Protocol implementation errors

Bill Frantz frantz at pwpconsult.com
Thu Oct 2 17:50:21 EDT 2003


From:

>                 -- Security Alert Consensus --
>                       Number 039 (03.39)
>                  Thursday, October 2, 2003
>            Network Computing and the SANS Institute
>                      Powered by Neohapsis
>
>*** {03.39.004} Cross - OpenSSL ASN.1 parsing vulns
>
>OpenSSL versions 0.9.6j and 0.9.7b (as well as prior) contain multiple
>bugs in the parsing of ASN.1 data, leading to denials of services. The
>execution of arbitrary code is not yet confirmed, but it has not been
>ruled out.

This is the second significant problem I have seen in applications that use
ASN.1 data formats.  (The first was in a widely deployed implementation of
SNMP.)  Given that good, security conscience programmers have difficultly
getting ASN.1 parsing right, we should favor protocols that use easier to
parse data formats.

I think this leaves us with SSH.  Are there others?

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz        | "There's nothing so clear as   | Periwinkle
(408)356-8506      | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble     | Los Gatos, CA 95032


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list