Vulnerability in openssl’s CipherUpdate functions (CVE-2021-23840)

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2021-002 CVE-2021-23840 02/17/2021 low v1

Vulnerability details

A bug in OpenSSL’s CipherUpdate functions could lead, in some cases, to an integer overflow, causing applications to behave incorrectly or crash. (CVE-2021-23840)

Impacted products

ProductsSeverityDetail
Stormshield Network Security low SNS is impacted
Netasq low Netasq is impacted

Revisions

Version Date Description
v1  17/02/2021 Initial release
v2 11/03/2021 Updated impacted versions

 



Stormshield Network Security

CVSS v3.1 Overall Score: 3.3      

Analysis

Impacted version

SNS components supporting SSL interfaces and making use of OpenSSL are vulnerable and could be subject to misbehaviors or crashes.

 
  • SNS 2.0.0 to 2.7.8
  • SNS 3.0.0 to 3.7.18
  • SNS 3.8.0 to 3.11.6
  • SNS 4.0.0 to 4.1.5

Workaround solution

Solution

There is no workaround solution.

The 2.7.9, 3.7.19, 3.11.7, 4.1.6 and 4.2.1 update fix this vulnerability.



Attack Vector Attack Complexity Privileges Required User Interaction Scope Confidentiality Impact Integrity Impact Availability impact
Local High None None Unchanged Low Low Low
CVSS Base score: 4.9 CVSS Vector: (AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploit Code Maturity Remediation Level Report Confidence
Unproven that exploit exists Official fix Reasonable
CVSS Temporal score: 4.1 CVSS Vector: (AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:R)
Confidentiality Requirement Integrity Requirement Availability Requirement
Low Low Medium
CVSS Environmental score: 3.3 CVSS Vector: (AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:R/CR:L/IR:L/AR:M/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)


Netasq

CVSS v3.1 Overall Score: 3.3      

Analysis

Impacted version

Netasq components supporting SSL interfaces and making use of OpenSSL are vulnerable and could be subject to misbehaviors or crashes.
  • Netasq 9.1.0 to 9.1.11

Workaround solution

Solution

There is no workaround.

There is no solution.



Attack Vector Attack Complexity Privileges Required User Interaction Scope Confidentiality Impact Integrity Impact Availability impact
Local High None None Unchanged Low Low Low
CVSS Base score: 4.9 CVSS Vector: (AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploit Code Maturity Remediation Level Report Confidence
Unproven that exploit exists Official fix Reasonable
CVSS Temporal score: 4.1 CVSS Vector: (AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:R)
Confidentiality Requirement Integrity Requirement Availability Requirement
Low Low Medium
CVSS Environmental score: 3.3 CVSS Vector: (AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:R/CR:L/IR:L/AR:M/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)