Vulnerability Name: CVE-2016-9939 (CCN-122083)

Assigned: 2016-12-12
Published: 2016-12-12
Updated: 2019-06-01
Summary: Crypto++ (aka cryptopp and libcrypto++) 5.6.4 contained a bug in its ASN.1 BER decoding routine. The library will allocate a memory block based on the length field of the ASN.1 object. If there are not enough content octets in the ASN.1 object, then the function will fail and the memory block will be zeroed even though it is unused. There is a noticeable delay during the wipe for a large allocation.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
6.2 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
5.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:R)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
4.9 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-20
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2016-9939

Source: DEBIAN
Type: Third Party Advisory
DSA-3748

Source: CCN
Type: oss-sec Mailing List, Mon, 12 Dec 2016 18:34:07 -0500
Re: CVE Request: Potential DoS in Crypto++ ASN.1 parser

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[oss-security] 20161212 Re: CVE Request: Potential DoS in Crypto++ ASN.1 parser

Source: BID
Type: Third Party Advisory, VDB Entry
94854

Source: CCN
Type: BID-94854
Crypto++ CVE-2016-9939 Local Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
libcrypto-cve20169939-dos(122083)

Source: FEDORA
Type: UNKNOWN
FEDORA-2019-812b77ed2e

Source: CCN
Type: libcrypto++ - Debian Package Web site
General purpose cryptographic library - shared library

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2016-9939

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:cryptopp:crypto++:5.6.4:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7586 | P | libcryptopp-devel-8.6.0-150400.1.6 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:785 | P | Security update for rust1.62 (Moderate) | 2022-09-28
oval:org.opensuse.security:def:3686 | P | Security update for fwupd (Moderate) | 2022-08-05
oval:org.opensuse.security:def:3002 | P | SuSEfirewall2-3.6.312.333-3.13.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3496 | P | gdk-pixbuf-loader-rsvg-2.40.20-5.6.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94608 | P | libXfixes-devel-6.0.0-150400.1.4 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94632 | P | libcryptopp-devel-8.6.0-150400.1.6 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:6192 | P | Security update for libcaca (Important) | 2022-03-14
oval:org.opensuse.security:def:73897 | P | Security update for libcryptopp (Moderate) | 2021-10-06
oval:org.opensuse.security:def:67281 | P | Security update for libcryptopp (Moderate) | 2021-10-06
oval:org.opensuse.security:def:76349 | P | Security update for libcryptopp (Moderate) | 2021-10-06
oval:org.opensuse.security:def:111738 | P | Security update for libcryptopp (Moderate) | 2021-10-06
oval:org.opensuse.security:def:64585 | P | Security update for libcryptopp (Moderate) | 2021-10-06
oval:org.opensuse.security:def:107987 | P | Security update for libcryptopp (Moderate) | 2021-10-06
oval:org.opensuse.security:def:101321 | P | Security update for libcryptopp (Moderate) | 2021-10-06
oval:org.opensuse.security:def:73707 | P | Security update for libcryptopp (Moderate) | 2021-10-06
oval:org.opensuse.security:def:117501 | P | Security update for libcryptopp (Moderate) | 2021-10-06
oval:org.opensuse.security:def:64775 | P | Security update for libcryptopp (Moderate) | 2021-10-06
oval:com.ubuntu.xenial:def:201699390000000 | V | CVE-2016-9939 on Ubuntu 16.04 LTS (xenial) - low. | 2017-01-30
oval:com.ubuntu.artful:def:20169939000 | V | CVE-2016-9939 on Ubuntu 17.10 (artful) - low. | 2017-01-30
oval:com.ubuntu.xenial:def:20169939000 | V | CVE-2016-9939 on Ubuntu 16.04 LTS (xenial) - low. | 2017-01-30
oval:com.ubuntu.bionic:def:20169939000 | V | CVE-2016-9939 on Ubuntu 18.04 LTS (bionic) - low. | 2017-01-30
oval:com.ubuntu.precise:def:20169939000 | V | CVE-2016-9939 on Ubuntu 12.04 LTS (precise) - low. | 2017-01-30
oval:com.ubuntu.bionic:def:201699390000000 | V | CVE-2016-9939 on Ubuntu 18.04 LTS (bionic) - low. | 2017-01-30
oval:com.ubuntu.trusty:def:20169939000 | V | CVE-2016-9939 on Ubuntu 14.04 LTS (trusty) - low. | 2017-01-30
oval:org.cisecurity:def:1674 | P | DSA-3748-1 -- libcrypto++ -- security update | 2017-01-27