The National Infrastructure Protection Center (NIPC) is issuing this advisory to heighten awareness of multiple buffer overflows in OpenSSL (Open Secure Sockets Layer) versions 0.9.6d and earlier and 0.9.7-beta2 and earlier. OpenSSL is a widely deployed, open source implementation of the SSL and Transport Layer Security (TLS) protocols, which provide a secure connection between a client and a server for higher-level protocols. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code on a vulnerable server or client system. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the identified vulnerabilities:
(CAN-2002-0655) OpenSSL versions 0.9.6d and earlier, and 0.9.7-beta2, contain several buffer overflow vulnerabilities when running on 64-bit platforms.
(CAN-2002-0657) Kerberos-enabled OpenSSL 0.9.7-beta2 servers have a stack-based buffer overflow that may allow a remote attacker to execute arbitrary code.

Description:
OpenSSL is a software package that provides strong cryptography to authentication systems, mail servers, and web servers. Affected versions of OpenSSL are 0.9.6d and earlier and 0.9.7-beta2 and earlier. While there have been no reported victims, the NIPC is issuing this advisory to emphasize the significance of these vulnerabilities. System administrators should be aware that attackers could exploit these vulnerabilities to gain remote access and then take any action the compromised process's privileges allow, such as installing malicious code, running programs, or reconfiguring, adding, changing, or deleting files. Additional information may be found at the following sites:
OpenSSL Security Advisory
CERT Advisory CA-2002-23
The NIPC strongly urges the community to apply the patches provided by their vendors or to upgrade to OpenSSL 0.9.6e, which, according to the OpenSSL Project team, contains fixes for all the vulnerabilities listed above.
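The first step in acting on this advisory is to find out which OpenSSL build a host is actually running. The following POSIX shell function is an added example, not part of the NIPC advisory or of the OpenSSL project's own tooling. It classifies a version string of the form reported by `openssl version` against the ranges named above: 0.9.6d and earlier and 0.9.7-beta2 and earlier are reported as vulnerable, 0.9.6e as fixed. Two assumptions are made where the advisory is silent: 0.9.6 releases with a letter after "e" are assumed to retain the fix, and 0.9.7 pre-releases after beta2 (and anything newer) are reported as "not-listed" rather than guessed at.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the ranges in
# the advisory.  Prints one of: vulnerable, fixed, not-listed, unparsed.
# Return status is 0 when the string was understood, 1 when it was not.
#
#   openssl_status 0.9.6d          -> vulnerable
#   openssl_status 0.9.6e          -> fixed
#   openssl_status 0.9.7-beta3     -> not-listed (advisory does not say)

openssl_status() {
    v=$1
    # Numeric part is everything up to the first char that is not a digit
    # or a dot: "0.9.6d" -> "0.9.6", "0.9.7-beta2" -> "0.9.7".
    num=${v%%[!0-9.]*}
    suffix=${v#"$num"}

    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    fix=${rest#*.}

    # Each of the three fields must be a non-empty run of digits.
    for part in "$major" "$minor" "$fix"; do
        case $part in
            "" | *[!0-9]*) echo "unparsed"; return 1 ;;
        esac
    done
    # "0.9.6" -> 906, "0.9.7" -> 907, "1.0.1" -> 10001
    key=$((major * 10000 + minor * 100 + fix))

    if [ "$key" -lt 906 ]; then
        # Anything before the 0.9.6 line is "0.9.6d or earlier".
        echo "vulnerable"; return 0
    fi

    if [ "$key" -eq 906 ]; then
        case $suffix in
            "" | [a-d] | -beta*) echo "vulnerable"; return 0 ;;  # 0.9.6 .. 0.9.6d
            [e-z]) echo "fixed"; return 0 ;;   # 0.9.6e; later letters assumed to keep the fix
            *) echo "unparsed"; return 1 ;;
        esac
    fi

    if [ "$key" -eq 907 ]; then
        case $suffix in
            -beta[0-9]*)
                n=${suffix#-beta}
                case $n in *[!0-9]*) echo "unparsed"; return 1 ;; esac
                if [ "$n" -le 2 ]; then
                    echo "vulnerable"          # 0.9.7-beta1, 0.9.7-beta2
                else
                    echo "not-listed"          # later 0.9.7 pre-releases: not stated
                fi
                return 0 ;;
            "" | [a-z]) echo "not-listed"; return 0 ;;  # 0.9.7 final releases: not stated
            *) echo "unparsed"; return 1 ;;
        esac
    fi

    # 0.9.8 and newer: outside the advisory's scope.
    echo "not-listed"; return 0
}

# Classify the openssl binary found on PATH, if any.
# "openssl version" prints e.g. "OpenSSL 0.9.6d 9 May 2002"; field 2 is the version.
installed_openssl_status() {
    command -v openssl >/dev/null 2>&1 || { echo "no openssl binary on PATH"; return 1; }
    openssl_status "$(openssl version | awk '{print $2}')"
}

# When run with arguments, classify each one; with none, do nothing so the
# file can also be sourced for its functions.
if [ $# -gt 0 ]; then
    for arg in "$@"; do
        printf '%s: %s\n' "$arg" "$(openssl_status "$arg")"
    done
fi
```

Two caveats apply to any such version check. Vendor packages often backport the fixes while keeping the upstream version string, so a host reporting 0.9.6b may already be patched; confirm against the vendor's package changelog rather than the string alone. Conversely, the `openssl` binary on PATH is not necessarily the library a given daemon uses: web servers, mail servers and other software may be statically linked against, or ship their own copy of, an older libssl, so each network-facing service needs to be checked individually.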
The NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office ( http://www.fbi.gov/contact/fo/fo.htm ) and other appropriate authorities. Recipients may report incidents online to http://www.nipc.gov/incident/cirr.htm . The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or firstname.lastname@example.org .