OpenSSL Denial of Service
| Advisory ID | CVE Number | Date discovered | Severity | Advisory revision |
|---|---|---|---|---|
| STORM-2016-005 | CVE-2016-6304 | 09/22/2016 | high | v1 |
Vulnerability details
A vulnerability in the OpenSSL library has been disclosed. Mishandling of a very large OCSP status request could lead to a denial of service.
Impacted products
| Products | Severity | Detail |
|---|---|---|
| Stormshield Network Security | medium | SNS uses a vulnerable version of OpenSSL |
| Stormshield Endpoint Security | high | SES uses a vulnerable version of OpenSSL |
| Fast360 | medium | Fast360 uses a vulnerable version of OpenSSL |
| Netasq | medium | Netasq uses a vulnerable version of OpenSSL |
Revisions
| Version | Date | Description |
|---|---|---|
| v1 | 10/22/2016 | Initial release |

Stormshield Network Security

CVSS v2 Overall Score: 6.8

| Analysis | Impacted version |
|---|---|
| The OpenSSL library is vulnerable to memory exhaustion. This could allow an attacker to cause a denial of service of one of the services of the appliance. | |

| Workaround solution | Solution |
|---|---|
| There is no workaround solution. | The 2.5.2 and 1.6.1 updates will fix this vulnerability. |

| Access vector | Access complexity | Authentication | Confidentiality impact | Integrity impact | Availability impact |
|---|---|---|---|---|---|
| Network | Low | None | None | None | Complete |

CVSS Base score: 7.8, CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| High | Official fix | Confirmed |

CVSS Temporal score: 6.8, CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C)

| Collateral Damage Potential | Target Distribution |
|---|---|
| None | High [76-100%] |

CVSS Environmental score: 6.8, CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C/CDP:N/TD:H/CR:ND/IR:ND/AR:ND)

Stormshield Endpoint Security

CVSS v2 Overall Score: 7.7

| Analysis | Impacted version |
|---|---|
| Successful exploitation of this vulnerability could allow an attacker to cause a denial of service on the Stormshield Endpoint Security server (framework.exe process) as well as on the Apache server bundled with the Stormshield Endpoint Security server. The temporary unavailability of the framework.exe process running on a server may delay the processing of new logs and the application of a new security policy on agents. The temporary unavailability of the Apache server may delay the installation of new agents. Stormshield Endpoint Security is configured to automatically restart those processes in case of unexpected failure, so the interruption of service is limited. | |

| Workaround solution | Solution |
|---|---|
| In order to limit the exploitability of this vulnerability, SES servers should be accessible only from the corporate network or through a VPN connection. | The 6.0.26 and 7.2.12 updates fix this vulnerability. |

| Access vector | Access complexity | Authentication | Confidentiality impact | Integrity impact | Availability impact |
|---|---|---|---|---|---|
| Network | Low | None | None | None | Complete |

CVSS Base score: 7.8, CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| High | Official fix | Confirmed |

CVSS Temporal score: 6.8, CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C)

| Collateral Damage Potential | Target Distribution |
|---|---|
| Low-Medium | High [76-100%] |

CVSS Environmental score: 7.7, CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C/CDP:LM/TD:H/CR:ND/IR:ND/AR:ND)

Fast360

CVSS v2 Overall Score: 6.8

| Analysis | Impacted version |
|---|---|
| The OpenSSL library is vulnerable to memory exhaustion. The Fast360 appliance will detect such behavior and restart the faulting process, so an attacker could cause a temporary denial of service of one of the services of the appliance. | |

| Workaround solution | Solution |
|---|---|
| There is no workaround solution. | The 5.0/37 and 6.0/11 updates will fix this vulnerability. |

| Access vector | Access complexity | Authentication | Confidentiality impact | Integrity impact | Availability impact |
|---|---|---|---|---|---|
| Network | Low | None | None | None | Complete |

CVSS Base score: 7.8, CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| High | Official fix | Confirmed |

CVSS Temporal score: 6.8, CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C)

| Collateral Damage Potential | Target Distribution |
|---|---|
| None | High [76-100%] |

CVSS Environmental score: 6.8, CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C/CDP:N/TD:H/CR:ND/IR:ND/AR:ND)

Netasq

CVSS v2 Overall Score: 6.8

| Analysis | Impacted version |
|---|---|
| The OpenSSL library is vulnerable to memory exhaustion. This could allow an attacker to cause a denial of service of one of the services of the appliance. | |

| Workaround solution | Solution |
|---|---|
| There is no workaround solution. | The 9.1.9 update will fix this vulnerability. |

| Access vector | Access complexity | Authentication | Confidentiality impact | Integrity impact | Availability impact |
|---|---|---|---|---|---|
| Network | Low | None | None | None | Complete |

CVSS Base score: 7.8, CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

| Exploitability | Remediation Level | Report Confidence |
|---|---|---|
| High | Official fix | Confirmed |

CVSS Temporal score: 6.8, CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C)

| Collateral Damage Potential | Target Distribution |
|---|---|
| None | High [76-100%] |

CVSS Environmental score: 6.8, CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C/CDP:N/TD:H/CR:ND/IR:ND/AR:ND)
