Vulnerabilities > CVE-2012-2131 - Numeric Errors vulnerability in Openssl 0.9.8V

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, openssl, CWE-189, nessus, exploit available

Summary

Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110.

Vulnerable Configurations

Part         Description   Count
Application  Openssl       1

Common Weakness Enumeration (CWE)

Exploit-Db

description: OpenSSL ASN1 BIO Memory Corruption Vulnerability. CVE-2012-2110,CVE-2012-2131. Dos exploits for multiple platform
file: exploits/multiple/dos/18756.txt
id: EDB-ID:18756
last seen: 2016-02-02
modified: 2012-04-19
platform: multiple
port:
published: 2012-04-19
reporter: Tavis Ormandy
source: https://www.exploit-db.com/download/18756/
title: OpenSSL ASN1 BIO Memory Corruption Vulnerability
type: dos

Nessus

  • NASL family: Misc.
    NASL id: JUNOS_PULSE_JSA10591.NASL
    description: According to its self-reported version, the version of IVE / UAC OS running on the remote host may be affected by multiple vulnerabilities :
      - Remote attackers may be able to trigger buffer overflow vulnerabilities on the OpenSSL libraries by sending specially crafted DER data, resulting in memory corruption. (CVE-2012-2131)
      - A weakness in the OpenSSL library leaves it vulnerable to an attack that could allow a third party to recover (fully or partially) the plaintext from encrypted traffic. (CVE-2013-0169)
      - A flaw in OCSP signature verification in the OpenSSL library allows remote OCSP servers to cause a denial of service condition with an invalid key. (CVE-2013-0166)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 69987
    published: 2013-09-19
    reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/69987
    title: Junos Pulse Secure IVE / UAC OS Multiple SSL Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(69987);
      script_version("2.10");
      script_cvs_date("Date: 2018/07/12 19:01:15");
    
      script_cve_id("CVE-2012-2131", "CVE-2013-0166", "CVE-2013-0169");
      script_bugtraq_id(53212, 57778, 60268);
    
      script_name(english:"Junos Pulse Secure IVE / UAC OS Multiple SSL Vulnerabilities");
      script_summary(english:"Checks IVE/UAC OS version");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote device is missing a vendor-supplied security patch."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "According to its self-reported version, the version of IVE / UAC OS
    running on the remote host may be affected by multiple vulnerabilities :
    
      - Remote attackers may be able to trigger buffer overflow
        vulnerabilities on the OpenSSL libraries by sending
        specially crafted DER data, resulting in memory
        corruption. (CVE-2012-2131)
    
      - A weakness in the OpenSSL library leaves it vulnerable
        to an attack that could allow a third party to recover
        (fully or partially) the plaintext from encrypted
        traffic. (CVE-2013-0169)
    
      - A flaw in OCSP signature verification in the OpenSSL
        library allows remote OCSP servers to cause a denial of
        service condition with an invalid key. (CVE-2013-0166)"
      );
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10591");
      script_set_attribute(
        attribute:"solution",
        value:
    "Upgrade to Juniper IVE/UAC OS version 7.1r15 / 7.2r11 / 7.3r6 / 7.4r3 /
    4.1r8.1 / 4.2r5.1 / 4.3r6 / 4.4r3 or later."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/09/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/19");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:ive_os");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:juniper:junos_pulse_access_control_service");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:juniper:junos_pulse_secure_access_service");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/Juniper/IVE OS/Version", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    version = get_kb_item_or_exit('Host/Juniper/IVE OS/Version');
    match = eregmatch(string:version, pattern:"^([\d.]+)[Rr]([0-9.]+)");
    if (isnull(match)) exit(1, 'Error parsing version: ' + version);
    
    release = match[1];
    build = match[2];
    
    # check report paranoia settings in order to avoid false positives,
    # since a workaround is possible, and only devices with SSL acceleration
    # cards are vulnerable
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    fix = '';
    
    # IVE-SA
    if (release == '7.1' && ver_compare(ver:build, fix:'15', strict:FALSE) == -1)
      fix = '7.1r15';
    if (release == '7.2' && ver_compare(ver:build, fix:'11', strict:FALSE) == -1)
      fix = '7.2r11';
    if (release == '7.3' && ver_compare(ver:build, fix:'6', strict:FALSE) == -1)
      fix = '7.3r6';
    if (release == '7.4' && ver_compare(ver:build, fix:'3', strict:FALSE) == -1)
      fix = '7.4r3';
    
    # IVE-IC (UAC OS)
    if (release == '4.1' && ver_compare(ver:build, fix:'8.1', strict:FALSE) == -1)
      fix = '4.1r8.1';
    if (release == '4.2' && ver_compare(ver:build, fix:'5.1', strict:FALSE) == -1)
      fix = '4.2r5.1';
    if (release == '4.3' && ver_compare(ver:build, fix:'6', strict:FALSE) == -1)
      fix = '4.3r6';
    if (release == '4.4' && ver_compare(ver:build, fix:'3', strict:FALSE) == -1)
      fix = '4.4r3';
    
    if (fix != '')
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix + '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, 'IVE/UAC OS', version);
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_OPENSSL-8112.NASL
    description: This update of openssl fixes an integer conversion issue which could cause a heap-based memory corruption. (CVE-2012-2110) Additionally, a check for negative buffer length values was added (CVE-2012-2131) and a memory leak when creating public keys fixed.
    last seen: 2020-06-05
    modified: 2012-05-23
    plugin id: 59237
    published: 2012-05-23
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/59237
    title: SuSE 10 Security Update : openssl (ZYPP Patch Number 8112)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2454.NASL
    description: Multiple vulnerabilities have been found in OpenSSL. The Common Vulnerabilities and Exposures project identifies the following issues :
      - CVE-2012-0884 Ivan Nestlerode discovered a weakness in the CMS and PKCS #7 implementations that could allow an attacker to decrypt data via a Million Message Attack (MMA).
      - CVE-2012-1165 It was discovered that a NULL pointer could be dereferenced when parsing certain S/MIME messages, leading to denial of service.
      - CVE-2012-2110 Tavis Ormandy, Google Security Team, discovered a vulnerability in the way DER-encoded ASN.1 data is parsed that can result in a heap overflow.
      Additionally, the fix for CVE-2011-4619 has been updated to address an issue with SGC handshakes. Tomas Hoger, Red Hat, discovered that the fix for CVE-2012-2110 for the 0.9.8 series of OpenSSL was incomplete. It has been assigned the CVE-2012-2131 identifier.
    last seen: 2020-03-17
    modified: 2012-04-20
    plugin id: 58804
    published: 2012-04-20
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/58804
    title: Debian DSA-2454-2 : openssl - multiple vulnerabilities
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-1428-1.NASL
    description: It was discovered that the fix for CVE-2012-2110 was incomplete for OpenSSL 0.9.8. A remote attacker could trigger this flaw in services that used SSL to cause a denial of service or possibly execute arbitrary code with application privileges. Ubuntu 11.10 was not affected by this issue. (CVE-2012-2131) The original upstream fix for CVE-2012-2110 would cause BUF_MEM_grow_clean() to sometimes return the wrong error condition. This update fixes the problem. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 58873
    published: 2012-04-25
    reporter: Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/58873
    title: Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 : openssl vulnerability (USN-1428-1)
  • NASL family: Web Servers
    NASL id: OPENSSL_0_9_8V.NASL
    description: According to its banner, the remote web server is running a version of OpenSSL earlier than 0.9.8w. As such, the OpenSSL library itself is reportedly affected by a memory corruption vulnerability via an integer truncation error in the function
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 58799
    published: 2012-04-24
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/58799
    title: OpenSSL < 0.9.8w ASN.1 asn1_d2i_read_bio Memory Corruption
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2012-064.NASL
    description: It was discovered that the fix for CVE-2012-2110 (MDVSA-2012:060) was not sufficient to correct the issue for OpenSSL 0.9.8. The updated packages have been upgraded to the 0.9.8w version which is not vulnerable to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 58865
    published: 2012-04-25
    reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/58865
    title: Mandriva Linux Security Advisory : openssl0.9.8 (MDVSA-2012:064)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_8_4.NASL
    description: The remote host is running a version of Mac OS X 10.8.x that is prior to 10.8.4. The newer version contains multiple security-related fixes for the following components :
      - CFNetwork
      - CoreAnimation
      - CoreMedia Playback
      - CUPS
      - Disk Management
      - OpenSSL
      - QuickDraw Manager
      - QuickTime
      - SMB
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 66808
    published: 2013-06-05
    reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/66808
    title: Mac OS X 10.8.x < 10.8.4 Multiple Vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_COMPAT-OPENSSL097G-120830.NASL
    description: This compat-openssl097g rollup update contains various security fixes :
      - incorrect integer conversions in OpenSSL could have resulted in memory corruption during buffer management operations. (CVE-2012-2131 / CVE-2012-2110)
    last seen: 2020-06-05
    modified: 2013-01-25
    plugin id: 64120
    published: 2013-01-25
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/64120
    title: SuSE 11.2 Security Update : compat-openssl097g (SAT Patch Number 6749)
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS11_OPENSSL_20120626.NASL
    description: The remote Solaris system is missing necessary patches to address security updates :
      - The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. (CVE-2012-2110)
      - Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110. (CVE-2012-2131)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 80717
    published: 2015-01-19
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/80717
    title: Oracle Solaris Third-Party Patch Update : openssl (multiple_vulnerabilities_in_openssl1)
  • NASL family: AIX Local Security Checks
    NASL id: AIX_OPENSSL_ADVISORY4.NASL
    description: The version of OpenSSL running on the remote host is affected by the following vulnerabilities :
      - The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack. (CVE-2012-0884)
      - The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250. (CVE-2012-1165)
      - The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. (CVE-2012-2110)
      - Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110. (CVE-2012-2131)
      - Integer underflow in OpenSSL when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation. (CVE-2012-2333)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 73562
    published: 2014-04-16
    reporter: This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/73562
    title: AIX OpenSSL Advisory : openssl_advisory4.asc
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2013-002.NASL
    description: The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-002 applied. This update contains numerous security-related fixes for the following components :
      - CoreMedia Playback (10.7 only)
      - Directory Service (10.6 only)
      - OpenSSL
      - QuickDraw Manager
      - QuickTime
      - Ruby (10.6 only)
      - SMB (10.7 only)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 66809
    published: 2013-06-05
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66809
    title: Mac OS X Multiple Vulnerabilities (Security Update 2013-002)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_COMPAT-OPENSSL097G-8262.NASL
    description: This compat-openssl097g rollup update contains various security fixes :
      - incorrect integer conversions in OpenSSL could have resulted in memory corruption during buffer management operations. (CVE-2012-2131 / CVE-2012-2110)
    last seen: 2020-06-05
    modified: 2012-09-12
    plugin id: 62060
    published: 2012-09-12
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/62060
    title: SuSE 10 Security Update : compat-openssl097g (ZYPP Patch Number 8262)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_LIBOPENSSL-DEVEL-120503.NASL
    description: This update of openssl fixes an integer conversion issue which could cause a heap-based memory corruption. (CVE-2012-2110) Additionally, a check for negative buffer length values was added (CVE-2012-2131) and the stack made non-executable by marking the enhanced Intel SSSE3 assembler code as not needing executable stack.
    last seen: 2020-06-05
    modified: 2013-01-25
    plugin id: 64184
    published: 2013-01-25
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/64184
    title: SuSE 11.1 Security Update : openssl (SAT Patch Number 6245)
  • NASL family: Junos Local Security Checks
    NASL id: JUNIPER_PSN-2012-07-645.NASL
    description: According to its self-reported version number, the remote Junos router is using an outdated version of OpenSSL. Parsing malformed ASN.1 encoded data can result in memory corruption. This vulnerability can be triggered by attempting to parse untrusted data (e.g., an X.509 certificate).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 59989
    published: 2012-07-17
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/59989
    title: Juniper Junos OpenSSL ASN.1 Memory Corruption (PSN-2012-07-645)