The Common Vulnerabilities and Exposures (CVE) IDs and names of the vulnerabilities that were disclosed on November 10, 2016, in the OpenSSL Software Foundation security advisory are as follows:CVE-2016-7053: OpenSSL CMS Null Dereference Vulnerability
CVE-2016-7054: OpenSSL ChaCha20/Poly1305 Heap Buffer Overflow Vulnerability
CVE-2016-7055: OpenSSL Montgomery Multiplication May Produce Incorrect Results Vulnerability
OpenSSL CMS Null Dereference VulnerabilityA vulnerability in the code that handles ASN.1 CHOICE type in OpenSSL 1.1.0 could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.The vulnerability is due to a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings.

An attacker could exploit this vulnerability by submitting crafted input to be processed by the affected software.

A successful exploit could allow an attacker to cause the application to stop functioning properly, leading to a DoS condition.This vulnerability has been assigned the following CVE ID: CVE-2016-7053OpenSSL ChaCha20/Poly1305 Heap Buffer Overflow VulnerabilityA vulnerability in the *-CHACHA20-POLY1305 cipher suites in OpenSSL could allow an unauthenticated, remote attacker to cause a targeted system to crash, resulting in a denial of service (DoS) condition.The vulnerability is due to improper validation of user-supplied data by the affected software.

An attacker could exploit this vulnerability by submitting large amounts of crafted data to the *-CHACHA20-POLY1305 cipher suites of the affected software over a Transport Layer Security (TLS) connection.

A successful exploit could allow the attacker to cause the affected software to crash, resulting in a DoS condition on the targeted system.This vulnerability has been assigned the following CVE ID: CVE-2016-7054OpenSSL Montgomery Multiplication May Produce Incorrect Results VulnerabilityA vulnerability in OpenSSL could cause authentication or key negotiation failures, resulting in a denial of service (DoS) condition.The vulnerability is due to Montgomery multiplication mathematical errors that occur when using OpenSSL with elliptic curve algorithms.

The vulnerability may occur without any external attacker action when performing cryptographic operations.

Errors resulting from incorrect mathematical computations could cause OpenSSL to fail during authentication or key negotiation, resulting in a DoS.This vulnerability has been assigned the following CVE ID: CVE-2016-7055For additional details about the vulnerabilities, refer to the November 2016 OpenSSL Security Advisory published by the OpenSSL Software Foundation.

Leave a Reply