CVE-2016-6309:
CVE-2016-6309: A use-after-free vulnerability in OpenSSL 1.1.0a’s statem/statem.c after a realloc can allow remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted TLS session.
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8Critical- Published Date:Sep 26, 2016
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:45.1
- EPSS Percentile:98%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
CVE-2016-6309: A use-after-free vulnerability in OpenSSL 1.1.0a’s statem/statem.c after a realloc can allow remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted TLS session.
Overview
This vulnerability concerns a memory-management flaw in OpenSSL 1.1.0a where memory blocks moved by realloc are not accounted for, resulting in a use-after-free condition. An attacker capable of initiating or manipulating TLS sessions could cause a denial of service or, potentially, run arbitrary code on the affected system. The flaw was publicly disclosed in 2016 and has since been mitigated by updates from OpenSSL and various vendors.
Remediation
- Upgrade OpenSSL to a fixed version released after the vulnerability was disclosed (apply the appropriate vendor advisories and OpenSSL patches).
- Deploy the updated OpenSSL library across all affected systems and restart services that rely on OpenSSL (web servers, application servers, load balancers, etc.).
- Rebuild applications linked against OpenSSL and verify that all components are using the patched library.
- Test TLS connections and related functionality in a staging environment before rolling to production.
- Review vendor advisories for any additional mitigations or configuration recommendations and apply them as guidance dictates.
References
- - Tenable Security Advisory TNS-2016-20. https://www.tenable.com/security/tns-2016-20
- - Oracle CPU January 2018 advisory. http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- - OpenSSL Security Advisory (2016-09-26). https://www.openssl.org/news/secadv/20160926.txt
- - HPE Security Bulletin. https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03856en_us
- - IBM Security Notice. http://www-01.ibm.com/support/docview.wss?uid=swg21995039
- - SecurityTracker entry. http://www.securitytracker.com/id/1036885
- - Oracle CPU October 2016 advisory. http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- - Tenable Security Advisory TNS-2016-16. https://www.tenable.com/security/tns-2016-16
- - OpenSSL git commit (fix reference). https://git.openssl.org/?p=openssl.git;a=commit;h=acacbfa7565c78d2273c0b2a2e5e803f44afefeb
- - SecurityFocus BID 93177. http://www.securityfocus.com/bid/93177
- - Oracle CPU April 2018 advisory. http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- - Blue Coat Security Advisory SA132. https://bto.bluecoat.com/security-advisory/sa132
- - Oracle CPU July 2017 advisory. http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- - Juniper JSA10759 advisory. http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
