|
Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200612-11] AMD64 x86 emulation base libraries: OpenSSL multiple vulnerabilities Vulnerability Scan
Vulnerability Scan Summary AMD64 x86 emulation base libraries: OpenSSL multiple vulnerabilities
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200612-11
(AMD64 x86 emulation base libraries: OpenSSL multiple vulnerabilities)
Tavis Ormandy and Will Drewry, both of the Google Security Team,
discovered that the SSL_get_shared_ciphers() function contains a buffer
overflow vulnerability, and that the SSLv2 client code contains a flaw
leading to a crash. Additionally, Dr. Stephen N. Henson found that the
ASN.1 handler contains two Denial of Service vulnerabilities: while
parsing an invalid ASN.1 structure and while handling certain types of
public key.
Impact
A possible hacker could trigger the buffer overflow by sending a malicious
suite of ciphers to an application using the vulnerable function, and
thus execute arbitrary code with the rights of the user running the
application. A possible hacker could also consume CPU and/or memory by
exploiting the Denial of Service vulnerabilities. Finally, a malicious
server could crash a SSLv2 client through the SSLv2 vulnerability.
Workaround
There is no known workaround at this time.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
Solution:
All AMD64 x86 emulation base libraries users should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-baselibs-2.5.5"
Threat Level: High
Click HERE for more information and discussions on this network vulnerability scan.
|