CVE-2016-6309
Published 2016-09-26
Priority P263 · critical · 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 70.22% (99.3rd percentile)
statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssl | — | — |
| openssl | openssl | — | — |
Detection & IOCs (extracted from sources)
- Trigger condition: a crafted TLS handshake message with a body larger than 16KB causes a realloc of init_buf, leaving the init_msg pointer dangling (use-after-free in tls_get_message_body)
- No authentication is required; the attack is fully remote and unauthenticated against any OpenSSL 1.1.0a TLS server
- Detect oversized TLS handshake records (>16KB body) targeting OpenSSL 1.1.0a servers as a potential exploitation attempt for CVE-2016-6309
- Vulnerable code path: read_state_machine() → tls_get_message_header() sets init_msg, then BUF_MEM_grow_clean() reallocates init_buf, freeing the old buffer, then tls_get_message_body() dereferences the stale init_msg pointer
- The vulnerability exclusively affects OpenSSL 1.1.0a; OpenSSL 1.1.0 users should upgrade to 1.1.0b. All other OpenSSL release series (1.0.x, etc.) are unaffected.
- The DTLS code path is not affected; the vulnerable realloc/use-after-free path is only reachable via the TLS (non-DTLS) handshake message processing branch
- The vulnerability was introduced by the patch for CVE-2016-6307; deployments that applied the CVE-2016-6307 patch (OpenSSL 1.1.0a) without subsequently upgrading to 1.1.0b are at risk
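The ordering problem in the code-path entry above, reduced to a small buffer model as an added illustration (this is not OpenSSL's code): a body pointer computed from the old buffer base goes stale once a grow moves the block, and the safe form re-derives it after the grow. The names buf_mem, conn, init_buf, init_msg, hm_body_len and process_body are simplified stand-ins, and the 16K initial size and the constructed handshake header are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#define HM_HEADER_LEN 4       /* 1-byte type + 3-byte big-endian body length */
#define INIT_BUF_LEN  16384   /* assumed ~16K initial buffer; larger bodies force a grow */
typedef struct { unsigned char *data; size_t len; } buf_mem;
typedef struct { buf_mem init_buf; unsigned char *init_msg; size_t message_size; } conn;

/* Body length from a handshake header; a value above INIT_BUF_LEN is the trigger. */
size_t hm_body_len(const unsigned char hdr[HM_HEADER_LEN]) {
    return ((size_t)hdr[1] << 16) | ((size_t)hdr[2] << 8) | hdr[3];
}

/* Grow the buffer; realloc may move the block, invalidating every old pointer. */
static int buf_grow(buf_mem *b, size_t want) {
    unsigned char *n;
    if (want <= b->len) return 1;
    if ((n = realloc(b->data, want)) == NULL) return 0;
    b->data = n; b->len = want;
    return 1;
}

/* Ordering the advisory describes (comparison only, never call it): init_msg is kept across the grow. */
int get_message_header_stale(conn *c, const unsigned char hdr[HM_HEADER_LEN]) {
    c->init_msg = c->init_buf.data + HM_HEADER_LEN;
    c->message_size = hm_body_len(hdr);
    return buf_grow(&c->init_buf, c->message_size + HM_HEADER_LEN);
}

/* Safe ordering: re-derive init_msg from the current base after the grow. */
int get_message_header_safe(conn *c, const unsigned char hdr[HM_HEADER_LEN]) {
    c->message_size = hm_body_len(hdr);
    if (!buf_grow(&c->init_buf, c->message_size + HM_HEADER_LEN)) return 0;
    c->init_msg = c->init_buf.data + HM_HEADER_LEN;
    return 1;
}

/* Driver over a constructed header: grow safely, write the body through init_msg and
   confirm the pointer still lies inside the live allocation. Returns 1 on success. */
int process_body(size_t body_len) {
    unsigned char hdr[HM_HEADER_LEN] = { 1, (unsigned char)(body_len >> 16),
                                         (unsigned char)(body_len >> 8), (unsigned char)body_len };
    conn c = { { calloc(INIT_BUF_LEN, 1), INIT_BUF_LEN }, NULL, 0 };
    int ok = c.init_buf.data != NULL && get_message_header_safe(&c, hdr);
    if (ok) {
        memset(c.init_msg, 0xAA, c.message_size);
        ok = c.init_msg + c.message_size <= c.init_buf.data + c.init_buf.len;
    }
    free(c.init_buf.data);
    return ok;
}
```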
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_cisco | — | 5.5 | MEDIUM | — |
Cisco
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016
vendor_cisco·2016-09-27·CVSS 5.5
CVE-2016-2177 [MEDIUM] CWE-119 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016
On September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as “Critical Severity,” one as “Moderate Severity,” and the other 12 as “Low Severity.”
Subsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities. These vulnerabilities affect the OpenSSL versions that were released to address the vulnerabilities disclosed in the previous advisory. One of the new vulnerabilities was rated as “High Severity” and the other as “Moderate Severity.”
Of the 16 released vulnerabilities:
Fourteen track issues that could resu
Red Hat
openssl: Use After Free for large message sizes
vendor_redhat·2016-09-26·CVSS 9.8
CVE-2016-6309 [CRITICAL] CWE-416 openssl: Use After Free for large message sizes
statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.
Statement: This issue did not affect any Red Hat product as they do not yet include OpenSSL 1.1.0.
Package: openssl (Red Hat Enterprise Linux 4) - Not affected
Package: openssl (Red Hat Enterprise Linux 5) - Not affected
Package: openssl097a (Red Hat Enterprise Linux 5) - Not affected
Package: openssl (Red Hat Enterprise Linux 6) - Not affected
Package: openssl098e (Red Hat Enterprise Linux 6) - Not affected
Package: openssl (Red Hat Enterprise Linux 7) - Not affected
Package: openssl098e (Red Hat Enterp
Debian
CVE-2016-6309: openssl - statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after ...
vendor_debian·2016·CVSS 9.8
CVE-2016-6309 [CRITICAL] CVE-2016-6309: openssl - statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after ...
statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-5qvw-r534-xcm4: statem/statem
ghsa_unreviewed·2022-05-14
CVE-2016-6309 [CRITICAL] CWE-416 GHSA-5qvw-r534-xcm4: statem/statem
statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.
No detection rules found.
No public exploits indexed.
arXiv
Automating Function-Level TARA for Automotive Full-Lifecycle Security
arxiv_fulltext·2025-04-25
Yuqiao Yang# (UESTC), Yongzhao Zhang# (UESTC), Wenhao Liu (GoGoByte Technology), Jun Li (GoGoByte Technology), Pengtao Shi (GoGoByte Technology), DingYu Zhong (UESTC), Jie Yang* (UESTC), Ting Chen* (UESTC), Sheng Cao (UESTC), Yuntao Ren (Chengdu Anheng Information Technology Co., LTD), Yongyue Wu (Anheng Vision (Chengdu) Information Technology Co., LTD), Xiaosong Zhang (UESTC)
DefenseWeaver
## Abstract
As modern vehicles evolve
Tenable
[R7] Nessus 6.9 Fixes Multiple Vulnerabilities
blogs_tenable·2016-10-25
Fortinet
Analysis of OpenSSL Large Message Size Handling Use After Free (CVE-2016-6309)
blogs_fortinet·2016-10-12·CVSS 5.9
CVE-2016-6309 [MEDIUM] Analysis of OpenSSL Large Message Size Handling Use After Free (CVE-2016-6309)
By Dehui Yin | October 12, 2016
OpenSSL released an emergency security update shortly after a patch was issued a few weeks ago. This security update addresses a critical Use After Free vulnerability introduced by the code change that was made to resolve the earlier low-severity vulnerability CVE-2016-6307.
This critical Use After Free vulnerability (CVE-2016-6309) is caused by an error that occurs when relocating a message with an overlarge message size greater than 16k. Remote attackers may access the freed buffer to crash, or potentially even execute arbitrary code on vulnerable systems.
This Use After Free vulnerability only affects OpenSSL version 1.1.0a. In this report we
Qualys
Problem with OpenSSL Patches of September 22, 2016 | Qualys
blogs_qualys·2016-09-26·CVSS 9.8
CVE-2016-6309 [CRITICAL] Problem with OpenSSL Patches of September 22, 2016 | Qualys
Today, OpenSSL has released an update advising of a problem with patches that were released last week on September 22.
The first offending patch was for CVE-2016-6309, and it could result in a crash or even execution of attacker-supplied code resulting in compromise of the patched machine. This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016. As a result OpenSSL 1.1.0 users should upgrade to 1.1.0b.
The second offending patch was for CVE-2016-7052, and if the patch is installed, it could allow attackers to cause a denial of service condition leading to a crash. This issue affects only OpenSSL 1.0.2i, released on 22nd September 2016. As a result OpenSSL 1.0.2i users should upgrade to 1.0.2j.
Bugzilla
CVE-2016-6309 openssl: Use After Free for large message sizes
bugzilla·2016-09-26·CVSS 5.9
CVE-2016-6309 [MEDIUM] CVE-2016-6309 openssl: Use After Free for large message sizes
Quoting from the OpenSSL upstream advisory:
Fix Use After Free for large message sizes (CVE-2016-6309)
Severity: Critical
This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016.
The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved. Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location. This is likely to result in a crash, however it could potentially lead to execution of arbitrary code.
OpenSSL 1.1.0 users should upgrade to 1.1.0b
This issue was reported to OpenSSL on 23rd September 2
Bugzilla
CVE-2016-6307 openssl: excessive allocation of memory in tls_get_message_header()
bugzilla·2016-09-21·CVSS 5.9
CVE-2016-6307 [MEDIUM] CVE-2016-6307 openssl: excessive allocation of memory in tls_get_message_header()
Quoting from the draft of the OpenSSL upstream advisory:
Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)
Severity: Low
A TLS message includes 3 bytes for its length in the header for the message. This would allow for messages up to 16Mb in length. Messages of this length are excessive and OpenSSL includes a check to ensure that a peer is sending reasonably sized messages in order to avoid too much memory being consumed to service a connection. A flaw in the logic of version 1.1.0 means that memory for the message is allocated too early, prior to the excessive message length check. Due to the way memory is allocated in OpenSSL this could mean an attacker could force up to 21Mb to be
References
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
- http://www-01.ibm.com/support/docview.wss?uid=swg21995039
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.securityfocus.com/bid/93177
- http://www.securitytracker.com/id/1036885
- https://bto.bluecoat.com/security-advisory/sa132
- https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=acacbfa7565c78d2273c0b2a2e5e803f44afefeb
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03856en_us
- https://www.openssl.org/news/secadv/20160926.txt
- https://www.tenable.com/security/tns-2016-16
- https://www.tenable.com/security/tns-2016-20