{"vuid":"VU#396440","idnumber":"396440","name":"MatrixSSL contains multiple vulnerabilities","keywords":["matrixssl","heap-based buffer overflow","out-of-bounds read","unallocated memory free"],"overview":"MatrixSSL, version 3.8.5 and earlier, contains heap overflow, out-of-bounds read, and unallocated memory free operation vulnerabilities.","clean_desc":"CWE-122: Heap-based Buffer Overflow - CVE-2016-6890 The Subject Alt Name field of X.509 certificates is not properly parsed. A specially crafted certificate may result in a heap-based buffer overflow and arbitrary code execution. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2016-6891 The ASN.1 Bit Field is not properly parsed. A specially crafted certificate may lead to a denial of service condition due to an out of bounds read in memory. CWE-590: Free of Memory not on the Heap - CVE-2016-6892 The x509FreeExtensions() function does not properly parse X.509 certificates. A specially crafted certificate may cause a free operation on unallocated memory, resulting in a denial of service condition. The CVSS score below describes CVE-2016-6890. For more information about these vulnerabilities, contact the vendor at support@matrixssl.com or refer to the vendor release notes and the researcher's blog.","impact":"By causing a server to parse a specially crafted X.509 certificate, a remote, unauthenticated attacker may be able to create a denial of service condition or execute arbitrary code in the context of the SSL stack.","resolution":"Apply an update The vendor has released version 3.8.6 to address these issues. Developers of embedded devices using MatrixSSL should provide firmware updates implementing the fix. Users in general should update to the latest release.","workarounds":"","sysaffected":"","thanks":"Thanks to Craig Young of Tripwire for reporting these vulnerabilities.","author":"This document was written by Joel Land.","public":["https://github.com/matrixssl/matrixssl/blob/master/CHANGES.md","http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/flawed-matrixssl-code-highlights-need-for-better-iot-update-practices/","http://www.matrixssl.org/blog/releases/matrixssl_3_8_6","https://cwe.mitre.org/data/definitions/122.html","https://cwe.mitre.org/data/definitions/119.html","https://cwe.mitre.org/data/definitions/590.html"],"cveids":["CVE-2016-6890","CVE-2016-6891","CVE-2016-6892"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2016-08-26T12:13:51Z","publicdate":"2016-10-10T00:00:00Z","datefirstpublished":"2016-10-11T15:49:37Z","dateupdated":"2016-10-14T13:05:27Z","revision":20,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"4","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"10","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"7.8","cvss_environmentalscore":"5.86926702432","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}