{"vuid":"VU#547300","idnumber":"547300","name":"OpenSSL SSL_get_shared_ciphers() vulnerable to buffer overflow","keywords":["OpenSSL","SSL_get_shared_ciphers() utility function","buffer overflow","openssl_secadv_20060928","apple-2006-007","oracle_cpu_jan_2007","OHS01"],"overview":"A buffer overflow vulnerability in an OpenSSL library function could allow a remote attacker to execute code on an affected system.","clean_desc":"The OpenSSL toolkit implements the Secure Sockets Layer (SSL versions 2 and 3) and Transport Layer Security (TLS version 1) protocols as well as a general purpose cryptographic library. The OpenSSL library includes a utility function, SSL_get_shared_ciphers(), to generate human readable strings from the list of shared ciphers supported on an SSL connection. A buffer overflow exists in this function's handling of the length of the list of shared ciphers. Any application using this function could expose the vulnerability, allowing an attacker to execute code with the privileges of that application. Note that although successful exploitation is believed to be difficult, it is still possible in some situations.","impact":"An attacker with the ability to supply a specially crafted list of ciphers could execute code in the context of an application using the vulnerable function.","resolution":"Upgrade or apply a patch from the vendor Patches have been released to address this issue. Please see the Systems Affected section of this document for more information. Users or redistributors who compile OpenSSL from the original source code distribution are encouraged to review OpenSSL Security Advisory [28th September 2006] and upgrade to the appropriate fixed version of the software.","workarounds":"","sysaffected":"","thanks":"Thanks to Tavis Ormandy and Will Drewry of the Google Security Team for reporting this vulnerability.","author":"This document was written by Chad R Dougherty.","public":["http://www.openssl.org/news/secadv_20060928.txt","http://jvn.jp/cert/JVNVU%23547300/index.html","http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html","https://issues.rpath.com/browse/RPL-613","http://www.openssl.org/news/secadv_20060928.txt","http://kolab.org/security/kolab-vendor-notice-11.txt","http://openvpn.net/changelog.html","http://www.serv-u.com/releasenotes/","http://openbsd.org/errata.html#openssl2","http://www.securityfocus.com/bid/20249","http://securitytracker.com/id?1016943","http://secunia.com/advisories/22130","http://secunia.com/advisories/22094","http://secunia.com/advisories/22165","http://secunia.com/advisories/22186","http://secunia.com/advisories/22193","http://secunia.com/advisories/22207","http://secunia.com/advisories/22259","http://secunia.com/advisories/22260","http://secunia.com/advisories/22166","http://secunia.com/advisories/22172","http://secunia.com/advisories/22212","http://secunia.com/advisories/22240","http://secunia.com/advisories/22216","http://secunia.com/advisories/22116","http://secunia.com/advisories/22220","http://secunia.com/advisories/22284","http://secunia.com/advisories/22330","http://xforce.iss.net/xforce/xfdb/29237","http://secunia.com/advisories/23280/","http://secunia.com/advisories/23309/","http://www.securityfocus.com/bid/22083","http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1"],"cveids":["CVE-2006-3738"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-09-05T18:20:58Z","publicdate":"2006-09-28T00:00:00Z","datefirstpublished":"2006-09-28T15:36:35Z","dateupdated":"2011-07-22T12:46:41Z","revision":40,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"2","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"5","cam_impact":"9","cam_easeofexploitation":"8","cam_attackeraccessrequired":"15","cam_scorecurrent":"2.53125","cam_scorecurrentwidelyknown":"3.0375","cam_scorecurrentwidelyknownexploited":"5.0625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":2.53125,"vulnote":null}