed, which could lead to crashes with memory corruption, for instance by using attacker supplied PEM data.
(CVE-2015-0292)
- Denial of service via reachable assert in SSLv2 servers, could be used by remote attackers to terminate the server process. Note that this requires SSLv2 being allowed, which is not the default. (CVE-2015-0293)
- A memory leak in the TLS hostname extension was fixed, which could be used by remote attackers to run SSL services out of memory. (CVE-2009-5146)
Solution
Apply SAT patch number 10481.See Also
https://bugzilla.novell.com/show_bug.cgi?id=915976
https://bugzilla.novell.com/show_bug.cgi?id=919648
https://bugzilla.novell.com/show_bug.cgi?id=920236
https://bugzilla.novell.com/show_bug.cgi?id=922488
https://bugzilla.novell.com/show_bug.cgi?id=922496
https://bugzilla.novell.com/show_bug.cgi?id=922499
https://bugzilla.novell.com/show_bug.cgi?id=922500
https://bugzilla.novell.com/show_bug.cgi?id=922501
http://support.novell.com/security/cve/CVE-2009-5146.html
http://support.novell.com/security/cve/CVE-2015-0209.html
http://support.novell.com/security/cve/CVE-2015-0286.html
http://support.novell.com/security/cve/CVE-2015-0287.html
http://support.novell.com/security/cve/CVE-2015-0288.html
http://support.novell.com/security/cve/CVE-2015-0289.html
Plugin Details
Severity: High
ID: 81996
File Name: suse_11_libopenssl-devel-150317.nasl
Version: 1.7
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 3/23/2015
Updated: 1/6/2021
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8-hmac, p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8-hmac-32bit, p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8-32bit, p-cpe:/a:novell:suse_linux:11:libopenssl0_9_8, p-cpe:/a:novell:suse_linux:11:openssl, p-cpe:/a:novell:suse_linux:11:openssl-doc, cpe:/o:novell:suse_linux:11
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Patch Publication Date: 3/17/2015
Reference Information
CVE: CVE-2009-5146, CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293