OpenSSL released an emergency security update shortly after a patch was issued a few weeks ago. This security update addresses a critical Use After Free vulnerability introduced by the code change that was made to resolve the earlier low-severity vulnerability CVE-2016-6307.

This critical Use After Free vulnerability (CVE-2016-6309) is caused by an error that occurs when an incoming message larger than 16k forces the receive buffer to be reallocated and moved. Remote attackers may access the freed buffer to crash the process, or potentially even execute arbitrary code on vulnerable systems.

This Use After Free vulnerability only affects OpenSSL version 1.1.0a. In this report we will look into the code to figure out what really happened.

OpenSSL uses the structure "ssl_st" to handle an SSL session; it includes two important buffer pointers, "init_buf" and "init_msg". "init_buf" points to the buffer used during initialization, and "init_msg" points to the handshake message body, which lies inside the buffer pointed to by "init_buf".

This vulnerability can be exploited through the stale "init_msg" pointer, which is not updated when "init_buf" is reallocated, so it keeps pointing into the old, freed buffer. The following code snippet was taken from OpenSSL 1.1.0a. Comments added by me have been highlighted. The argument "SSL *s" is of type "struct ssl_st" in these functions.
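To make the pointer-rebasing failure concrete, here is an added C illustration that is not OpenSSL's code: the struct mirrors the "init_buf"/"init_msg" pair described above, but the buffer type, the grow routine, the function names and the sizes are constructed for this example. It shows the buggy pattern (grow the buffer without touching "init_msg") beside the fixed pattern (record the message's offset, grow, then rebase "init_msg" from the new base address), and checks whether the message pointer still lies inside the live allocation afterwards.

```c
/* Added illustration of the CVE-2016-6309 bug class (interior pointer left
 * dangling after the buffer it points into is reallocated). Not OpenSSL code:
 * struct_buf_mem, handshake_state, buf_mem_grow, grow_buggy, grow_fixed,
 * msg_in_buf and simulate are all constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_BUF 16384   /* constructed: the ~16k buffer the message outgrows */
#define HDR_LEN 4           /* TLS handshake header: 1-byte type + 3-byte length */

struct buf_mem {
    unsigned char *data;    /* backing storage                                   */
    size_t length;          /* bytes currently in use                            */
    size_t max;             /* allocated size                                    */
};

struct handshake_state {
    struct buf_mem *init_buf;  /* whole buffer holding the handshake record      */
    unsigned char *init_msg;   /* current message body, lives inside init_buf    */
};

/* Grow the buffer. Implemented as malloc + memcpy + free rather than realloc so
 * the data is guaranteed to move, which is the case that exposes the bug.
 * Returns 1 on success, 0 on allocation failure. */
static int buf_mem_grow(struct buf_mem *b, size_t want) {
    if (want <= b->max)
        return 1;
    unsigned char *n = malloc(want);
    if (n == NULL)
        return 0;
    memcpy(n, b->data, b->length);
    free(b->data);             /* old block is gone: pointers into it now dangle */
    b->data = n;
    b->max = want;
    return 1;
}

/* Buggy pattern: the buffer moves, init_msg is left pointing at the old block. */
static int grow_buggy(struct handshake_state *s, size_t want) {
    return buf_mem_grow(s->init_buf, want);
}

/* Fixed pattern: express the message as an offset, grow, then rebase. */
static int grow_fixed(struct handshake_state *s, size_t want) {
    size_t off = (size_t)(s->init_msg - s->init_buf->data);
    if (!buf_mem_grow(s->init_buf, want))
        return 0;
    s->init_msg = s->init_buf->data + off;
    return 1;
}

/* Returns 1 if init_msg lies inside the current init_buf allocation.
 * Compares integer addresses only; the stale pointer is never dereferenced. */
static int msg_in_buf(const struct handshake_state *s) {
    uintptr_t base = (uintptr_t)s->init_buf->data;
    uintptr_t p = (uintptr_t)s->init_msg;
    return p >= base && p < base + s->init_buf->max;
}

/* Simulate receiving a handshake message whose body is body_len bytes.
 * Returns 1 if init_msg is still valid after any growth, 0 if it dangles. */
static int simulate(int use_fix, size_t body_len) {
    struct buf_mem b = { .data = malloc(INITIAL_BUF), .length = HDR_LEN, .max = INITIAL_BUF };
    if (b.data == NULL)
        return 0;
    struct handshake_state s = { .init_buf = &b, .init_msg = b.data + HDR_LEN };
    size_t want = body_len + HDR_LEN;
    int ok = use_fix ? grow_fixed(&s, want) : grow_buggy(&s, want);
    int valid = ok && msg_in_buf(&s);
    free(b.data);
    return valid;
}

int main(void) {
    printf("small message, buggy grow : %s\n", simulate(0, 1000)  ? "valid" : "DANGLING");
    printf("large message, buggy grow : %s\n", simulate(0, 20000) ? "valid" : "DANGLING");
    printf("large message, fixed grow : %s\n", simulate(1, 20000) ? "valid" : "DANGLING");
    return 0;
}
```

The small-message case passes for both variants because the buffer never moves, which is why a bug of this kind survives ordinary testing; only an oversized message forces the move that leaves the buggy variant's "init_msg" pointing into freed memory. Running the binary under AddressSanitizer or Valgrind is the practical way to catch the stale read if any later code dereferences the pointer.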

The crash occurs when OpenSSL frees the buffer. The following image shows a portion of the affected OpenSSL server:

Please note that authentication is NOT required to exploit this vulnerability.

Fortinet released IPS signature OpenSSL.Large.Message.Size.Handling.UAF to address this vulnerability.