There is a vulnerability in PolarSSL, an open-source SSL library used in a variety of products, that could enable an attacker to execute arbitrary code under some circumstances.
The vulnerability is the result of an uninitialized pointer in the PolarSSL code and researchers said that an attacker with knowledge of the target system may be able to exploit the flaw to run arbitrary code by using a malicious digital certificate. The bug was discovered by researchers at Certified Secure in the Netherlands and also found independently during an internal audit by PolarSSL.
“When a user controlled X.509 certificate is parsed by the PolarSSL library, the vulnerability allows for Remote Code Execution and a Denial of Service. The most common vulnerable scenario is a server using the PolarSSL library to verify client certificates,” the advisory from Certified Secure says.
“In this scenario a malicious client can exploit the server by presenting a crafted X.509 certificate. The vulnerability is triggered during parsing and before the actual validation of the certificate. Other scenarios include a malicious server presenting a crafted server certificate (exploiting the connecting clients) and any other (direct) callers of the X.509 parsing routines of the PolarSSL library.”
PolarSSL, which is part of ARM, is a crypto library that has both open source and commercial versions and is used in a number of applications, including OpenVPN and some Linksys and Gemalto products. The vulnerable versions include 1.0 and up to the PolarSSL 1.3.9 and PolarSSL 1.2.12.
PolarSSL has released a code fix for the vulnerability and is planning to release patched versions.