Malware, Network Security, Patch/Configuration Management, Vulnerability Management

Matrix SSL patched for heap overflow and other bugs

Patches were issued for flaws in MatrixSSL, v3.8.5 and previous, according to an advisory from CERT. 

MatrixSSL is a cryptographic protocol designed for custom apps in embedded hardware environments.

CERT stated that in CVE-2016-6890, the Subject Alt Name field of X.509 certificates is not properly parsed. Thus a specially crafted certificate could result in a heap-based buffer overflow and arbitrary code execution.

In another bug, CVE-2016-6891, the ASN.1 Bit Field is not properly parsed. Here, a specially crafted certificate could lead to a denial-of-service condition due to an out-of-bounds read in memory, the advisory stated.

For CVE-2016-6892, the x509FreeExtensions() function does not properly parse X.509 certificates, CERT stated. A denial of service condition could result if a specially crafted certificate leads to a free operation on unallocated memory.

To patch these issues, users are advised to update with the vendor's v3.8.6.

Related

Antivirus updates exploited for GuptiMiner malware deployment

Intrusions hijacking the eScan antivirus software's updating mechanism have been conducted by threat actors suspected to be linked to North Korean advanced persistent threat operation Kimsuky to facilitate the delivery of the sophisticated GuptiMiner malware that would then distribute cryptocurrency mining payloads, according to BleepingComputer.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.