CVE-2026-4733
Received - Intake
Exposure of Sensitive Data in ixray-1.6-stcop Before

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3.
Meta Information
Published: 2026-03-24
Last Modified: 2026-03-24
Generated: 2026-06-16
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: ixray-team
Product: ixray-1.6-stcop
Version / Range: to 1.3 (exc)
CWE ID: CWE-200
Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

This vulnerability in ixray-1.6-stcop is a memory leak that occurs when parsing ASN.1 combined structures such as PKCS#7 or CMS data. On error, a pointer to the parent structure is incorrectly zeroed, causing additional components in the parent structure to be leaked. The issue stems from the project using a cloned OpenSSL file that did not receive a critical security patch addressing this problem.

The vulnerability corresponds to CVE-2015-3195 in the original OpenSSL project and was fixed by applying a patch that prevents zeroing the parent pointer on error, thereby eliminating the memory leak.

Impact Analysis

This vulnerability can lead to a memory leak during the parsing of certain cryptographic data structures. While it does not directly compromise confidentiality, integrity, or availability of data, the memory leak could potentially be exploited to degrade system performance or cause denial of service by exhausting memory resources.

Detection Guidance

This vulnerability is a memory leak in the ixray-1.6-stcop project when parsing ASN.1 combined structures such as PKCS#7 or CMS data. Detection involves identifying whether a vulnerable version of ixray-1.6-stcop (before 1.3) is in use and whether it processes such ASN.1 data.

No specific detection commands or network/system scanning commands are provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade ixray-1.6-stcop to version 1.3 or later, where the fix for this vulnerability has been applied.

The fix involves applying a patch from OpenSSL that prevents the memory leak by correctly handling the parent pointer during ASN.1 decoding errors.
